Insufficient Privileges when trying to create AzureAD Group (azuread 2.0.1)

I have recently upgrade from using the azuread 1.X.X provider to the azuread 2.X.X provider and am getting the following now when trying to create a new Azure AD Group.

Error: Creating group "AzureAD_DBA-Platform_Admins"

  on modules\azuread-solution-aadgroup\2.0.0\modules.tf line 6, in resource "azuread_group" "aadgroup_module_resource":
   6: resource "azuread_group" "aadgroup_module_resource" {

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

I am using a Service Principal with a Client Secret to authenticate:

terraform {
  required_version = ">= 0.13.5"

  required_providers {
    azuread = {
      source  = "registry.terraform.io/hashicorp/azuread"
      version = "~> 2.0.1"
    }
  }
}

provider "azuread" {
  client_id                   = var.aad_principals[terraform.workspace]
  client_secret               = var.aad_passwords[terraform.workspace]
  tenant_id                   = var.aad_tenant_ids[terraform.workspace]
  version                     = "=2.0.1"
  alias                       = "xyz"
}

I have followed the documentation here for which API Permissions in Azure AD to provide:

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_configuration

But have also given it additional ones as it has been failing with that error (Azure Active Directory Graph are from when using old provider)

I am also able to successfully log into the Azure CLI with this same Service Principal and create an Azure AD group that way.

Any assistance would be greatly appreciated.

I was able to resolve my issue.

when having the “assignable_to_role” parameter set to “true”, your Service Principal needs to have Microsoft Graph RoleManagement permissions. Which makes complete sense, but I didnt see it anywhere in the documentation.

Now if only Terraform had a way to specify all the AAD Role Assignments those groups should have…