Required Service Principal Permissions to Read AD Users and Group details

djpirra · January 18, 2022, 7:34am

Hi all,

I have created a service principal to be responsible for the Terraform deployment.
Currently this user as the below permissions, but I am still getting 403 when trying to read user or group data from AzureAD provider.

Application.Read.All - Delegated
Application.ReadWrite.All - Delegated
Group.Read.All - Delegated
Group.ReadWrite.All - Delegated
User.Read - Delegated
User.Read.All - Delegated
User.ReadWrite.All - Delegated

Can someone assist on what might be missing since these permissions are already quite permissive?

Thank you

Regards,
LS

tbugfinder · January 18, 2022, 7:41pm

Which version of the provider are you using?
For the azuread provider version 2.x the appropriate permissions have to be Microsoft Graph permissions, for version 1 it’s different.

djpirra · January 19, 2022, 6:28am

I am using version 2.x.

Topic		Replies	Views
Azuread_application as Service Principal Terraform Providers	1	1191	September 14, 2020
Azuread_service_principal permissions Directory.ReadWrite.All Azure azure	2	1180	January 25, 2022
Service principle permissions for azuread Terraform Providers	1	708	November 20, 2019
Insufficient Privileges when trying to create AzureAD Group (azuread 2.0.1) Azure azure	4	12461	August 4, 2022
Service Principal to access AD Azure	0	342	June 16, 2021

Required Service Principal Permissions to Read AD Users and Group details

Related topics