azure-active-directoryterraformterraform-provider-azureazure-service-principal
Terraform Error: Adding Group Member to the Group
We have a Terraform script that creates a new azuread_service_principal and adds it to the existing group.
resource "azuread_application" "workspace_manager" {
display_name = var.workspace_manager_appregistration_name
sign_in_audience = "AzureADMyOrg"
owners = [
data.azurerm_client_config.this.object_id,
var.master_account_id
]
}
resource "azuread_service_principal" "workspace_manager" {
application_id = azuread_application.workspace_manager.application_id
app_role_assignment_required = false
owners = [
data.azurerm_client_config.this.object_id,
var.master_account_id
]
}
resource "azuread_group_member" "workspace_manager" { \\ the error occurs here
group_object_id = var.security_group_id \\ existing azure ad group id
member_object_id = azuread_service_principal.workspace_manager.object_id \\ created one
}
This script throws the following error:
╷
│ Error: Adding group member "xxx-xxx-xxx" to group "xxx-xxx-xxx"
│
│ with module.pbi.azuread_group_member.workspace_manager,
│ on pbi\main.tf line 52, in resource "azuread_group_member" "workspace_manager":
│ 52: resource "azuread_group_member" "workspace_manager" {
│
│ GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
╵
Referring to the documentation article, added Group.ReadWrite.All (application) permission to the Service Principal that runs the script.
Terraform docs article: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member
Why can I get this error and what are the solutions? What can I try to do?
Solution
In addition to addingthe "Group.ReadWrite.All" application permission to the service principal, also add "Directory.AccessAsUser.All" app permission for service principal to access the directory as a user for adding a member to a group.
Note: After adding permissions note that the admin consent need to be granted for the app by the admin .
Please check the below code . Or you should have owner role to the group and application .
Code:
resource "azuread_application" "workspace_manager" {
display_name = "wrkmanapp"
sign_in_audience = "AzureADMyOrg"
owners = [
data.azurerm_client_config.current.object_id,
]
}
resource "azuread_service_principal" "workspace_manager" {
application_id = azuread_application.workspace_manager.application_id
app_role_assignment_required = false
owners = [
data.azurerm_client_config.current.object_id
]
}
data "azuread_user" "example" {
//display_name = "userone"
// owners = [data.azuread_client_config.current.object_id]
// password = "notSecure123"
user_principal_name = "[email protected]"
}
data "azuread_group" "example" {
display_name = "kavyaMyGroup"
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
members = [
data.azuread_user.example.object_id
# more users
]
}
resource "azuread_group_member" "workspace_manager" {
group_object_id = azuread_group.example.object_id
// group_object_id = "5xxxf318"
member_object_id = azuread_service_principal.workspace_manager.object_id
}
Could add the serviceprincipal to the existing group successfully.
Reference: azuread_group_member | Resources | hashicorp/azuread | Terraform Registry
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- Azure Storage accounts container public access level has dissabled
- How to get "exp" from jwt token and compare with it current time to check if token is expired
- How to refresh client assertion in ConfidentialClientApplication?
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- How to extract TLS 1.X of all app services/web app running Azure
- Why Can't I See Roles Assigned to an App Registration in Azure?
- Connect C# ASP.NET Core web app to Microsoft Graph calendar
- Is there a way to find out all users of a particular group in AzureAD?
- MSAL Redirect on Failure AADSTS50105
- Microsoft Power BI REST API PowerBINotAuthorizedException
- AzureAD SAML SSO through AWS Cognito - doesn't match requested authentication method
- How to get username after logged in?.I am trying with MSAL (@azure/msal-angular) for Azure Signin
- Display all the user's files using Microsoft Graph API not working
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- How to call Microsoft Graph API from ASP.NET Core Web API that is called by SPA
- add-kdsrootkey error the request is not supported
- AADSTS50011: The redirect URI http does not match the redirect URIs
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- Getting user data through an Azure AD OAuth login - React Native Expo App
- HTTP request to update Service Principal Entra
- on-behalf-of flow, getting error AADSTS50013 while acquiring obo token
- Azure AD B2C Password Reset
- ASP.NET Core 5 WebAPI - Azure AD - Call Graph API Using Azure Ad Access Token
- Programmatically Assign Exchange Roles to a Group in Azure AD using Microsoft Graph API
- "AADSTS900144: The request body must contain the following parameter: 'grant_type'.?
- Signature validation of my Azure access-token, Private-key?
- Entra ID OIDC Failed Auth Attempt Logs