terraform-provider-azuread
terraform-provider-azuread copied to clipboard
hashicorp
azuread_group_role_management_policy throws 403 permission scope not granted error
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_group_role_management_policy
Terraform Configuration Files
resource "azuread_group_role_management_policy" "example" {
group_id = data.azuread_group.example.id
role_id = "member"
}
# created by SpokeBaseline/eu-dev
data "azuread_group" "example" {
display_name = "sg-somegroup"
}
Debug Output
Panic Output
Expected Behavior
The azuread provider should run fine without a permission error.
Actual Behavior
╷
│ Error: Could not parse policy assignment ID, Could not list existing policy assignments, RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
│
│ with azuread_group_role_management_policy.example,
│ on main.tf line 2, in resource "azuread_group_role_management_policy" "example":
│ 2: resource "azuread_group_role_management_policy" "example" {
│
│ Could not parse policy assignment ID, Could not list existing policy assignments,
│ RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope
│ RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
╵
Steps to Reproduce
- Running as user
- User has global administrator role in Entra
terraform apply
Important Factoids
References
Maybe the following azure cli issues are helpful:
- https://github.com/Azure/azure-cli/issues/26471
- https://github.com/Azure/azure-cli/issues/22775
- https://github.com/Azure/azure-cli/issues/28854
Hi @cveld, thanks for reporting this. As you have suggested, this does seem to be an issue with the delegated permissions obtained by Azure CLI. At this time there is little we can do about it, except suggest, as it has been in the linked issue, that you use application credentials to authenticate instead of a user account (and furthermore, our recommendation would be to use the provider's native support rather than using Azure CLI). I recognise this may be undesirable or infeasible due to organizational policies or other concerns, however we are unfortunately blocked on Azure CLI at this time.
@manicminer if user identity is not supported as this moment, can you can add that to the docs? the current version gave the impression to me that it should work:
When authenticated with a user principal, this resource requires Global Administrator directory role, or the Privileged Role Administrator role in Identity Governance.
Yes, I'm hoping soon to audit the documented scopes for all resources and update accordingly.
Maybe azuread could implement its own user auth and provide a customizable client id 😅 well I am more a fan of delegating access tokens to az cli. But never hit into the limitation of the client id permissions before. That surprised me.
Any update? I am running into this issue as well on hashicorp/azuread 3.3.0
