Required Service Principal Permissions to Read AD Users and Group details

Hi all,

I have created a service principal to be responsible for the Terraform deployment.
Currently this user has the below permissions, but I am still getting 403 when trying to read user or group data from the AzureAD provider.

  • Application.Read.All - Delegated
  • Application.ReadWrite.All - Delegated
  • Group.Read.All - Delegated
  • Group.ReadWrite.All - Delegated
  • User.Read - Delegated
  • User.Read.All - Delegated
  • User.ReadWrite.All - Delegated

Can someone assist on what might be missing since these permissions are already quite permissive?

Thank you


Which version of the provider are you using?
For the azuread provider version 2.x the appropriate permissions have to be Microsoft Graph permissions, for version 1 it’s different.

I am using version 2.x.
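With azuread provider 2.x the provider signs in as the service principal itself (client credentials), so the Microsoft Graph permissions that count are application permissions (`type = "Role"`) that have been granted (admin consent); delegated permissions (`type = "Scope"`) only apply when a signed-in user is present. The configuration below is an added example, not the poster's configuration and not code from the azuread provider project. It registers a deployment application with only the read-only Graph roles `User.Read.All` and `Group.Read.All`, performs the tenant-side grant for both, and then reads one user and one group. Names such as `tf-deployer`, `someone@example.com` and `Example Group` are placeholders; the `application_id` arguments assume a 2.x provider release (later releases prefer `client_id`). The application registration and role assignments must be applied by an identity that is permitted to grant app roles, not by the service principal being created; the two data sources at the end are what the deployer's own Terraform run would execute and are included only to show the reads that the grants unlock.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azuread" {}

# Well-known application IDs published by Microsoft; only Microsoft Graph is needed here.
data "azuread_application_published_app_ids" "well_known" {}

# The Microsoft Graph service principal in this tenant; it exposes the
# app role (application permission) IDs by name via app_role_ids.
resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

# The deployment application (placeholder name). Only read-only Graph roles
# are requested: ReadWrite.All roles are not needed to read users and groups.
resource "azuread_application" "deployer" {
  display_name = "tf-deployer"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # type = "Role" is an application permission. type = "Scope" would be a
    # delegated permission and would not apply to a client-credential sign-in.
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["Group.Read.All"]
      type = "Role"
    }
  }
}

resource "azuread_service_principal" "deployer" {
  application_id = azuread_application.deployer.application_id
}

# Requesting a permission is not the same as holding it: these assignments are
# the tenant-side grant (admin consent). Without them Graph still answers 403.
resource "azuread_app_role_assignment" "user_read_all" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
  principal_object_id = azuread_service_principal.deployer.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id
}

resource "azuread_app_role_assignment" "group_read_all" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["Group.Read.All"]
  principal_object_id = azuread_service_principal.deployer.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id
}

# Reads that succeed once the deployer authenticates with its own credentials
# (placeholder values; in practice these live in the deployment configuration).
data "azuread_user" "example" {
  user_principal_name = "someone@example.com"
}

data "azuread_group" "example" {
  display_name     = "Example Group"
  security_enabled = true
}

output "user_object_id" {
  value = data.azuread_user.example.object_id
}

output "group_object_id" {
  value = data.azuread_group.example.object_id
}
```

A quick check after applying: in the application's API permissions view in the Entra (Azure AD) portal, each Graph permission should be listed with type Application, not Delegated, and show a granted status for the tenant; a permission that is merely listed as requested but not granted still yields 403 for the provider.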