Azure : GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges

OneDeveloper
January 2, 2023
173 views
0 votes
2 Answers

I’m trying to create the Azure AD Group using the following terraform code

# Required Provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.2"
    }
  }
  required_version = ">= 1.1.0"
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}

  ....
  ....
}

data "azuread_client_config" "current" {}

# Variables
variable "ad_groups" {
  description = "Azure AD groups to be added"
  type = list(object({
    display_name = string,
    description  = string   
  }))
  default = [
    {
      display_name = "Group1"
      description  = "some description"
    },
    {
      display_name = "Group2"
      description  = "some description" 
    }
  ]
}

# Create AD Groups and add the Current User
resource "azuread_group" "this"{
  count = length(var.ad_groups)
  display_name =  var.ad_groups[count.index].display_name
  description = var.ad_groups[count.index].description
  security_enabled = true
  prevent_duplicate_names = true  
  owners  = [data.azuread_client_config.current.object_id]
}

and I am getting the following error

**Error:** could not check for existing group(s): unable to list Groups with filter "displayName eq 'Group1'": GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

This service principal has the following roles at the Management group level

Does it need both the Directory.ReadWrite.All and Group.ReadWrite.All API Permissions? If not, what access does it need?

Note: If I disable the "prevent_duplicate_names = true" and apply the terraform, it throws the following error

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.

Answers

- Sridevi
- January 3, 2023 at 7:50 am
- 0 votes
0
I tried to reproduce the same in my environment via Postman and got below results:

By default, newly created application will have User.Read API permission already added to it.

I registered one new Azure AD application named GroupSP and has API permission like below:

Without adding any extra API permission, I generated one access token using client credentials flow via Postman like below:
```
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:client_credentials
client_secret:<secret>
scope: https://graph.microsoft.com/.default
```
Response:

When I used the above token to create Azure AD group with owner, I got same error as below:
```
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json

{
  "description": "Group with designated owner",
  "displayName": "Group1",
  "groupTypes": [ ],
  "mailEnabled": false,
  "mailNickname": "srigroup",
  "securityEnabled": true,
  "[email protected]": [
    "https://graph.microsoft.com/v1.0/users/<userID>"
  ]
}
```
Response:

To resolve the error, I added Directory.ReadWrite.All API permission to the service principal like below:

After granting admin consent to above permission, I generated access token again and ran the same query and got response successfully as below:
```
POST https://graph.microsoft.com/v1.0/groups
Content-Type: application/json

{
  "description": "Group with designated owner",
  "displayName": "Group1",
  "groupTypes": [ ],
  "mailEnabled": false,
  "mailNickname": "srigroup",
  "securityEnabled": true,
  "[email protected]": [
    "https://graph.microsoft.com/v1.0/users/<userID>"
  ]
}
```
Response:

To confirm that, I checked the Portal where Azure AD group is created, and owner added successfully like below:

You can also check Audit logs of that created group like below:

In your case, make sure to add Directory.ReadWrite.All API permission to your service principal that resolves 403 Forbidden error.

If Directory.ReadWrite.All permission is added to the service principal, Group.ReadWrite.All permission is not required.
Login or Signup to reply.

- IditBnaya
- March 13, 2023 at 2:01 pm
- 0 votes
0
I added the service Principal to Groups Administrator role in Azure AD and it worked for me.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.