My service principal attempts to read a certain AD group using the following Terraform code:

```hcl
data "azuread_group" "hosting_ad_group" {
  name = local.hosting_ad_group_name
}
```
According to the documentation at https://www.terraform.io/docs/providers/azuread/d/group.html:
NOTE: If you're authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.
And indeed my SP has this permission:
Yet when I run `terraform apply` as this SP, I get the following:

```text
Error: Error finding Azure AD Group with display name "AdminRole-Product-DFDevelopmentOps": Error listing Azure AD Groups for filter "displayName eq 'AdminRole-Product-DFDevelopmentOps'": graphrbac.GroupsClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-02-09T13:59:32","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"b4f52aca-7306-4d12-95c9-cf922ae59483"}}]
```
What am I missing?
EDIT 1
This is how I set the API permissions from Terraform:

```hcl
resource "azuread_application" "app" {
  name = local.ctx.HostingAppName

  # AAD Graph API
  required_resource_access {
    resource_app_id = "00000002-0000-0000-c000-000000000000"

    # Sign in and read user profile
    resource_access {
      id   = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
      type = "Scope"
    }

    # Manage apps that this app creates or owns
    resource_access {
      id   = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
      type = "Role"
    }

    # Read directory data
    resource_access {
      id   = "5778995a-e1bf-45b8-affa-663a9f3f4d04"
      type = "Scope"
    }
  }
}
```
On 30 June 2022, we'll retire Azure AD Graph.
The Graph API of Azure AD provides a broad set of standard queries that can be used to retrieve metadata information about the tenant's directory and its data structure, but also about users, groups, and other common entities.
Go to portal.azure.com and sign in with your work or student account. In the left navigation pane in the Azure portal, click Azure Active Directory. The Azure Active Directory admin center is displayed.
Please note that Application permissions are different from Delegated permissions. If you are using a service principal to call the API, you should grant your application an Application permission.
Reference:
Types of permissions
Just add the API permission "Azure Active Directory Graph" from Azure Active Directory --> App Registrations --> (Service Principal) --> API Permissions --> Add Permissions:

- Application.ReadWrite.All
- Directory.ReadWrite.All
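Both answers come down to the same point: a service principal authenticating with its own credentials (client secret or certificate) only ever receives Application permissions, so the "Read directory data" entry declared with `type = "Scope"` in the question is a Delegated permission that never applies to it, and the 403 `Authorization_RequestDenied` follows. The block below is an added example, not code from the question or either answer. It takes the question's `required_resource_access` block and declares "Read directory data" as an Application permission (`type = "Role"`), keeping to the minimum the `azuread_group` data source needs rather than the `Directory.ReadWrite.All` / `Application.ReadWrite.All` pair the second answer suggests. It assumes the GUID `5778995a-e1bf-45b8-affa-663a9f3f4d04` from the question also identifies the Application permission of the same name on the Azure AD Graph service principal; confirm that against the `appRoles` of that service principal in your tenant before relying on it. `local.ctx.HostingAppName` is taken from the question.

```hcl
# Added example (not from the question or the answers): the question's
# required_resource_access block with "Read directory data" requested as an
# Application permission (type = "Role") instead of a Delegated one ("Scope").
resource "azuread_application" "app" {
  name = local.ctx.HostingAppName

  # Azure AD Graph API, the resource the azuread provider queried at the time
  # of the question (graphrbac.GroupsClient in the error message).
  required_resource_access {
    resource_app_id = "00000002-0000-0000-c000-000000000000"

    # Read directory data as an Application permission. This is enough for
    # data "azuread_group" to list and read groups.
    # Assumption: this GUID (copied from the question) also identifies the
    # Application permission; verify it against the Azure AD Graph service
    # principal's appRoles in your tenant.
    resource_access {
      id   = "5778995a-e1bf-45b8-affa-663a9f3f4d04"
      type = "Role"
    }

    # Manage apps that this app creates or owns, kept from the question. No
    # write permission on the directory is requested, because reading a group
    # does not need one.
    resource_access {
      id   = "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
      type = "Role"
    }
  }
}
```

Two things to check after `terraform apply`. First, `required_resource_access` only records which permissions the application requests; an Application permission is not effective until a tenant administrator grants admin consent for it (the "Grant admin consent" button on the app registration's API permissions page, or `az ad app permission admin-consent --id <application id>`), so the same 403 persists until that consent exists. Second, the Azure AD Graph retirement mentioned above means new configurations should request the equivalent Application permission on Microsoft Graph instead; the Role versus Scope distinction is identical there.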