Removing group members using azuread_group_member throws an error although members are being removed

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.3.10 on windows_amd64

provider registry.terraform.io/hashicorp/azuread v2.47.0
provider registry.terraform.io/hashicorp/azurerm v3.98.0
provider registry.terraform.io/hashicorp/local v2.5.1

Affected Resource(s)

azuread_group_member

Terraform Configuration Files

resource "azurerm_resource_group" "resource_group" {
  name     = "test-managed-identity"
  location = "West Europe"
}

resource "azurerm_service_plan" "app_service_plan" {
  name                     = "test-managed-identity-asp"
  resource_group_name      = azurerm_resource_group.resource_group.name
  location                 = azurerm_resource_group.resource_group.location
  os_type                  = "Linux"
  sku_name                 = "B1"
  worker_count             = "1"
  per_site_scaling_enabled = false
}

resource "azurerm_linux_web_app" "linux_web_app" {
  name                = "test-managed-identity-webapp"
  resource_group_name = azurerm_resource_group.resource_group.name
  location            = azurerm_service_plan.app_service_plan.location
  service_plan_id     = azurerm_service_plan.app_service_plan.id
  https_only          = true

  identity { type = "SystemAssigned" }

  site_config {
    ftps_state          = "FtpsOnly"
    minimum_tls_version = "1.2"
  }
}

resource "azuread_group_member" "group_member" {
  group_object_id  = "some existing group object id where the service principal performing the operation is an owner"
  member_object_id = azurerm_linux_web_app.linux_web_app.identity.0.principal_id
}

Debug Output

Issue is easy to reproduce. Nothing interesting to see in the logs. I will only paste small output here...

azuread_group_member.group_member: Destroying... [id=/member/] ╷ │ Error: Waiting for removal of member "" from group with object ID "" │ │ retrieving resource: GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation. ╵ Error occurred while executing scripts! Press any key to continue . . .

Expected Behavior

When the "azuread_group_member" resource is being removed from the configuration the actual group member should be removed from the group without throwing any errors.

Actual Behavior

Terraform is throwing an error (see above) about "Insufficient privileges...". The group member is still being removed which indicates that the permissions are right but Terraform is somehow misbehaving.

Steps to Reproduce

Create a group where your service principal used for deployments is being an owner
Add Application.Read.All permissions to your service principal to be able to read managed identities from Entra ID
Copy the configuration above and adapt it to your setup (e.g. add group object id...)
Run terraform apply

Important Factoids

Please note that according to the Terraform docs no additional API permission should be required for using "azuread_group_member" if the service principal used for deployment is being an owner of the group in question (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member#api-permissions). This is at least not correct if the members that should be added to the group are managed identities. In this case "Application.Read.All" API permission is required.

References

Similar issue but with adding group members. Perhaps "Application.Read.All" API permission is missing here... https://github.com/hashicorp/terraform-provider-azuread/issues/1202https://github.com/hashicorp/terraform-provider-azuread/issues/1202

0000

hashicorp / terraform-provider-azuread