### Describe the bug
New-MgBetaDomainFederationConfiguration returns 403 Insufficient Privileges in GCC High when using the documented minimum permissions (Domain Name Administrator role + Domain.ReadWrite.All scope). The operation only succeeds after elevating to Hybrid Identity Administrator + User Administrator + Domain Name Administrator roles AND connecting with Domain.ReadWrite.All, Directory.ReadWrite.All, User.ReadWrite.All, and Directory.AccessAsUser.All scopes. The API documentation does not reflect these additional requirements.
### Expected behavior
Per the API documentation (https://learn.microsoft.com/en-us/graph/api/domain-post-federationconfiguration), Domain Name Administrator role + Domain.ReadWrite.All scope should be sufficient. The additional roles and scopes required in GCC High are undocumented.
### How to reproduce
- Activate Domain Name Administrator via PIM (the docs state this is the least privileged role).
- Connect with `Connect-MgGraph -Scopes "Domain.ReadWrite.All" -Environment USGov`.
- Run:

```powershell
$kpoFed = Get-MgBetaDomainFederationConfiguration -DomainId "kpo.amazon"
New-MgBetaDomainFederationConfiguration -DomainId "leo.amazon" `
    -DisplayName $kpoFed.DisplayName `
    -IssuerUri $kpoFed.IssuerUri `
    -ActiveSignInUri $kpoFed.ActiveSignInUri `
    -PassiveSignInUri $kpoFed.PassiveSignInUri `
    -SignOutUri $kpoFed.SignOutUri `
    -PreferredAuthenticationProtocol $kpoFed.PreferredAuthenticationProtocol `
    -FederatedIdpMfaBehavior $kpoFed.FederatedIdpMfaBehavior `
    -IsSignedAuthenticationRequestRequired `
    -SigningCertificate $kpoFed.SigningCertificate `
    -NextSigningCertificate $kpoFed.NextSigningCertificate
```
### SDK Version
2.37.0
### Latest version known to work for scenario above?
N/A
### Known Workarounds
Only succeeded after elevating to all three roles:
- Hybrid Identity Administrator
- User Administrator
- Domain Name Administrator

AND connecting with expanded scopes:

```powershell
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.ReadWrite.All","User.ReadWrite.All","Directory.AccessAsUser.All" -Environment USGov
```
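Added example (not the reporter's code): a pre-flight check that the current Graph session actually carries the scopes the workaround above needed, followed by the same federation copy from the repro steps with the 403 reported together with the session context, so a failure can be tied to a missing scope instead of guessed at. It assumes a session already opened with `Connect-MgGraph ... -Environment USGov`; the domain names and scope list are the ones from this issue, and the helper names `Test-MgSessionScopes` and `Copy-MgBetaDomainFederation` are made up here. `Get-MgContext` only exposes delegated scopes, not activated PIM roles, so a clean scope check does not rule out a role gap.

```powershell
# Added example, not the issue reporter's code. Checks the delegated scopes on the
# current Connect-MgGraph session before calling New-MgBetaDomainFederationConfiguration,
# then runs the same copy as the repro and reports a 403 with the session context.
# Assumes a session opened with Connect-MgGraph ... -Environment USGov.

# Scopes the reporter needed in GCC High (the documented minimum is only the first one).
$RequiredScopes = @(
    'Domain.ReadWrite.All',
    'Directory.ReadWrite.All',
    'User.ReadWrite.All',
    'Directory.AccessAsUser.All'
)

function Test-MgSessionScopes {
    # Hypothetical helper: returns the session's environment, account, granted scopes
    # and which of the required scopes are missing. PIM role activation is not visible here.
    param([Parameter(Mandatory)][string[]]$Required)
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'No Microsoft Graph session. Run Connect-MgGraph first.' }
    $missing = @($Required | Where-Object { $ctx.Scopes -notcontains $_ })
    [pscustomobject]@{
        Environment = $ctx.Environment
        Account     = $ctx.Account
        Granted     = $ctx.Scopes
        Missing     = $missing
    }
}

function Copy-MgBetaDomainFederation {
    # Hypothetical helper: copies the federation configuration of $SourceDomain onto
    # $TargetDomain with the same parameters the issue's repro passes, via splatting.
    param(
        [Parameter(Mandatory)][string]$SourceDomain,
        [Parameter(Mandatory)][string]$TargetDomain
    )
    $src = Get-MgBetaDomainFederationConfiguration -DomainId $SourceDomain -ErrorAction Stop
    $params = @{
        DomainId                        = $TargetDomain
        DisplayName                     = $src.DisplayName
        IssuerUri                       = $src.IssuerUri
        ActiveSignInUri                 = $src.ActiveSignInUri
        PassiveSignInUri                = $src.PassiveSignInUri
        SignOutUri                      = $src.SignOutUri
        PreferredAuthenticationProtocol = $src.PreferredAuthenticationProtocol
        FederatedIdpMfaBehavior         = $src.FederatedIdpMfaBehavior
        # Mirrors the source value instead of always setting the switch (a choice made here, not in the issue).
        IsSignedAuthenticationRequestRequired = [bool]$src.IsSignedAuthenticationRequestRequired
        SigningCertificate              = $src.SigningCertificate
        NextSigningCertificate          = $src.NextSigningCertificate
    }
    New-MgBetaDomainFederationConfiguration @params -ErrorAction Stop
}

$check = Test-MgSessionScopes -Required $RequiredScopes
if ($check.Missing.Count -gt 0) {
    $reconnect = 'Connect-MgGraph -Scopes "{0}" -Environment USGov' -f ($RequiredScopes -join '","')
    Write-Warning ('Session for {0} in {1} is missing scopes: {2}. Reconnect with: {3}' -f `
        $check.Account, $check.Environment, ($check.Missing -join ', '), $reconnect)
    return
}

try {
    Copy-MgBetaDomainFederation -SourceDomain 'kpo.amazon' -TargetDomain 'leo.amazon'
}
catch {
    # The failure from the issue comes back as HTTP 403 with an "Insufficient privileges" message;
    # report it with the scopes that were actually granted so the role side can be examined next.
    if ($_.Exception.Message -match 'Insufficient privileges|403') {
        Write-Error ('Graph returned 403 in {0} although scopes [{1}] were granted; check the activated PIM roles (Domain Name Administrator alone was not enough for the reporter in GCC High).' -f `
            $check.Environment, ($check.Granted -join ', '))
    }
    else { throw }
}
```

Running this with only `Domain.ReadWrite.All` on the session stops at the warning and prints the exact reconnect command; with all four scopes granted but only Domain Name Administrator activated, the catch block reports the 403 next to the granted scopes, which is the evidence worth attaching to an issue like this one.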
### Debug output
<details>
<summary>Click to expand log</summary>

```
N/A
```

</details>
### Configuration
N/A
### Other information
N/A