terraform-provider-azuread
Unable to import azuread_directory_role_eligibility_schedule_request with a Global Administrator user.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Affected Resource(s)
- azuread_directory_role_eligibility_schedule_request
Terraform Configuration Files
Debug Output
Error: Retrieving roleEligibilityScheduleRequest "xxxx-xxx-xxxx-xxxx-xxxxxxxxx"
RoleEligibilityScheduleRequestClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory.","instanceAnnotations":[]}
Panic Output
Expected Behavior
Normally, I can use my account that is Global Administrator to import AzureAD resources into state.
Actual Behavior
Errored with missing API permissions.
Steps to Reproduce
- terraform import
Important Factoids
References
- #0000
I'm running into a similar issue when creating the azuread_directory_role_eligibility_schedule_request from scratch.
resource "azuread_directory_role" "internal_it_helpdesk_admin" {
  display_name = "Helpdesk Administrator"
}

# PIM eligibility for the group (azuread_group.internal_it_operator is defined elsewhere in the configuration)
resource "azuread_directory_role_eligibility_schedule_request" "internal_it_helpdesk_admin" {
  role_definition_id = azuread_directory_role.internal_it_helpdesk_admin.template_id
  principal_id       = azuread_group.internal_it_operator.object_id
  directory_scope_id = "/"
  justification      = "Internal-IT"
}
Running the operation as Global Admin.
I am also experiencing this! Did you manage to find a solution @SebRosander ?
So far the only possible avenue I am seeing is running the Terraform via a service principal with those permissions delegated... which I'm not keen on for other reasons...
@mhosker - I've seen on other issues it's all related to AzureCLI and the only work around right now is to use a Service Principal instead.
Running into the same issue.
I have the Directory Role Privileged Role Administrator assigned to my user but get the error
RoleEligibilityScheduleRequestClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory.","instanceAnnotations":[]}
when trying to create a resource azuread_directory_role_eligibility_schedule_request.
For now I have created a SP with the required Graph permissions.
Provider Version: 2.53.1
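The workaround the thread converges on is a service principal granted the two Microsoft Graph application permissions that the 403 names. As an added example (not from this issue or the provider), the script below parses that PermissionScopeNotGranted message and diffs the named scopes against the app roles actually granted to the Terraform service principal, so the gap can be confirmed and only the missing permission granted. The app role ids, the assignment list and the Graph service principal object id are constructed placeholders; in a real tenant they come from the SP's appRoleAssignments and the Microsoft Graph service principal's appRoles.

```python
import json
import re

# Object id of the Microsoft Graph service principal in the tenant. Placeholder value;
# a real one is looked up from the tenant (Graph app id 00000003-0000-0000-c000-000000000000).
GRAPH_SP_OBJECT_ID = "00000000-graph-sp-object-id-placeholder"

def required_scopes_from_error(err_text: str) -> list[str]:
    """Return the scope names a PermissionScopeNotGranted 403 says are missing."""
    body, _ = json.JSONDecoder().raw_decode(err_text[err_text.index("{"):])
    if body.get("errorCode") != "PermissionScopeNotGranted":
        return []
    m = re.search(r"missing permission scope\s+(.+)$", body.get("message", ""))
    if not m:
        return []
    # The list is comma-separated and the sentence ends with a period.
    return [s.strip() for s in m.group(1).rstrip(".").split(",") if s.strip()]

def granted_graph_app_roles(assignments: list[dict], graph_app_roles: list[dict]) -> set[str]:
    """Map the Terraform SP's appRoleAssignments on Microsoft Graph to permission names."""
    id_to_value = {r["id"]: r["value"] for r in graph_app_roles}
    return {id_to_value[a["appRoleId"]] for a in assignments
            if a.get("resourceId") == GRAPH_SP_OBJECT_ID and a["appRoleId"] in id_to_value}

def missing_permissions(required: list[str], granted: set[str]) -> list[str]:
    """Scopes the error demands that the SP has not been granted (sorted for stable output)."""
    return sorted(set(required) - granted)

# Constructed sample: the error text from the issue, with Terraform's trailing box character kept.
SAMPLE_ERROR = ('RoleEligibilityScheduleRequestClient.BaseClient.Get(): unexpected status 403 '
                'with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted",'
                '"message":"Authorization failed due to missing permission scope '
                'RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory.",'
                '"instanceAnnotations":[]} ╵')

# Constructed sample of Graph's appRoles; the ids are placeholders, not the real app role ids.
SAMPLE_GRAPH_APP_ROLES = [
    {"id": "11111111-1111-1111-1111-111111111111", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "22222222-2222-2222-2222-222222222222", "value": "RoleEligibilitySchedule.ReadWrite.Directory"},
]
# Constructed sample: the SP was granted only one of the two roles.
SAMPLE_ASSIGNMENTS = [
    {"resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    required = required_scopes_from_error(SAMPLE_ERROR)
    granted = granted_graph_app_roles(SAMPLE_ASSIGNMENTS, SAMPLE_GRAPH_APP_ROLES)
    print("required:", required)
    print("missing :", missing_permissions(required, granted))  # ['RoleEligibilitySchedule.ReadWrite.Directory']
```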