azuread_group_role_management_policy throws 403 permission scope not granted error

[cveld]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

• azuread_group_role_management_policy

Terraform Configuration Files

resource "azuread_group_role_management_policy" "example" {
  group_id = data.azuread_group.example.id
  role_id  = "member"
}

# created by SpokeBaseline/eu-dev
data "azuread_group" "example" {
  display_name = "sg-somegroup"
}

Debug Output

Panic Output

Expected Behavior

The azuread provider should run fine without a permission error.

Actual Behavior

╷
│ Error: Could not parse policy assignment ID, Could not list existing policy assignments, RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
│
│   with azuread_group_role_management_policy.example,
│   on main.tf line 2, in resource "azuread_group_role_management_policy" "example":
│    2: resource "azuread_group_role_management_policy" "example" {
│
│ Could not parse policy assignment ID, Could not list existing policy assignments,
│ RoleManagementPolicyAssignmentClient.BaseClient.Get(): unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope
│ RoleManagementPolicy.Read.AzureADGroup,RoleManagementPolicy.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
╵

Steps to Reproduce

1. Running as user
2. User has global administrator role in Entra
3. terraform apply

Important Factoids

References

Maybe the following azure cli issues are helpful:

• Graph API consent issue Azure/azure-cli#26471
• [Feature Request] Support custom client ID Azure/azure-cli#22775
• PIM group roles listing error through REST API Azure/azure-cli#28854

[manicminer]

Hi @cveld, thanks for reporting this. As you have suggested, this does seem to be an issue with the delegated permissions obtained by Azure CLI. At this time there is little we can do about it, except suggest, as it has been in the linked issue, that you use application credentials to authenticate instead of a user account (and furthermore, our recommendation would be to use the provider's native support rather than using Azure CLI). I recognise this may be undesirable or infeasible due to organizational policies or other concerns, however we are unfortunately blocked on Azure CLI at this time.

[cveld]

@manicminer if user identity is not supported as this moment, can you can add that to the docs? the current version gave the impression to me that it should work:

When authenticated with a user principal, this resource requires Global Administrator directory role, or the Privileged Role Administrator role in Identity Governance.

[manicminer]

Yes, I'm hoping soon to audit the documented scopes for all resources and update accordingly.

[cveld]

Maybe azuread could implement its own user auth and provide a customizable client id 😅 well I am more a fan of delegating access tokens to az cli. But never hit into the limitation of the client id permissions before. That surprised me.