
azuread_group API permission issue in documentation #657

Closed
TheBlackMini opened this issue Nov 3, 2021 · 2 comments · Fixed by #658

Comments

@TheBlackMini

After updating to provider 2.x and trying to create a group, I am constantly getting the below error.

GroupsClient.BaseClient.Post(): unexpected status 403 with OData error:
Authorization_RequestDenied: Insufficient privileges to complete the
operation.

I ended up stumbling across this forum entry.

https://discuss.hashicorp.com/t/insufficient-privileges-when-trying-to-create-azuread-group-azuread-2-0-1/28866

Which pointed me to the below tables being out of date for the provider. I'm not sure if this is the only permission missing though.

https://github.com/hashicorp/terraform-provider-azuread/blob/main/docs/guides/service_principal_configuration.md
https://github.com/hashicorp/terraform-provider-azuread/blob/main/docs/guides/microsoft-graph.md

If you try to create a group with assignable_to_role = true then the account you are using requires an additional permission (RoleManagement.ReadWrite.Directory).

Old Table

| Resource(s) | Role Name(s) |
|---|---|
| data.azuread_application, data.azuread_service_principal | Application.Read.All |
| data.azuread_domains | Domain.Read.All |
| data.azuread_group, data.azuread_groups | Group.Read.All |
| data.azuread_user, data.azuread_users | User.Read.All |
| azuread_application, azuread_application_certificate, azuread_application_password, azuread_service_principal, azuread_service_principal_certificate, azuread_service_principal_password | Application.ReadWrite.All |
| azuread_group, azuread_group_member | Group.ReadWrite.All |
| azuread_user | User.ReadWrite.All |

New Table

| Resource(s) | Role Name(s) |
|---|---|
| data.azuread_application, data.azuread_service_principal | Application.Read.All |
| data.azuread_domains | Domain.Read.All |
| data.azuread_group, data.azuread_groups | Group.Read.All |
| data.azuread_user, data.azuread_users | User.Read.All |
| azuread_application, azuread_application_certificate, azuread_application_password, azuread_service_principal, azuread_service_principal_certificate, azuread_service_principal_password | Application.ReadWrite.All |
| azuread_group, azuread_group_member | Group.ReadWrite.All, RoleManagement.ReadWrite.Directory |
| azuread_user | User.ReadWrite.All |

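The configuration below is an added example, not code from the issue or from the provider's own documentation. It shows the two pieces that the report describes: an `azuread_group` with `assignable_to_role = true`, and the application registration for the principal Terraform authenticates as, declaring both `Group.ReadWrite.All` and `RoleManagement.ReadWrite.Directory` as application permissions. It assumes azuread provider 2.x and uses the provider's published-app-ID and `app_role_ids` lookups so that no Microsoft Graph GUIDs are hard-coded; the application and group names are made up for illustration.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azuread" {}

# Well-known application IDs published by Microsoft; used to find the
# Microsoft Graph service principal without hard-coding its GUIDs.
data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

# Hypothetical registration for the automation principal that Terraform
# itself runs as. Group.ReadWrite.All alone is enough for ordinary groups;
# creating a role-assignable group additionally needs
# RoleManagement.ReadWrite.Directory, otherwise Graph answers with the
# 403 Authorization_RequestDenied quoted in the issue.
resource "azuread_application" "terraform_automation" {
  display_name = "terraform-automation" # assumed name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
      type = "Role" # application permission, not delegated
    }

    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["RoleManagement.ReadWrite.Directory"]
      type = "Role"
    }
  }
}

# The group whose creation fails without the extra permission. Because
# directory roles can later be assigned to a role-assignable group, Graph
# treats creating one as a role-management operation.
resource "azuread_group" "privileged_operators" {
  display_name       = "privileged-operators" # assumed name
  security_enabled   = true
  assignable_to_role = true
}
```

Declaring the permissions in `required_resource_access` only records them on the application; a tenant administrator still has to grant admin consent before tokens issued to the principal carry the two roles, and `terraform apply` will keep returning the 403 until that is done. Since `RoleManagement.ReadWrite.Directory` lets its holder manage directory role assignments, it is worth granting it only to the dedicated principal that creates role-assignable groups rather than to a general-purpose automation identity.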
@manicminer
Member

manicminer commented Nov 8, 2021

Hi @TheBlackMini, thanks for reporting this documentation discrepancy. The permissions tables in the v2 upgrade guide, and in the guide on configuring a principal, are intentionally incomplete for brevity - there is a note beneath each table suggesting to consult the documentation page for the particular resource to get the latest permissions.

However, this permission is indeed missing from the azuread_group page, so we'll update this to note the RoleManagement.ReadWrite.Directory role is required when using the assignable_to_role property. Thanks!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 12, 2021