I’m trying to create the Azure AD Group using the following terraform code
# Required Provider
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 3.0.2"
}
}
required_version = ">= 1.1.0"
}
# Configure the Microsoft Azure Provider
provider "azurerm" {
features {}
....
....
}
data "azuread_client_config" "current" {}
# Variables
variable "ad_groups" {
description = "Azure AD groups to be added"
type = list(object({
display_name = string,
description = string
}))
default = [
{
display_name = "Group1"
description = "some description"
},
{
display_name = "Group2"
description = "some description"
}
]
}
# Create AD Groups and add the Current User
resource "azuread_group" "this"{
count = length(var.ad_groups)
display_name = var.ad_groups[count.index].display_name
description = var.ad_groups[count.index].description
security_enabled = true
prevent_duplicate_names = true
owners = [data.azuread_client_config.current.object_id]
}
and I am getting the following error
**Error:** could not check for existing group(s): unable to list Groups with filter "displayName eq 'Group1'": GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
This service principal has the following roles at the Management group level
Does it need both the Directory.ReadWrite.All and Group.ReadWrite.All API Permissions? If not, what access does it need?
Note: If I disable the "prevent_duplicate_names = true" and apply the terraform, it throws the following error
GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
CodePudding user response:
I tried to reproduce the same in my environment via Postman and got below results:
By default, newly created application will have User.Read API permission already added to it.
I registered one new Azure AD application named GroupSP and has API permission like below:
Without adding any extra API permission, I generated one access token using client credentials flow via Postman like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:client_credentials
client_secret:<secret>
scope: https://graph.microsoft.com/.default
Response:
When I used the above token to create Azure AD group with owner, I got same error as below:
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json
{
"description": "Group with designated owner",
"displayName": "Group1",
"groupTypes": [ ],
"mailEnabled": false,
"mailNickname": "srigroup",
"securityEnabled": true,
"[email protected]": [
"https://graph.microsoft.com/v1.0/users/<userID>"
]
}
Response:
To resolve the error, I added Directory.ReadWrite.All API permission to the service principal like below:
After granting admin consent to above permission, I generated access token again and ran the same query and got response successfully as below:
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json
{
"description": "Group with designated owner",
"displayName": "Group1",
"groupTypes": [ ],
"mailEnabled": false,
"mailNickname": "srigroup",
"securityEnabled": true,
"[email protected]": [
"https://graph.microsoft.com/v1.0/users/<userID>"
]
}
Response:
To confirm that, I checked the Portal where Azure AD group is created, and owner added successfully like below:
You can also check Audit logs of that created group like below:
In your case, make sure to add Directory.ReadWrite.All API permission to your service principal that resolves 403 Forbidden error.
If Directory.ReadWrite.All permission is added to the service principal, Group.ReadWrite.All permission is not required.