azure-active-directoryterraformterraform-provider-azureazure-service-principal
Terraform Error: Adding Group Member to the Group
We have a Terraform script that creates a new azuread_service_principal and adds it to the existing group.
resource "azuread_application" "workspace_manager" {
display_name = var.workspace_manager_appregistration_name
sign_in_audience = "AzureADMyOrg"
owners = [
data.azurerm_client_config.this.object_id,
var.master_account_id
]
}
resource "azuread_service_principal" "workspace_manager" {
application_id = azuread_application.workspace_manager.application_id
app_role_assignment_required = false
owners = [
data.azurerm_client_config.this.object_id,
var.master_account_id
]
}
resource "azuread_group_member" "workspace_manager" { \\ the error occurs here
group_object_id = var.security_group_id \\ existing azure ad group id
member_object_id = azuread_service_principal.workspace_manager.object_id \\ created one
}
This script throws the following error:
╷
│ Error: Adding group member "xxx-xxx-xxx" to group "xxx-xxx-xxx"
│
│ with module.pbi.azuread_group_member.workspace_manager,
│ on pbi\main.tf line 52, in resource "azuread_group_member" "workspace_manager":
│ 52: resource "azuread_group_member" "workspace_manager" {
│
│ GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
╵
Referring to the documentation article, added Group.ReadWrite.All (application) permission to the Service Principal that runs the script.
Terraform docs article: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member
Why can I get this error and what are the solutions? What can I try to do?
Solution
In addition to addingthe "Group.ReadWrite.All" application permission to the service principal, also add "Directory.AccessAsUser.All" app permission for service principal to access the directory as a user for adding a member to a group.
Note: After adding permissions note that the admin consent need to be granted for the app by the admin .
Please check the below code . Or you should have owner role to the group and application .
Code:
resource "azuread_application" "workspace_manager" {
display_name = "wrkmanapp"
sign_in_audience = "AzureADMyOrg"
owners = [
data.azurerm_client_config.current.object_id,
]
}
resource "azuread_service_principal" "workspace_manager" {
application_id = azuread_application.workspace_manager.application_id
app_role_assignment_required = false
owners = [
data.azurerm_client_config.current.object_id
]
}
data "azuread_user" "example" {
//display_name = "userone"
// owners = [data.azuread_client_config.current.object_id]
// password = "notSecure123"
user_principal_name = "[email protected]"
}
data "azuread_group" "example" {
display_name = "kavyaMyGroup"
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
members = [
data.azuread_user.example.object_id
# more users
]
}
resource "azuread_group_member" "workspace_manager" {
group_object_id = azuread_group.example.object_id
// group_object_id = "5xxxf318"
member_object_id = azuread_service_principal.workspace_manager.object_id
}
Could add the serviceprincipal to the existing group successfully.
Reference: azuread_group_member | Resources | hashicorp/azuread | Terraform Registry
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C