Open danrvu opened 1 month ago
This seems to be a "bug" in Azure CLI login where the Global Administrator role is not propagated using the Microsoft Azure CLI enterprise application. The suggested solution is to log in using a service principal with the PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup capability enabled. We deploy using a pipeline with a service principal and this works for us.
Community Note
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_privileged_access_group_eligibility_schedule
The service principal has the roles stated in the error for Graph and also has the Privileged Role Administrator role.
Terraform Configuration Files
Debug Output
╷
│ Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
│
│   with azuread_privileged_access_group_eligibility_schedule.example["xxxx"],
│   on roles.tf line 8, in resource "azuread_privileged_access_group_eligibility_schedule" "example":
│    8: resource "azuread_privileged_access_group_eligibility_schedule" "example" {
│
│ Could not create assignment schedule request,
│ PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
│ unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed
│ due to missing permission scope
│ PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
╵
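As an added example (not code from this issue or from the azuread provider), a local pre-flight check that decodes the Microsoft Graph access token Terraform will present and compares its `scp` (delegated, user sign-in) and `roles` (application, service principal sign-in) claims against the scopes named in the 403 above. The sample tokens are constructed and unsigned; in practice the token would come from `az account get-access-token --resource-type ms-graph`.

```python
import base64
import json

# Graph permission scopes named in the 403 error above; the comment on this
# issue reports that a service principal holding the first one succeeds.
PIM_GROUP_SCOPES = {
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
    "PrivilegedAccess.ReadWrite.AzureADGroup",
    "PrivilegedEligibilitySchedule.Remove.AzureADGroup",
}


def _b64url(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_permissions(access_token: str) -> set[str]:
    """Graph permissions carried by an access token.

    Delegated permissions are the space-separated 'scp' claim; application
    permissions are the 'roles' list. The signature is deliberately not
    verified: this is a local diagnostic, never an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url(parts[1]))
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def missing_pim_scopes(access_token: str) -> set[str]:
    """Scopes from the error that the token does NOT carry."""
    return PIM_GROUP_SCOPES - token_permissions(access_token)


def can_write_group_eligibility(access_token: str) -> bool:
    """True when the token carries at least one of the PIM-for-groups scopes."""
    return bool(PIM_GROUP_SCOPES & token_permissions(access_token))


def unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none) for local testing."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.x"


# Constructed sample tokens, not real credentials.
CLI_TOKEN = unsigned_jwt({"scp": "User.Read Directory.Read.All"})
SP_TOKEN = unsigned_jwt({"roles": ["PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"]})
```

Running the check before `terraform apply` turns the opaque 403 into a concrete list of scopes that the signed-in identity lacks.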
Panic Output
Expected Behavior
Terraform should have created the eligible assignment for the group.
Actual Behavior
The apply failed with the error shown above.
Steps to Reproduce
terraform apply
Important Factoids
References
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_eligibility_schedule