403 The caller is not authorized with azuread provider and identitygovernance resource using az cli auth

Hi all,

I’m trying to figure out an authorization issue when using the new identity governance resources.

Here is some basic code:

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.37.0"
    }
  }
}

data "azuread_access_package_catalog" "example" {
  object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

which fails:

╷
│ Error: Error retrieving access package catalog with id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│ 
│   with data.azuread_access_package_catalog.example,
│   on main.tf line 10, in data "azuread_access_package_catalog" "example":
│   10: data "azuread_access_package_catalog" "example" {
│ 
│ AccessPackageCatalogClient.BaseClient.Get(): unexpected status 403 with OData error: UnAuthorized: User is not authorized to perform the operation. Reason: The caller is not authorized.

I can see in the debug logs the URL that is not authorized:
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Now if I try to access this URL with az I get the same error:

$ az rest --url https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Forbidden({"error":{"code":"UnAuthorized","message":"User is not authorized to perform the operation. Reason: The caller is not authorized.","innerError":{"date":"2023-04-15T11:14:31","request-id":"51b41bb8-b37d-4dc3-a37c-df826c7d863a","client-request-id":"51b41bb8-b37d-4dc3-a37c-df826c7d863a"}}})

If I inspect my JWT token from az account get-access-token --scope https://graph.microsoft.com/.default I do see that the scopes are limited:

"scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All"

I can add that, using a token obtained from Graph Explorer, I can curl the same Graph endpoint without issue; using the token from az cli I cannot curl it and get a 403. The only difference between the tokens is the scope, which in the Graph Explorer token contains EntitlementManagement.Read.All, for example.

Am I correct to assume that Terraform cannot work with az cli auth for identitygovernance resources due to those limited scopes in the token? If so, it would be nice to update the doc.

Or am I missing something else?

Thanks for the help!
Ben
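A pre-flight check that follows from the observation above, as an added example that is not part of the original post or of the azuread provider: decode the token az cli hands out for Graph and verify that its scp claim carries the scope the Graph Explorer token had (EntitlementManagement.Read.All) before running Terraform. The live path assumes az cli is installed and logged in; the sample scp value is the one quoted in the post, embedded here as constructed test input.

```python
import base64
import json
import subprocess

# Scope the post's Graph Explorer token carried and the az cli token lacked.
REQUIRED_SCOPES = {"EntitlementManagement.Read.All"}

# Constructed sample: the scp claim quoted in the post, for offline runs.
SAMPLE_AZ_CLI_SCP = ("AuditLog.Read.All Directory.AccessAsUser.All email "
                     "Group.ReadWrite.All openid profile User.ReadWrite.All")

def build_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT (alg none) from claims; test input only."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64(b'{"alg":"none"}') + "." + b64(json.dumps(claims).encode()) + "."

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it;
    we only inspect the claims of a token we obtained ourselves."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_scopes(token: str) -> set:
    """Delegated scopes from 'scp' (space-separated); app-only tokens carry
    application permissions in 'roles' instead, so include those as well."""
    claims = decode_jwt_payload(token)
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Required scopes that the token does not carry (empty set means OK)."""
    return set(required) - token_scopes(token)

def az_graph_token() -> str:
    """Fetch a Graph token from the current az login, as the provider does."""
    out = subprocess.run(
        ["az", "account", "get-access-token",
         "--scope", "https://graph.microsoft.com/.default", "-o", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)["accessToken"]

if __name__ == "__main__":
    missing = missing_scopes(az_graph_token())
    if missing:
        raise SystemExit("az cli token lacks: " + " ".join(sorted(missing)))
    print("az cli token carries the entitlement management scope")
```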

This is probably an API bug.
The issue can be followed here: 403 The caller is not authorized with azuread provider and identitygovernance resource using az cli auth · Issue #1069 · hashicorp/terraform-provider-azuread · GitHub