hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

403 The caller is not authorized with azuread provider and identitygovernance resource using az cli auth #1069

Open benjy44 opened 1 year ago

benjy44 commented 1 year ago

Terraform (and AzureAD Provider) Version

Affected Resource(s)

Terraform Configuration Files

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.37.0"
    }
  }
}

data "azuread_access_package_catalog" "example" {
  object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Debug Output

https://gist.github.com/benjy44/987488983fe02474bbff870a690537d7

Expected Behavior

No error

Actual Behavior

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Error listing access package catalog with filter displayName eq 'My AP'
│ 
│   with data.azuread_access_package_catalog.example,
│   on test.tf line 10, in data "azuread_access_package_catalog" "example":
│   10: data "azuread_access_package_catalog" "example" {
│ 
│ AccessPackageCatalogClient.BaseClient.Get(): unexpected status 403 with OData error: UnAuthorized: User is not authorized to perform the operation. Reason: The caller is not authorized.
╵

Steps to Reproduce

  1. terraform apply

Important Factoids

I can see in the debug logs the URL that is not authorized: https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Now if I try to access this URL with az I get the same error:

$ az rest --url https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Forbidden({"error":{"code":"UnAuthorized","message":"User is not authorized to perform the operation. Reason: The caller is not authorized.","innerError":{"date":"2023-04-15T11:14:31","request-id":"51b41bb8-b37d-4dc3-a37c-df826c7d863a","client-request-id":"51b41bb8-b37d-4dc3-a37c-df826c7d863a"}}})

If I inspect my JWT token from az account get-access-token --scope https://graph.microsoft.com/.default I do see that the scopes are limited:

"scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All"

I can add that using a token obtained from Graph Explorer, I can curl the same Graph endpoint without issue; using the token from az cli I cannot curl it and get a 403. The only difference between the tokens is the scope, which contains EntitlementManagement.Read.All for example in the Graph Explorer token.

I expect Directory.AccessAsUser.All to allow identity governance resources; however, I cannot find any doc from Microsoft that would confirm this or not.

Am I correct to assume that terraform cannot work with az cli auth for identitygovernance resources due to the limited scopes in the token? If so it would be nice to update the doc.

Or am I missing something else? Can anyone confirm that these identity governance resources work with az cli login as user?
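
The check described in this post (decode the token from az account get-access-token and look at its scp claim) as a small preflight script. This is an added example, not code from the reporter or the provider; it decodes the JWT payload only, without verifying the signature, and it also handles app-only tokens (client credentials flow), which carry app roles in a roles claim instead of scp. The token embedded below is a constructed fixture that reuses the scp value quoted above.

```python
import base64
import json

# Delegated scopes / app roles that unblock the identityGovernance calls in
# this thread (the az cli token above carried neither). Assumption: either is enough.
ENTITLEMENT_SCOPES = {
    "EntitlementManagement.Read.All",
    "EntitlementManagement.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Inspection only: the signature is NOT verified, so never use this to trust a token.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: dict) -> set:
    # Delegated (user) tokens: space-separated scopes in "scp".
    # App-only tokens (client credentials): list of app roles in "roles".
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def entitlement_check(token: str) -> dict:
    perms = granted_permissions(jwt_claims(token))
    present = perms & ENTITLEMENT_SCOPES
    return {"ok": bool(present), "present": sorted(present), "granted": sorted(perms)}


def make_fixture_token(claims: dict) -> str:
    # Constructed, unsigned test token (placeholder signature); offline demo only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# The scp claim reported in the issue, wrapped in a constructed token.
AZ_CLI_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All",
}

if __name__ == "__main__":
    result = entitlement_check(make_fixture_token(AZ_CLI_CLAIMS))
    print("entitlement permission present:", result["ok"], result["present"])
```

On a real token, pass the output of az account get-access-token --scope https://graph.microsoft.com/.default --query accessToken -o tsv to entitlement_check before running terraform, so a missing scope is caught locally instead of as a 403 from Graph.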

manicminer commented 1 year ago

@benjy44 Thanks for reporting this issue. I am able to reproduce and, despite holding the Global Admin role, I received the same error message. This happened on both the v1.0 and beta APIs, although the provider is using the v1.0 API for this particular data source.

Unfortunately this is either an API bug, or a documentation bug, on the part of Microsoft Graph. I have reported this upstream at https://github.com/microsoftgraph/msgraph-metadata/issues/327 and would recommend opening an Azure support ticket or contacting your account manager to raise this bug.

Since this is apparently an API bug, or possibly a documentation bug (although I repro'd this whilst having Global Administrator, so I'm more inclined to suspect the former), there is unfortunately nothing we can do to mitigate or resolve this problem. It's worth noting that this doesn't happen when I authenticate with an access token for an application obtained by client credentials flow, so this might be a viable workaround, if this is an option for you.

benjy44 commented 1 year ago

Thanks for the quick reply @manicminer, we'll raise the issue with our account manager and use a service principal in the meantime.

cedrox commented 1 year ago

Hello, I use an SP with the Identity Governance Administrator role (I also tried with the Global Admin role) and it's not working on my side anymore. I have reported it here and today I also have an error like this:

│ Error: Waiting for deletion of access package assignment policy with object ID "GUID"
│ 
│ retrieving resource: AccessPackageAssignmentPolicyClient.BaseClient.Get():
│ unexpected status 403 with OData error: UnAuthorized: User is not
│ authorized to perform the operation. Reason: Unauthorized

Thanks @benjy44 for reporting it and @manicminer for pointing us to the Graph API bug. I will also open a support ticket. Thanks

cedrox commented 1 year ago

To work properly on Entitlement Management, the Azure AAD terraform provider SPN needs to have 2 permissions:

It's a requirement and it should be added to the documentation.

Thanks a lot to Microsoft support for helping me on this case.

kbcz1989 commented 1 year ago

We are using the following permissions: (image)

The-Heyman commented 2 months ago

I think I got the solution here:

I got the error AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 67365321-86e3-456a-8125-a58b2bb02400 Correlation ID: d3b0db94-356a-4062-89a5-afac0e36d766 Timestamp: 2024-07-31 10:41:52Z. (https://login.microsoftonline.com/error?code=65002) when running

az login --scope https://graph.microsoft.com/EntitlementManagement.ReadWrite.All

So the missing piece is that a Global Admin needs to run this command and grant admin consent so that az cli can use that permission for the tenant.