Insufficient Privileges when trying to create AzureAD Group (azuread 2.0.1)

I have recently upgrade from using the azuread 1.X.X provider to the azuread 2.X.X provider and am getting the following now when trying to create a new Azure AD Group.

Error: Creating group "AzureAD_DBA-Platform_Admins"

  on modules\azuread-solution-aadgroup\2.0.0\ line 6, in resource "azuread_group" "aadgroup_module_resource":
   6: resource "azuread_group" "aadgroup_module_resource" {

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the

I am using a Service Principal with a Client Secret to authenticate:

terraform {
  required_version = ">= 0.13.5"

  required_providers {
    azuread = {
      source  = ""
      version = "~> 2.0.1"

provider "azuread" {
  client_id                   = var.aad_principals[terraform.workspace]
  client_secret               = var.aad_passwords[terraform.workspace]
  tenant_id                   = var.aad_tenant_ids[terraform.workspace]
  version                     = "=2.0.1"
  alias                       = "xyz"

I have followed the documentation here for which API Permissions in Azure AD to provide:

But have also given it additional ones as it has been failing with that error (Azure Active Directory Graph are from when using old provider)

I am also able to successfully log into the Azure CLI with this same Service Principal and create an Azure AD group that way.

Any assistance would be greatly appreciated.

I was able to resolve my issue.

when having the “assignable_to_role” parameter set to “true”, your Service Principal needs to have Microsoft Graph RoleManagement permissions. Which makes complete sense, but I didnt see it anywhere in the documentation.

Now if only Terraform had a way to specify all the AAD Role Assignments those groups should have…

1 Like

Thank you for coming back to post your solution!

I can confirm that this indeed fixes this issue.

This did the trick. Was having the same issue. Added permissions to service principal and I can confirm that it worked.

cramsey86, would you mind telling me how this is done? Or, point to the documentation for this specifically? Thanks