
az devops security group create fails when using --origin-id

Open JamesStanley opened this issue 5 years ago • 2 comments

Describe the bug

When using an Azure DevOps pipeline with the System.AccessToken the following command fails:

az devops security group create --origin-id $($existingAzureAD_GroupObjectId) --groups $($vssgp.someDescriptorForGroup) --scope organization --org https://dev.azure.com/$($organization)

Error message:

request failed: Error occurred in request., RetryError: HTTPSConnectionPool(host='vssps.dev.azure.com', port=443): Max retries exceeded with url: /xxxxx-xxxx/_apis/Graph/Groups?groupDescriptors=vssgp.xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Caused by ResponseError('too many 503 error responses',))

(Have replaced org and group ids with x's)

To Reproduce

Azure CLI version:

azure-cli 2.7.0 *
command-modules-nspkg 2.0.3
core 2.7.0 *
nspkg 3.0.4
telemetry 1.0.4

Extensions: azure-devops 0.18.0

Steps to reproduce the behavior:

  1. Create a yaml pipeline using the following task.

```yaml
- task: AzureCLI@2
  displayName: 'Create Azure Devops Projects'
  inputs:
    azureSubscription: 'pipeline_create_ado_projects'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      echo "$(System.AccessToken)" | az devops login
      az devops security group create --origin-id $($existingAzureAD_GroupObjectId) --groups $($vssgp.someDescriptorForGroup) --scope organization --org https://dev.azure.com/$($organization)
```

  2. Run pipeline....
  3. See error

Expected behavior

Azure Devops Group created.

Debug logs

request failed: Error occurred in request., RetryError: HTTPSConnectionPool(host='vssps.dev.azure.com', port=443): Max retries exceeded with url: /xxxxx-xxxx/_apis/Graph/Groups?groupDescriptors=vssgp.xxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Caused by ResponseError('too many 503 error responses',))

Additional context

If I use a personal access token in the pipeline it works fine so I think it may be down to permissions.

The PAT has the following scopes assigned:

  • Project and Team: Create, read, update, and delete
  • Graph: Read, group, scope, and add

I have made both the project build service as well as the ad app under which the Azure CLI task is running a member of "[TEAM FOUNDATION]\Enterprise Service Accounts"

Creating groups (using a yaml pipeline) without using an existing AAD group works fine, i.e.

echo "$(personalAccessToken)" | az devops login

az devops security group create --name 'Some group name' --groups 'vssgp.someDescriptorForGroupOne'

JamesStanley avatar Jun 26 '20 10:06 JamesStanley
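The failing URL in the error (`/_apis/Graph/Groups?groupDescriptors=vssgp...` on `vssps.dev.azure.com`) is the Graph REST call that `az devops security group create --origin-id` wraps. The script below, an added example that is not part of the issue or of the extension's own code, builds that same request directly so the call can be sent and triaged without the CLI: a PAT goes out as HTTP Basic with an empty user name, the pipeline's `System.AccessToken` as a bearer token, and the response status is sorted into "created", "auth" or "server" (the 503s the CLI kept retrying). The `api-version`, the organization name, the group descriptor and the object id are placeholders, and `fake_opener` is a constructed stand-in for `urlopen` so the flow runs offline.

```python
"""Send the Graph Groups request behind `az devops security group create --origin-id`
directly, with either a PAT or a pipeline OAuth token, and triage the HTTP status.
Added example; not the azure-devops extension's own code."""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

GRAPH_HOST = "https://vssps.dev.azure.com"
API_VERSION = "7.1-preview.1"   # assumption: use whichever api-version your org accepts


def auth_header(token: str, kind: str) -> str:
    """Authorization header for the two credential types used in the issue.

    A PAT travels as HTTP Basic with an empty user name; the pipeline's
    System.AccessToken is an OAuth bearer token.
    """
    if kind == "pat":
        return "Basic " + base64.b64encode(f":{token}".encode()).decode()
    if kind == "oauth":
        return "Bearer " + token
    raise ValueError(f"unknown credential kind: {kind}")


def build_request(org: str, origin_id: str, group_descriptors: List[str],
                  token: str, kind: str) -> urllib.request.Request:
    """POST .../_apis/graph/groups?groupDescriptors=<parents> with
    {"originId": <AAD group object id>}: materialise the AAD group in the
    organization and add it to each listed parent group in one call."""
    url = (f"{GRAPH_HOST}/{org}/_apis/graph/groups"
           f"?groupDescriptors={','.join(group_descriptors)}"
           f"&api-version={API_VERSION}")
    body = json.dumps({"originId": origin_id}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": auth_header(token, kind),
        "Content-Type": "application/json",
        "Accept": "application/json",
    })


def classify(status: int) -> str:
    """Bucket the HTTP status the way you would triage this issue."""
    if status in (200, 201):
        return "created"
    if status in (401, 403, 203):   # 203 is ADO's sign-in-page answer to a rejected token
        return "auth"
    if status in (500, 502, 503, 504):
        return "server"             # the 503s the CLI kept retrying in the report
    return "other"


def create_group(req: urllib.request.Request,
                 opener: Callable = urllib.request.urlopen) -> Tuple[str, Dict]:
    """Send the request; return (bucket, parsed body or error details)."""
    try:
        with opener(req) as resp:
            return classify(resp.status), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return classify(err.code), {"status": err.code, "reason": err.reason}


def fake_opener(status: int, body: bytes = b"{}") -> Callable:
    """Constructed stand-in for urlopen so the flow can be exercised offline."""
    class _Resp:
        def __init__(self):
            self.status = status

        def read(self):
            return body

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def _open(req):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "constructed", {}, None)
        return _Resp()
    return _open


if __name__ == "__main__":
    # Placeholder org, descriptor and object id: not values from the issue.
    req = build_request("contoso", "00000000-0000-0000-0000-000000000000",
                        ["vssgp.someDescriptorForGroup"], "token", "oauth")
    print(req.full_url)
    print(create_group(req, fake_opener(201, b'{"descriptor": "aadgp.example"}')))
    print(create_group(req, fake_opener(503)))
```

To run it against a real organization, pass `urllib.request.urlopen` (the default) instead of `fake_opener` and put the PAT or `$(System.AccessToken)` in `token` with the matching `kind`; comparing the bucket you get for the PAT with the one for the pipeline token tells you whether the 503 is tied to the credential, which is what the thread is trying to establish.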

I was having the same problem. It seems to be a permission issue; I found that granting the respective Build Service account "Edit instance-level information" at the organization level resolved the issue.

rodney-almeida avatar Jul 08 '20 04:07 rodney-almeida

I have the same issue when running the same CLI command. I also have the same requirement to add an Entra ID group to a project group. The project collection build service is also a member of the Project Collection Administrators group at the org level. Has anyone been able to find the root cause for this?

CLI version - 2.59.0
Azure-devops extension version - 1.0.0

fluffydice avatar Apr 10 '24 15:04 fluffydice