
What does the error "GroupsClient.BaseClient.Post() An invalid operation was included in the following modified references: 'members'" mean?


I am trying to add an existing Azure Registered Application to an existing Azure Active Directory Group via Terraform. I used the following sequence to complete the task:

// References the existing AAD group
data "azuread_group" "existing_aad_group" {
  display_name     = "<display name of the aad group>"
  security_enabled = true
}

// References the existing registered application
data "azuread_application" "existing_registered_application" {
  display_name = "<display name of the registered application>"
}

// --> Adds the application as a member of the AAD group.
resource "azuread_group_member" "registered_app_member" {
  group_object_id  = data.azuread_group.existing_aad_group.object_id
  member_object_id = data.azuread_application.existing_registered_application.object_id
}

The above code fails with the following error:

╷
│ Error: Adding group member "ceb93cb8XXXXX" to group "2f16446cXXXX"
│ 
│   with module.service.azuread_group_member.function_app,
│   on ../../resources/aad_group.tf line 6, in resource "azuread_group_member" "function_app":
│    6: resource "azuread_group_member" "function_app" {
│ 
│ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error:
│ Request_BadRequest: An invalid operation was included in the following
│ modified references: 'members'.
╵

Question

What does this error mean and how can I fix it?


Solution

  • I tried to reproduce the same in my environment:

    Code used:

    resource "azuread_group" "example" {
      display_name     = "kavyaMyGroup"
      owners           = [data.azuread_client_config.current.object_id]
      security_enabled = true

      members = [
        azuread_user.example.object_id,
        # more users
      ]
    }

    resource "azuread_group_member" "registered_app_member" {
      group_object_id  = azuread_group.example.object_id
      member_object_id = azuread_application.example.object_id
    }
    
    resource "azuread_application" "example" {
      display_name     = "example"
      owners           = [data.azuread_client_config.current.object_id]
      sign_in_audience = "AzureADMultipleOrgs"
    
    
      required_resource_access {
        resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
    
        resource_access {
          id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
          type = "Role"
        }
    
        resource_access {
          id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
          type = "Scope"
        }
      }
    
      web {
        homepage_url  = "https://app.example.net"
        logout_url    = "https://app.example.net/logout"
        redirect_uris = ["https://app.example.net/account"]
    
        implicit_grant {
          access_token_issuance_enabled = true
          id_token_issuance_enabled     = true
        }
      }
    }
    

    Received the same error:

    azuread_group_member.registered_app_member: Creating...
    │ Error: Adding group member "xxx" to group "xxxx"
    │
    │   with azuread_group_member.registered_app_member,
    │   on main.tf line 84, in resource "azuread_group_member" "registered_app_member":
    │   84: resource "azuread_group_member" "registered_app_member" {
    │
    │ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error:
    │ Request_BadRequest: An invalid operation was included in the following
    │ modified references: 'members'.


    As it could not add the application directly, I tried creating a service principal for the existing application and then assigned that to the group using its object ID:

    Code:

    resource "azuread_application" "example" {
      display_name     = "example"
      owners           = [data.azuread_client_config.current.object_id]
      sign_in_audience = "AzureADMultipleOrgs"
    
      required_resource_access {
        resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
    
        resource_access {
          id   = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
          type = "Role"
        }
    
        resource_access {
          id   = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
          type = "Scope"
        }
      }
    
      web {
        homepage_url  = "https://app.example.net"
        logout_url    = "https://app.example.net/logout"
        redirect_uris = ["https://app.example.net/account"]
    
        implicit_grant {
          access_token_issuance_enabled = true
          id_token_issuance_enabled     = true
        }
      }
    }
    
    
    # The service principal (enterprise app) is the tenant-local identity that
    # can be a group member; the application object itself cannot.
    resource "azuread_service_principal" "example" {
      application_id               = azuread_application.example.application_id
      app_role_assignment_required = false
      owners                       = [data.azuread_client_config.current.object_id]
    }

    # The block below adds the enterprise app to the required group
    # (azuread_group.example is the group defined in the first attempt above).
    resource "azuread_group_member" "registered_app_member" {
      group_object_id  = azuread_group.example.object_id
      member_object_id = azuread_service_principal.example.object_id
    }
    

    The Terraform code runs successfully with terraform apply.


    The app can be seen added to the group in the form of an enterprise app, as we are using the service principal of the app.



    Reference: azuread_service_principal | Resources | hashicorp/azuread | Terraform Registry
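Added example (not part of the original question or answer): the answer above creates a brand-new application, but the question was about an existing registration. The same fix applies by looking up the existing app's service principal with a data source and making that the group member. Microsoft Graph accepts service principals (along with users, groups, devices and org contacts) as group members but not application objects, which is what the "modified references: 'members'" error is reporting. This assumes azuread provider 2.x attribute names (`application_id`); display names are placeholders.

```hcl
# Added example, not from the original post. Assumes azuread provider 2.x.
# Existing group (same data source as in the question).
data "azuread_group" "existing_aad_group" {
  display_name     = "<display name of the aad group>"
  security_enabled = true
}

# Existing app registration (the application object).
data "azuread_application" "existing_registered_application" {
  display_name = "<display name of the registered application>"
}

# The service principal backing that registration in this tenant. This is the
# directory object Graph allows as a group member; the application object
# above is not, hence the 400 on the 'members' reference.
data "azuread_service_principal" "existing_sp" {
  application_id = data.azuread_application.existing_registered_application.application_id
}

# Add the service principal (what the portal shows as an enterprise app) to the group.
resource "azuread_group_member" "registered_app_member" {
  group_object_id  = data.azuread_group.existing_aad_group.object_id
  member_object_id = data.azuread_service_principal.existing_sp.object_id
}
```

If the registration has no service principal yet in the tenant, the data source will fail to find one; create it with an `azuread_service_principal` resource as the answer does, and reference that resource's `object_id` instead.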