From 0a52bb62c2568a9fe8d9524562590f6e35db777e Mon Sep 17 00:00:00 2001 From: Tom Bamford Date: Tue, 17 Dec 2024 09:51:26 +0000 Subject: [PATCH] azuread_group: document all application permissions needed when creating groups inside administrative units --- docs/resources/group.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/resources/group.md b/docs/resources/group.md index af06539ff..ba223ae86 100644 --- a/docs/resources/group.md +++ b/docs/resources/group.md @@ -20,7 +20,7 @@ If specifying owners for a group, which are user principals, this resource addit When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator` -When creating this resource in administrative units exclusively, the role `Groups Administrator` is required to be scoped on any administrative unit used. +When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles. The `external_senders_allowed`, `auto_subscribe_new_members`, `hide_from_address_lists` and `hide_from_outlook_clients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
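Review bot: The new sentence in the hunk describes `AdministrativeUnit.Read.All` and `Directory.Read.All` as "application roles", yet it is appended to the paragraph that opens "When authenticated with a user principal", so a reader cannot tell whether the read requirement applies when authenticating as a user, as a service principal, or both; consider stating the principal type explicitly, for example "When authenticating as a service principal, the application must additionally be able to read the administrative units in use, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application permission", and use "application permissions" consistently with the commit subject rather than "application roles". The passive "it must be possible to read the administrative units being used" should name who needs the read access, and since two permissions of different breadth are offered, it would help to say which one is the minimal grant so readers do not default to the broader one.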