
azuread_privileged_access_group_eligibility_schedule - permissions error despite Graph and Entra role applied to service principal

Open danrvu opened this issue 1 year ago • 7 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_privileged_access_group_eligibility_schedule

The service principal has the roles that are stated in the error for Graph and also has Privileged Role Administrator.

Terraform Configuration Files

resource "azuread_privileged_access_group_eligibility_schedule" "example" {
  for_each        = local.group_eligible_membership
  group_id        = azuread_group.groups[each.value.group].id  # PIM-enabled group
  principal_id    = azuread_group.groups[each.value.member].id # group made eligible
  assignment_type = "member"
  duration        = "P30D"
}

Debug Output

Error: Could not create assignment schedule request,
PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
unexpected status 403 with OData error: UnknownError:
{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}

  with azuread_privileged_access_group_eligibility_schedule.example["xxxx"],
  on roles.tf line 8, in resource "azuread_privileged_access_group_eligibility_schedule" "example":
   8: resource "azuread_privileged_access_group_eligibility_schedule" "example" {

Panic Output

Expected Behavior

Should have created the eligible assignment for the group

Actual Behavior

Failed with the above error

Steps to Reproduce

  1. Create a service principal that has the necessary permissions as stated in the documentation
  2. Use the AzureCLI@2 task to deploy the resource in ADO YAML
  3. TF vars to allow one group to have an eligible assignment on the PAG group
  4. terraform apply

Important Factoids

References

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_eligibility_schedule


danrvu avatar May 21 '24 14:05 danrvu

This seems to be a "bug" in Azure CLI login where the Global Administrator role is not propagated using the Microsoft Azure CLI enterprise application. The suggested solution is to log in using a service principal with the PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup capability enabled. We deploy using a pipeline with a service principal and this works for us.

tehho avatar Jun 10 '24 14:06 tehho

I have a similar issue but with my user permissions. I created a group and I am able to set up PIM on it from the Azure Portal, though via Terraform running from my laptop and logged in with az login, I get a permissions error:

Error: Could not create assignment schedule request,
PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
 unexpected status 403 with OData error: UnknownError: 
{
   "errorCode":"PermissionScopeNotGranted",
   "message":"Authorization failed due to missing permission scope 
PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.",
   "instanceAnnotations":[]
}

EDIT

Maybe it is another issue or feature request but being a Group owner should be sufficient to be allowed to configure PIM on a given group (that's what Azure Portal requires).

Requesting Directory Roles for this is blocking most of the users (it limits the usage of the 3 PIM resources to Company-level Entra ID administrators).

HenriBlacksmith avatar Sep 24 '24 08:09 HenriBlacksmith

I have a similar issue using az login. Any details about the role not being propagated using the Microsoft Azure CLI enterprise application?

xmarcelet-saas avatar Oct 24 '24 13:10 xmarcelet-saas

@xmarcelet-saas Seems to be an issue with the MS Graph access token issued by az cli. You can replicate or further understand the issue by viewing the JWT issued when accessing Graph Explorer, and then, separately, the az access token from az account get-access-token --resource https://graph.microsoft.com. We can then compare the tokens by decoding them and reviewing the scp field, which will yield a different value, likely a more restrictive one than the one issued by Graph Explorer.

Similar discussion exists here: https://github.com/Azure/azure-cli/issues/22775 https://github.com/Azure/azure-cli/issues/30149

oc159 avatar Oct 29 '24 13:10 oc159
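The comparison described above can be scripted. The following is an added example, not code from the issue or the provider: it decodes the payload of a Graph access token (no signature check; this is a local diagnostic of what the token claims, not an authorization decision) and reports which of the scopes named in the 403 error are absent. It assumes, as the error text suggests, that the listed scopes are alternatives and any one of them is sufficient. Delegated tokens from az login carry permissions in the scp claim, while app-only tokens from a service principal carry them in the roles claim, so both are read. The sample token is constructed and unsigned; the script name check_graph_scopes.py is an assumption.

```python
"""Check whether a Microsoft Graph access token carries one of the permission
scopes that the PIM-for-groups eligibility schedule API demands."""
import base64
import json
import sys

# Scopes named in the PermissionScopeNotGranted error quoted in this issue.
REQUIRED_SCOPES = (
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
    "PrivilegedAccess.ReadWrite.AzureADGroup",
    "PrivilegedEligibilitySchedule.Remove.AzureADGroup",
)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is not verified: this only inspects what the token says."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    """Permissions in the token: 'scp' (delegated, space-separated string)
    plus 'roles' (app-only, list of strings)."""
    scp = claims.get("scp", "")
    granted = set(scp.split()) if isinstance(scp, str) else set(scp)
    granted.update(claims.get("roles", []))
    return granted


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> list:
    """Entries of `required` that the token does not carry, in order."""
    granted = granted_permissions(jwt_claims(token))
    return [s for s in required if s not in granted]


def token_authorizes(token: str, required=REQUIRED_SCOPES) -> bool:
    """True when the token carries at least one of the required scopes
    (assumption: Graph lists acceptable alternatives in the error)."""
    return len(missing_scopes(token, required)) < len(required)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for offline testing."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample resembling a delegated token whose scp lacks the PIM scopes.
SAMPLE_CLI_TOKEN = make_unsigned_token({
    "aud": "https://graph.microsoft.com",
    "scp": "Directory.AccessAsUser.All Group.ReadWrite.All User.Read email openid profile",
})

if __name__ == "__main__":
    # Real use:
    #   az account get-access-token --resource https://graph.microsoft.com \
    #     --query accessToken -o tsv | python3 check_graph_scopes.py
    token = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_TOKEN
    absent = missing_scopes(token)
    if token_authorizes(token):
        print("OK: token carries a PIM group scope; missing alternatives:", absent)
    else:
        print("FAIL: token carries none of:", ", ".join(absent))
        sys.exit(1)
```

Run it against the az CLI token and against the Graph Explorer token to see the difference the comment above describes; a service principal logged in with client credentials will show the permission under roles rather than scp.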

I am getting the same error when trying to configure an eligible assignment. It works fine via the Azure portal, but I get the error below in Terraform (with the same user):

│ Error: creating eligibility schedule request: unexpected status 403 (403 Forbidden) with error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}

Mabog10 avatar Dec 19 '24 16:12 Mabog10

Unfortunately this API cannot be used when authenticating with Azure CLI - specifically that it does not include the necessary scopes in the access token. This is unfortunately a limitation of Azure CLI at this time.

manicminer avatar Jan 08 '25 21:01 manicminer

I am getting the same error:

│ Error: creating eligibility schedule request: unexpected status 403 (403 Forbidden) with error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}

Using a user-assigned identity with an eligible assignment in Entra ID. The CLI is running in a DevOps agent container which has the identity assigned.

Funny thing is, we have two tenants for test and production loads.

In both tenants we have exactly the same resources rolled out with Terraform, but in one tenant we are not getting the error.

Mewtos7 avatar Apr 17 '25 10:04 Mewtos7