I have recently upgraded from using the azuread 1.X.X provider to the azuread 2.X.X provider and am now getting the following when trying to create a new Azure AD Group.
```
Error: Creating group "AzureAD_DBA-Platform_Admins"

  on modules\azuread-solution-aadgroup\2.0.0\modules.tf line 6, in resource "azuread_group" "aadgroup_module_resource":
   6: resource "azuread_group" "aadgroup_module_resource" {

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.
```
I am using a Service Principal with a Client Secret to authenticate:
```hcl
terraform {
  required_version = ">= 0.13.5"
  required_providers {
    azuread = {
      source  = "registry.terraform.io/hashicorp/azuread"
      version = "~> 2.0.1"
    }
  }
}

provider "azuread" {
  client_id     = var.aad_principals[terraform.workspace]
  client_secret = var.aad_passwords[terraform.workspace]
  tenant_id     = var.aad_tenant_ids[terraform.workspace]
  version       = "=2.0.1"
  alias         = "xyz"
}
```
I have followed the documentation here for which API Permissions in Azure AD to provide:
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_configuration
I have also given it additional ones, as it has been failing with that error (the Azure Active Directory Graph permissions are from when I was using the old provider).
I am also able to successfully log into the Azure CLI with this same Service Principal and create an Azure AD group that way.
Any assistance would be greatly appreciated.
I was able to resolve my issue.
When the `assignable_to_role` parameter is set to `true`, your Service Principal needs to have Microsoft Graph RoleManagement permissions. This makes complete sense, but I didn't see it anywhere in the documentation.
Now if only Terraform had a way to specify all the AAD Role Assignments those groups should have…
Thank you for coming back to post your solution!
I can confirm that this indeed fixes this issue.
opened 10:56PM - 03 Nov 21 UTC
After updating to provider 2.x and trying to create a group, I was constantly getting the below error.
```
GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.
```
I ended up stumbling across this forum entry.
https://discuss.hashicorp.com/t/insufficient-privileges-when-trying-to-create-azuread-group-azuread-2-0-1/28866
That entry pointed me to the tables below, which are out of date for the provider. I'm not sure if this is the only permission missing though.
>https://github.com/hashicorp/terraform-provider-azuread/blob/main/docs/guides/service_principal_configuration.md
>https://github.com/hashicorp/terraform-provider-azuread/blob/main/docs/guides/microsoft-graph.md
If you try to create a group with `assignable_to_role = true` then the account you are using requires an additional permission (RoleManagement.ReadWrite.Directory).
## Old Table
Resource(s) | Role Name(s)
-- | --
data.azuread_application <br /> data.azuread_service_principal | Application.Read.All
data.azuread_domains | Domain.Read.All
data.azuread_group <br /> data.azuread_groups | Group.Read.All
data.azuread_user <br /> data.azuread_users | User.Read.All
azuread_application <br /> azuread_application_certificate <br /> azuread_application_password <br /> azuread_service_principal <br /> azuread_service_principal_certificate <br /> azuread_service_principal_password | Application.ReadWrite.All
azuread_group <br /> azuread_group_member | Group.ReadWrite.All
azuread_user | User.ReadWrite.All
## New Table
Resource(s) | Role Name(s)
-- | --
data.azuread_application <br /> data.azuread_service_principal | Application.Read.All
data.azuread_domains | Domain.Read.All
data.azuread_group <br /> data.azuread_groups | Group.Read.All
data.azuread_user <br /> data.azuread_users | User.Read.All
azuread_application <br /> azuread_application_certificate <br /> azuread_application_password <br /> azuread_service_principal <br /> azuread_service_principal_certificate <br /> azuread_service_principal_password | Application.ReadWrite.All
azuread_group <br /> azuread_group_member | Group.ReadWrite.All <br /> `RoleManagement.ReadWrite.Directory`
azuread_user | User.ReadWrite.All
This did the trick. Was having the same issue. Added permissions to service principal and I can confirm that it worked.
cramsey86, would you mind telling me how this is done? Or, point to the documentation for this specifically? Thanks
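The fix the thread arrives at (grant the automation service principal `Group.ReadWrite.All` plus `RoleManagement.ReadWrite.Directory` as Microsoft Graph application permissions before creating a group with `assignable_to_role = true`) can itself be expressed in Terraform. The following is an added example, not code from the thread or from the azuread provider's own docs: it assumes an administrator-run default provider that may assign app roles, an aliased `automation` provider authenticated as the service principal (client ID, secret and tenant supplied through the assumed variables `automation_client_id`, `automation_client_secret` and `tenant_id`), and the display names `terraform-automation` and `AzureAD_DBA-Platform_Admins`. The Microsoft Graph application ID `00000003-0000-0000-c000-000000000000` is the well-known value; the app role GUIDs are looked up from the Graph service principal rather than hard-coded.

```hcl
# Added example (not from the thread): grant the automation service principal
# the Graph application permissions azuread 2.x needs for a role-assignable
# group, then create the group as that service principal.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# Default provider: run by a tenant administrator who may assign app roles.
provider "azuread" {}

# Aliased provider: the automation service principal from the question.
# Variables are assumed for this example.
provider "azuread" {
  alias         = "automation"
  client_id     = var.automation_client_id
  client_secret = var.automation_client_secret
  tenant_id     = var.tenant_id
}

# Microsoft Graph's well-known application (client) ID. Its app_role_ids map
# resolves permission names to the GUIDs Azure AD expects.
data "azuread_service_principal" "msgraph" {
  application_id = "00000003-0000-0000-c000-000000000000"
}

locals {
  # Application permissions needed for azuread_group with assignable_to_role
  # = true: Group.ReadWrite.All plus the one missing from the docs table.
  graph_app_roles = [
    "Group.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
  ]
}

resource "azuread_application" "automation" {
  display_name = "terraform-automation" # assumed name

  required_resource_access {
    resource_app_id = data.azuread_service_principal.msgraph.application_id

    dynamic "resource_access" {
      for_each = local.graph_app_roles
      content {
        id   = data.azuread_service_principal.msgraph.app_role_ids[resource_access.value]
        type = "Role" # application permission, not a delegated scope
      }
    }
  }
}

resource "azuread_service_principal" "automation" {
  application_id = azuread_application.automation.application_id
}

# required_resource_access only records the request; the app role assignment
# is what actually grants (admin-consents) each permission to the principal.
resource "azuread_app_role_assignment" "automation_graph" {
  for_each            = toset(local.graph_app_roles)
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = azuread_service_principal.automation.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Created as the automation service principal. Without the assignments above
# this is the call that fails with Authorization_RequestDenied (403).
resource "azuread_group" "dba_platform_admins" {
  provider           = azuread.automation
  display_name       = "AzureAD_DBA-Platform_Admins"
  security_enabled   = true
  assignable_to_role = true

  depends_on = [azuread_app_role_assignment.automation_graph]
}
```

Two points worth checking before applying this in a real tenant: `RoleManagement.ReadWrite.Directory` lets the holder change directory role membership tenant-wide, so it belongs only on a principal whose sole job is creating role-assignable groups, and the `depends_on` matters because a freshly granted app role can take a short while to take effect, so a failing first apply should be retried rather than treated as a misconfiguration.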