diff --git a/package-lock.json b/package-lock.json
index df779eb..bb40ab0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "azure-acme-provisioner",
- "version": "0.4.0",
+ "version": "0.4.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "azure-acme-provisioner",
- "version": "0.4.0",
+ "version": "0.4.1",
 "license": "MIT",
 "dependencies": {
 "@azure/arm-authorization": "^9.0.0",
diff --git a/package.json b/package.json
index f570c8f..b4d15a5 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "azure-acme-provisioner",
- "version": "0.4.0",
+ "version": "0.4.1",
 "author": {
 "name": "Sławomir Koszewski",
 "url": "https://github.com/skoszewski"
diff --git a/src/cli.ts b/src/cli.ts
index 91fef44..938997b 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -134,6 +134,7 @@ sharedOptions(
 .command('assign-role ')
 .description('Assign Key Vault Certificate User and Secrets User roles to a principal for a domain certificate')
 .requiredOption('--principal-id ', 'Azure principal ID to assign roles to')
+ .option('--dry-run', 'Show what would be assigned without making changes')
 ).action(async (domain: string, options: Record) => {
 applyOverrides(options);
 const config = loadConfig();
@@ -155,10 +156,15 @@ sharedOptions(
 { role: 'Key Vault Secrets User' as const, scope: `${vaultBase}/secrets/${certName}` },
 ];
+ const dryRun = Boolean(options['dryRun']);
 for (const { role, scope } of assignments) {
- const roleDefinitionId = `/subscriptions/${sub}/providers/Microsoft.Authorization/roleDefinitions/${ROLE_IDS[role]}`;
- await authClient.roleAssignments.create(scope, randomUUID(), { roleDefinitionId, principalId });
- console.log(`Assigned '${role}' to ${principalId} on ${scope}`);
+ if (dryRun) {
+ console.log(`[dry-run] Would assign '${role}' to ${principalId} on ${scope}`);
+ } else {
+ const roleDefinitionId = `/subscriptions/${sub}/providers/Microsoft.Authorization/roleDefinitions/${ROLE_IDS[role]}`;
+ await authClient.roleAssignments.create(scope, randomUUID(), { roleDefinitionId, principalId });
+ console.log(`Assigned '${role}' to ${principalId} on ${scope}`);
+ }
 }
 });
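Review bot: The dry-run branch inside the `for` loop prints only the role name and scope, so the preview never resolves `ROLE_IDS[role]` and does not show the role definition ID that the real run would bind to the principal. Because this output is what an operator reviews before granting Key Vault access, consider hoisting the `const roleDefinitionId = ...` line above `if (dryRun)` and adding `(${roleDefinitionId})` after `'${role}'` in both log messages, so the preview and the real run report the same identifiers. The loop's dry-run path also does nothing to detect an assignment that already exists, so "Would assign" can list grants that the real run would not create; a comment above `const dryRun` such as `// dry-run only prints the planned assignments in this loop; existing assignments are not detected` would make that limit explicit. The enclosing action callback starts outside this hunk.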