You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_group_role_management_policy
Terraform Configuration Files
resource"azuread_group_role_management_policy""example" {
group_id=data.azuread_group.example.idrole_id="member"
}
# created by SpokeBaseline/eu-devdata"azuread_group""example" {
display_name="sg-somegroup"
}
Debug Output
Panic Output
Expected Behavior
The azuread provider should run fine without a permission error.
Actual Behavior
╷
│ Error: Could not parse policy assignment ID, Could not list existing policy assignments, RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
│
│ with azuread_group_role_management_policy.example,
│ on main.tf line 2, in resource "azuread_group_role_management_policy" "example":
│ 2: resource "azuread_group_role_management_policy" "example" {
│
│ Could not parse policy assignment ID, Could not list existing policy assignments,
│ RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope
│ RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
╵
Hi @cveld, thanks for reporting this. As you have suggested, this does seem to be an issue with the delegated permissions obtained by Azure CLI. At this time there is little we can do about it, except suggest, as it has been in the linked issue, that you use application credentials to authenticate instead of a user account (and furthermore, our recommendation would be to use the provider's native support rather than using Azure CLI). I recognise this may be undesirable or infeasible due to organizational policies or other concerns, however we are unfortunately blocked on Azure CLI at this time.
@manicminer if user identity is not supported as this moment, can you can add that to the docs? the current version gave the impression to me that it should work:
When authenticated with a user principal, this resource requires Global Administrator directory role, or the Privileged Role Administrator role in Identity Governance.
Maybe azuread could implement its own user auth and provide a customizable client id 😅 well I am more a fan of delegating access tokens to az cli. But never hit into the limitation of the client id permissions before. That surprised me.
Community Note
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_group_role_management_policy
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
The azuread provider should run fine without a permission error.
Actual Behavior
Steps to Reproduce
terraform apply
Important Factoids
References
Maybe the following azure cli issues are helpful:
The text was updated successfully, but these errors were encountered: