Stack fails with microsoftGraph provider

[antsok]

Describe the bug Deploying a stack at the subscription level with microsoftGraph provider in bicep fails with error Insufficient privileges to complete the operation. Graph client request id: b63ad977-1969-4207-ba5b-74353803edb5. Graph request timestamp: 2024-06-17T22:39:56Z. (Code: Forbidden)

To Reproduce Steps to reproduce the behavior:

• Ensure identity can create security groups.
• Start deployment with az stack sub create --deny-settings-mode None --action-on-unmanage deleteAll --yes --name 'graph01' --location 'swedencentral' --template-file .\main.bicep --parameters entraGroupName='testGroup2' resourceGroupName='exp02-graph-rg'

Expected behavior Deployment succedes.

Screenshots

Repro Environment Host OS: Windows 11 Powershell Version: 7.4.2

Server Debugging Information Correlation ID: 3d7952c0-c5e5-453c-ade2-69bc6c140322 Tenant ID: 74b5511e-1df2-48b9-a2df-a3b95c48c680 Timestamp of issue (please include time zone): 2024-06-17T22:39:56Z Data Center (eg, West Central US, West Europe): swedencentral

Additional context Trying in 'eastus' region gives the same problem. Deploying with 'az deployment ...' succedes. Example comand az deployment sub create --name 'graph04' --location 'swedencentral' --template-file main.bicep --parameters entraGroupName='testGroup4' resourceGroupName='exp04-graph-rg'

main.bicep

targetScope = 'subscription'

param location string = deployment().location

param resourceGroupName string

param entraGroupName string

resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: resourceGroupName
  location: location
}

module uami 'br/public:avm/res/managed-identity/user-assigned-identity:0.2.1' ={
  scope: resourceGroup
  name: '${deployment().name}-${resourceGroupName}'
  params: {
    name: uniqueString(resourceGroup.name)
  }
}

provider microsoftGraph

resource exampleGroup 'Microsoft.Graph/groups@v1.0' = {
  displayName: entraGroupName
  mailEnabled: false
  mailNickname: entraGroupName
  securityEnabled: true
  uniqueName: entraGroupName
  owners:[
    uami.outputs.principalId
  ]
}

[slavizh]

Stacks are not supported by Microsoft Graph. This is listed as one of the known issues in official docs.

[antsok]

@slavizh I searched the deployment stacks docs before posting it, but the limitation is not listed there https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell#known-limitations

But I now see that you are right - official docs of graph extension list it https://learn.microsoft.com/en-us/graph/templates/known-issues-graph-bicep#deployment-error-this-application-0-isnt-authorized-to-call-microsoft-graph-using-a-bicep-template

Maybe adding one line into deployment stacks docs would help people like me.

[slavizh]

@antsok you should be looking at the Graph for Bicep documentation: https://learn.microsoft.com/en-us/graph/templates/known-issues-graph-bicep#other-unsupported-deployment-features.

[slavizh]

@antsok I am also not Microsoft employee and not responsible for Microsoft Learn docs. Additionally any Graph for Bicep issues should be logged here: https://github.com/microsoftgraph/msgraph-bicep-types/issues

[antsok]

@antsok I am also not Microsoft employee and not responsible for Microsoft Learn docs. Additionally any Graph for Bicep issues should be logged here: https://github.com/microsoftgraph/msgraph-bicep-types/issues

Hi there,

I appreciate your comments, but my proposal for docs clarification was to repo owners ;)

[azcloudfarmer]

Hi @antsok and @slavizh - this is being added to our known issues in our public docs. Update in progress

[mumian]

@azcloudfarmer - the article has been updated. You can close this issue.