
I'm trying to create Azure AD groups using the following Terraform code:

# Required providers
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.2"
    }
    # The azuread_* data source and resource below come from the azuread
    # provider, so declare it explicitly instead of relying on implicit lookup
    azuread = {
      source = "hashicorp/azuread"
    }
  }
  required_version = ">= 1.1.0"
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}

  ....
  ....
}

# Identity Terraform is running as (here the service principal); its object ID
# is used below as the owner of each group
data "azuread_client_config" "current" {}

# Variables
variable "ad_groups" {
  description = "Azure AD groups to be added"
  type = list(object({
    display_name = string,
    description  = string
  }))
  default = [
    {
      display_name = "Group1"
      description  = "some description"
    },
    {
      display_name = "Group2"
      description  = "some description"
    }
  ]
}

# Create AD Groups and add the Current User
resource "azuread_group" "this" {
  count                   = length(var.ad_groups)
  display_name            = var.ad_groups[count.index].display_name
  description             = var.ad_groups[count.index].description
  security_enabled        = true
  # Makes the provider list existing groups by displayName before creating,
  # which is the Get() call that fails with 403 in the error below
  prevent_duplicate_names = true
  owners                  = [data.azuread_client_config.current.object_id]
}

and I am getting the following error:

**Error:** could not check for existing group(s): unable to list Groups with filter "displayName eq 'Group1'": GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

This service principal has the following roles at the management group level:

Does it need both the Directory.ReadWrite.All and Group.ReadWrite.All API Permissions? If not, what access does it need?


Note: If I remove "prevent_duplicate_names = true" and apply the Terraform, it throws the following error:

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.


Answers

  1. I tried to reproduce the same in my environment via Postman and got the results below:

    By default, a newly created application already has the User.Read API permission added to it.

    I registered one new Azure AD application named GroupSP, which has API permissions like below:

    Without adding any extra API permission, I generated one access token using client credentials flow via Postman like below:

    POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
    client_id:<appID>
    grant_type:client_credentials
    client_secret:<secret>
    scope: https://graph.microsoft.com/.default
    

    Response:

    When I used the above token to create an Azure AD group with an owner, I got the same error as below:

    POST https://graph.microsoft.com/v1.0/groups
    Content-Type: application/json
    
    {
      "description": "Group with designated owner",
      "displayName": "Group1",
      "groupTypes": [ ],
      "mailEnabled": false,
      "mailNickname": "srigroup",
      "securityEnabled": true,
      "owners@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/<userID>"
      ]
    }
    

    Response:

    To resolve the error, I added the Directory.ReadWrite.All API permission to the service principal like below:

    After granting admin consent to the above permission, I generated the access token again, ran the same query and got a successful response as below:

    POST https://graph.microsoft.com/v1.0/groups
    Content-Type: application/json
    
    {
      "description": "Group with designated owner",
      "displayName": "Group1",
      "groupTypes": [ ],
      "mailEnabled": false,
      "mailNickname": "srigroup",
      "securityEnabled": true,
      "owners@odata.bind": [
        "https://graph.microsoft.com/v1.0/users/<userID>"
      ]
    }
    

    Response:

    To confirm that, I checked the Portal, where the Azure AD group was created and the owner was added successfully, like below:

    You can also check the Audit logs of that created group like below:

    In your case, make sure to add the Directory.ReadWrite.All API permission to your service principal; that resolves the 403 Forbidden error.

    If the Directory.ReadWrite.All permission is added to the service principal, the Group.ReadWrite.All permission is not required.

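As an added example (not part of the answer above), a short Python preflight check to run before terraform apply: it decodes an app-only token obtained with the client credentials request shown above and reports whether Directory.ReadWrite.All is among the application permissions in its `roles` claim, which is what Graph evaluates before answering 403. The two tokens are constructed, unsigned stand-ins for the before/after Postman runs, and the check reads claims without validating the signature.

```python
import base64
import json

# Microsoft Graph is identified in the 'aud' claim by either its URL or its app ID
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url(obj):
    """base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sample_token(claims):
    """Build a constructed, UNSIGNED sample token (header.payload.sig) for offline use."""
    return ".".join([_b64url({"typ": "JWT", "alg": "RS256"}), _b64url(claims), "sig"])


# Constructed tokens mirroring the two Postman runs: a fresh app with only the
# default (delegated) User.Read, whose app-only token carries no 'roles' claim,
# and the same app after Directory.ReadWrite.All was granted and consented.
TOKEN_DEFAULT_APP = _sample_token({"aud": "https://graph.microsoft.com"})
TOKEN_AFTER_CONSENT = _sample_token({
    "aud": "https://graph.microsoft.com",
    "roles": ["Directory.ReadWrite.All"],
})


def decode_claims(token):
    """Return a JWT's payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def app_roles(token):
    """Consented application permissions appear in 'roles'; a token without
    that claim has none, which is the state Graph rejects with 403."""
    return set(decode_claims(token).get("roles", []))


def missing_permissions(token, required):
    """Which of the required Graph application permissions the token lacks."""
    if decode_claims(token).get("aud") not in GRAPH_AUDIENCES:
        raise ValueError("token is not issued for Microsoft Graph")
    return sorted(set(required) - app_roles(token))
```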
  2. I added the service principal to the Groups Administrator role in Azure AD and it worked for me.