Insufficient Privileges when trying to create AzureAD Group (azuread 2.0.1)

I have recently upgraded from using the azuread 1.X.X provider to the azuread 2.X.X provider and am now getting the following when trying to create a new Azure AD Group.

Error: Creating group "AzureAD_DBA-Platform_Admins"

  on modules\azuread-solution-aadgroup\2.0.0\modules.tf line 6, in resource "azuread_group" "aadgroup_module_resource":
   6: resource "azuread_group" "aadgroup_module_resource" {

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

I am using a Service Principal with a Client Secret to authenticate:

terraform {
  required_version = ">= 0.13.5"

  required_providers {
    azuread = {
      source  = "registry.terraform.io/hashicorp/azuread"
      version = "~> 2.0.1"
    }
  }
}

provider "azuread" {
  # Service Principal credentials, selected per workspace
  client_id                   = var.aad_principals[terraform.workspace]
  client_secret               = var.aad_passwords[terraform.workspace]
  tenant_id                   = var.aad_tenant_ids[terraform.workspace]
  # Note: "version" inside a provider block is deprecated since Terraform 0.13;
  # the constraint in required_providers above already pins the provider.
  version                     = "=2.0.1"
  alias                       = "xyz"
}

I have followed the documentation here for which API Permissions in Azure AD to provide:

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_configuration

But I have also given it additional ones as it has been failing with that error (the Azure Active Directory Graph ones are from when I was using the old provider).

I am also able to successfully log into the Azure CLI with this same Service Principal and create an Azure AD group that way.

Any assistance would be greatly appreciated.

I was able to resolve my issue.

When the “assignable_to_role” parameter is set to “true”, your Service Principal needs to have Microsoft Graph RoleManagement permissions, which makes complete sense, but I didn't see it anywhere in the documentation.

Now if only Terraform had a way to specify all the AAD Role Assignments those groups should have…

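To make the fix above concrete, here is an added Terraform example (not code from this thread or from the azuread provider's documentation) showing a plain security group next to a role-assignable one, together with the two Microsoft Graph application roles the automation principal needs for each. It assumes an azuread 2.x provider whose `azuread_service_principal` data source exposes `app_role_ids`, a hypothetical `admin` provider alias for a separate identity that is already allowed to grant app roles (it needs `AppRoleAssignment.ReadWrite.All`), and a placeholder object ID for the automation principal. `RoleManagement.ReadWrite.Directory` lets its holder manage directory role assignments, so grant it deliberately and only to the principal that actually creates role-assignable groups.

```hcl
terraform {
  required_version = ">= 0.13.5"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# Default provider: the automation Service Principal that creates the groups.
# Credentials are read from ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID.
provider "azuread" {}

# Hypothetical aliased provider: an administrative identity used only to grant
# the automation principal its Microsoft Graph app roles. It must already hold
# AppRoleAssignment.ReadWrite.All; its credentials are configured separately.
provider "azuread" {
  alias = "admin"
}

# Object ID of the automation Service Principal (placeholder value).
variable "automation_sp_object_id" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000" # placeholder: replace with the real object ID
}

# --- Part 1: least-privilege Graph roles for the automation principal ---

# Well-known application ID of Microsoft Graph in every tenant.
data "azuread_service_principal" "msgraph" {
  provider       = azuread.admin
  application_id = "00000003-0000-0000-c000-000000000000"
}

# Group.ReadWrite.All is sufficient for ordinary security groups.
resource "azuread_app_role_assignment" "group_readwrite" {
  provider            = azuread.admin
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
  principal_object_id = var.automation_sp_object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# RoleManagement.ReadWrite.Directory is the role the 403 in the question was
# missing: Graph requires it to create a group with isAssignableToRole = true.
resource "azuread_app_role_assignment" "rolemgmt_readwrite" {
  provider            = azuread.admin
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["RoleManagement.ReadWrite.Directory"]
  principal_object_id = var.automation_sp_object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# --- Part 2: the groups, created by the automation principal ---

# Ordinary security group: works with Group.ReadWrite.All alone.
resource "azuread_group" "dba_platform" {
  display_name     = "AzureAD_DBA-Platform"
  security_enabled = true
}

# Role-assignable group: needs RoleManagement.ReadWrite.Directory as well.
# The flag can only be set at creation time and such groups cannot use
# dynamic membership, so plan the group as role-assignable from the start.
resource "azuread_group" "dba_platform_admins" {
  display_name       = "AzureAD_DBA-Platform_Admins"
  security_enabled   = true
  assignable_to_role = true

  # Ensure the grant exists before the first apply attempts the privileged call.
  depends_on = [azuread_app_role_assignment.rolemgmt_readwrite]
}
```

Newly granted app roles can take a few minutes to propagate in the tenant, so a 403 immediately after the grant is applied does not necessarily mean the assignment is wrong; re-running `terraform apply` once the consent shows up under the principal's API permissions is the usual check.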

Thank you for coming back to post your solution!

I can confirm that this indeed fixes this issue.

This did the trick. Was having the same issue. Added permissions to service principal and I can confirm that it worked.

cramsey86, would you mind telling me how this is done? Or, point to the documentation for this specifically? Thanks