
Creation of group in administrative unit fails when running under service principal #1061

Open
adhodgson1 opened this issue Apr 5, 2023 · 4 comments · May be fixed by #1594

@adhodgson1

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.3.9
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v2.36.0

Affected Resource(s)

azuread_group

Terraform Configuration Files

resource "azuread_group" "group" {
  display_name = "test-group"
  prevent_duplicate_names = true
  security_enabled        = true
  administrative_unit_ids = ["<id>"]
}

Expected Behavior

Group is created within the relevant administrative unit

Actual Behavior

When I run this code as a service principal with the Groups Administrator role, I get an error:

Error: Creating group in administrative unit with ID "[...]", "test-group"

  with azuread_group.group,
  on aad_groups.tf line 1, in resource "azuread_group" "group":
   1: resource "azuread_group" "group" {

AdministrativeUnitsClient.BaseClient.Post(): unexpected status 403 with
OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

When I run using a user principal with the same permissions it works fine. Is it supported to run with an SPN using this configuration when the SPN only has privileges to create groups within the administrative unit?

@phantlantis

phantlantis commented May 2, 2023

Ran into this same issue today. I haven't been in a position to test this yet, but even with the Groups Administrator role assigned in the scope of an AU, the Service Principal may still need broader tenant level reading permissions than just whatever objects that it would be adding as members to the group (User, Application or Group, for instance). This section in their docs seems to imply that it may need something akin to the Directory Readers role. That could be a troubleshooting step to see if these issues resolve for anyone that is running into this.

@kboro

kboro commented Oct 27, 2023

In my case, setting up the following API permissions for the SPN fixed the issue:

[screenshot of the API permissions page; image not included in this extract]

plus assigning "Groups Administrator" RBAC role on AU level.

@ezwizzy007

Granting API permissions at the tenant level seems to defeat the purpose of limiting access to the Administrative Unit (AU).

@manicminer
Contributor

When creating groups in administrative units, it must be possible to read the administrative units - this can be granted through the AdministrativeUnits.Read.All or Directory.Read.All app roles. I've opened #1594 to document this.
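An added example (not from this issue or the provider's own docs) of the least-privilege setup the comment above describes: the Terraform SPN gets the narrower AdministrativeUnits.Read.All app role rather than Directory.Read.All, and Groups Administrator is assigned scoped to a single AU instead of tenant-wide. Resource and application names, the `<au-object-id>` placeholder and the 2.x-era `application_id` attribute are assumptions; the `directory_scope_id` path format follows Microsoft Graph's `/administrativeUnits/{id}` convention.

```hcl
# Added example: least-privilege SPN for creating groups inside one AU.
# Names and the AU ID are placeholders, not values from the issue.

data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant; exposes app role IDs by name
resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
  use_existing   = true
}

# The app registration Terraform authenticates as (hypothetical name)
resource "azuread_application" "terraform" {
  display_name = "terraform-au-groups"
}

resource "azuread_service_principal" "terraform" {
  application_id = azuread_application.terraform.application_id
}

# Read permission needed to resolve the AU: AdministrativeUnits.Read.All is
# sufficient, so Directory.Read.All (broader tenant read) is not granted.
resource "azuread_app_role_assignment" "read_aus" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["AdministrativeUnits.Read.All"]
  principal_object_id = azuread_service_principal.terraform.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id
}

# Groups Administrator activated and assigned only within the target AU,
# so the SPN cannot manage groups elsewhere in the tenant.
resource "azuread_directory_role" "groups_admin" {
  display_name = "Groups Administrator"
}

resource "azuread_directory_role_assignment" "groups_admin_in_au" {
  role_id             = azuread_directory_role.groups_admin.template_id
  principal_object_id = azuread_service_principal.terraform.object_id
  directory_scope_id  = "/administrativeUnits/<au-object-id>" # placeholder AU object ID
}
```

Applying the app role assignment is the Terraform equivalent of granting admin consent for that single Graph permission, so the SPN's effective access stays limited to reading AUs plus AU-scoped group management.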
