After updating to provider 2.x and trying to create a group, I am getting the below error constantly.

```
GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.
```

I ended up stumbling across this forum entry:

https://discuss.hashicorp.com/t/insufficient-privileges-when-trying-to-create-azuread-group-azuread-2-0-1/28866

which pointed me to the below tables being out of date for the provider. I'm not sure if this is the only permission missing though.

If you try to create a group with `assignable_to_role = true` then the account you are using requires an additional permission (RoleManagement.ReadWrite.Directory).

Old table:

- data.azuread_service_principal
- data.azuread_groups
- data.azuread_users
- azuread_application_certificate
- azuread_application_password
- azuread_service_principal
- azuread_service_principal_certificate
- azuread_service_principal_password
- azuread_group_member

New table:

- data.azuread_service_principal
- data.azuread_groups
- data.azuread_users
- azuread_application_certificate
- azuread_application_password
- azuread_service_principal
- azuread_service_principal_certificate
- azuread_service_principal_password
- azuread_group_member
- RoleManagement.ReadWrite.Directory

---

Hi @TheBlackMini, thanks for reporting this documentation discrepancy. The permissions tables in the v2 upgrade guide, and in the guide on configuring a principal, are intentionally incomplete for brevity - there is a note beneath each table suggesting to consult the documentation page for the particular resource to get the latest permissions.

However, this permission is indeed missing from the azuread_group page, so we'll update this to note the RoleManagement.ReadWrite.Directory role is required when using the assignable_to_role property. Thanks!

---

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
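A minimal Terraform configuration that ties the two halves of this thread together (granting the deployment principal the Microsoft Graph application permissions it needs, then creating a role-assignable group with it), as an added example that is not part of this issue or of the provider's own documentation. It assumes provider 2.x, the display names `terraform-deployer` and `privileged-admins`, and that the identity running the bootstrap is itself allowed to grant admin consent; app role IDs are looked up by name from the Microsoft Graph service principal so no permission GUIDs are hard-coded.

```hcl
# Added example (not from the issue or the provider docs). Bootstraps a
# deployment principal with the Graph application permissions the v2 provider
# needs for role-assignable groups, then creates such a group.
# "terraform-deployer" and "privileged-admins" are assumed names.
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# Well-known application IDs (Microsoft Graph) and the Graph service
# principal, whose app_role_ids map lets us resolve permission names to IDs.
data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

# Application permissions the deployer needs: Group.ReadWrite.All for ordinary
# groups, plus RoleManagement.ReadWrite.Directory as soon as any group sets
# assignable_to_role = true (the permission missing from the upgrade table).
locals {
  graph_app_roles = [
    "Group.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
  ]
}

resource "azuread_application" "deployer" {
  display_name = "terraform-deployer" # assumed name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    dynamic "resource_access" {
      for_each = local.graph_app_roles
      content {
        id   = data.azuread_service_principal.msgraph.app_role_ids[resource_access.value]
        type = "Role" # application permission, not a delegated scope
      }
    }
  }
}

resource "azuread_service_principal" "deployer" {
  application_id = azuread_application.deployer.application_id
}

# Grant admin consent for each application permission on the Graph service
# principal. Requesting the permission on the app registration alone is not
# enough; without these assignments the 403 Authorization_RequestDenied
# from the issue still occurs.
resource "azuread_app_role_assignment" "deployer_graph" {
  for_each = toset(local.graph_app_roles)

  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = azuread_service_principal.deployer.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# The kind of group that triggered the error. In practice this would be
# managed by a separate provider configuration authenticating as the
# deployer principal created above.
resource "azuread_group" "privileged_admins" {
  display_name       = "privileged-admins" # assumed name
  security_enabled   = true
  assignable_to_role = true # immutable after creation; needs RoleManagement.ReadWrite.Directory
}
```

Role-assignable groups can be assigned directory roles, so creating one is a privileged operation and Graph gates it behind RoleManagement.ReadWrite.Directory rather than Group.ReadWrite.All. Because that permission also lets the principal change role assignments tenant-wide, keep the deployer that holds it separate from principals used for everyday group management, and treat its credentials accordingly.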