terraform-provider-azuread
No group found matching specified filter
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
I am getting the following error when attempting to use azuread_group via a service principal:

```text
data.azuread_group.ad_group: Still reading... [30s elapsed]
Error: No group found matching specified filter (displayName eq 'my-group')
with data.azuread_group.ad_group,
on azure.tf line 26, in data "azuread_group" "ad_group":
26: display_name = var.ad_group
GroupsClient.BaseClient.Get(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the operation.
```
The docs for azuread_group mention the following:
When authenticated with a service principal, this resource requires one of the following application roles: Group.ReadWrite.All or Directory.ReadWrite.All
My service principal has both of these (apart from the write part) and has consent granted by my organisation:

This is certainly an issue with Azure permissions, but I am struggling to figure out which extra permission I need. The docs should probably be updated as well if extra perms are needed.
Can anyone shed any light on this?
Hi @axc450, whilst this is more of a usage question, in case there is an issue could you please post a debug log (e.g. TF_LOG=DEBUG)? This will show the token claims, and all the requests/responses involved. Thanks.
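One way to read the token claims the maintainer refers to, offline and without waiting for a full debug run, is to decode the payload segment of the Graph access token the service principal presents and look at its `roles` claim. The script below is an added example, not code from the thread or the provider; it builds a constructed, unsigned sample token for demonstration, and the role lists, the `check_graph_roles` function and the `SAMPLE_TOKEN` name are this example's own choices.

```python
"""Inspect the Microsoft Graph access token a service principal presents and report
whether it carries the application roles the azuread_group docs call for."""
import base64
import json

# Roles named in the azuread_group docs for service-principal auth (from the issue).
DOCUMENTED_ROLES = {"Group.ReadWrite.All", "Directory.ReadWrite.All"}
# Read-only roles the reporters say their service principals actually hold.
READ_ONLY_ROLES = {"Group.Read.All", "Directory.Read.All"}
# Microsoft Graph appears as either its URL or its well-known application id in 'aud'.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    No signature check is done: this inspects a token we already hold, it does not validate one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_roles(token: str) -> dict:
    """Summarise the permission-related claims relevant to the azuread provider."""
    claims = token_claims(token)
    roles = set(claims.get("roles", []))          # application permissions land in 'roles'
    scopes = set(claims.get("scp", "").split())   # delegated permissions land in 'scp'
    return {
        "audience_is_graph": claims.get("aud") in GRAPH_AUDIENCES,
        "app_roles": sorted(roles),
        "delegated_scopes": sorted(scopes),
        "has_documented_role": bool(roles & DOCUMENTED_ROLES),
        "has_read_only_role": bool(roles & READ_ONLY_ROLES),
    }


def _constructed_token(payload: dict) -> str:
    """Build an unsigned sample token for offline demonstration (constructed, not a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.no-signature"


# Constructed payload mirroring the second reporter: a service principal holding only Directory.Read.All.
SAMPLE_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com", "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    print(json.dumps(check_graph_roles(SAMPLE_TOKEN), indent=2))
```

For a real token, pass the `accessToken` value from `az account get-access-token --resource https://graph.microsoft.com` to `check_graph_roles` instead of `SAMPLE_TOKEN`; a token whose `roles` claim lacks the documented roles explains a 403 regardless of what the portal shows, while a token that has them points the investigation at the specific request in the debug log.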
I have the same issue, for me the service principal only has the Directory.Read.All permission and here's the failing request captured from the logs:
```text
2023-03-06T13:27:01.3920949Z 2023-03-06T13:27:01.391Z [INFO] provider.terraform-provider-azuread_v2.36.0_x5: 2023/03/06 13:27:01 [DEBUG] ============================ Begin AzureAD Response ===========================
2023-03-06T13:27:01.3936921Z GET https://graph.microsoft.com/beta/groups/{group-id}?%24select=allowExternalSenders%2CautoSubscribeNewMembers%2ChideFromAddressLists%2ChideFromOutlookClients
2023-03-06T13:27:01.3937795Z Request ID: a4edcedd-9da3-6c55-8787-23da147211c7
2023-03-06T13:27:01.3938221Z
2023-03-06T13:27:01.3938329Z HTTP/1.1 403 Forbidden
2023-03-06T13:27:01.3938641Z Transfer-Encoding: chunked
2023-03-06T13:27:01.3938961Z Cache-Control: private
2023-03-06T13:27:01.3939373Z Client-Request-Id: 41eee7c9-6cb5-4f8b-a829-d73e858d8db2
2023-03-06T13:27:01.3939935Z Content-Type: application/json
2023-03-06T13:27:01.3940232Z Date: Mon, 06 Mar 2023 13:27:00 GMT
2023-03-06T13:27:01.3940636Z Request-Id: 41eee7c9-6cb5-4f8b-a829-d73e858d8db2
2023-03-06T13:27:01.3941058Z Strict-Transport-Security: max-age=31536000
2023-03-06T13:27:01.3941412Z Vary: Accept-Encoding
2023-03-06T13:27:01.3942006Z X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"005","RoleInstance":"SJ1PEPF00000A87"}}
2023-03-06T13:27:01.3942499Z
2023-03-06T13:27:01.3942589Z 100
2023-03-06T13:27:01.3943453Z {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again.","innerError":{"date":"2023-03-06T13:27:01","request-id":"41eee7c9-6cb5-4f8b-a829-d73e858d8db2","client-request-id":"41eee7c9-6cb5-4f8b-a829-d73e858d8db2"}}}
2023-03-06T13:27:01.3944257Z 0
2023-03-06T13:27:01.3944385Z
2023-03-06T13:27:01.3944391Z
```
I'm not sure what else to look into to fix this one; any help would be appreciated.