hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azuread_privileged_access_group_eligibility_schedule - permissions error despite Graph and Entra role applied to service principal #1386

Open danrvu opened 1 month ago

danrvu commented 1 month ago

Community Note

Terraform (and AzureAD Provider) Version

Affected Resource(s)

Terraform Configuration Files

```hcl
# local.group_eligible_membership is defined elsewhere in the reporter's configuration
# (not shown in the issue); each element carries a "group" and a "member" key that
# index into azuread_group.groups.
resource "azuread_privileged_access_group_eligibility_schedule" "example" {
  for_each        = local.group_eligible_membership
  group_id        = azuread_group.groups[each.value.group].id
  principal_id    = azuread_group.groups[each.value.member].id
  assignment_type = "member"
  duration        = "P30D"
}
```

Debug Output

```
╷
│ Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
│
│   with azuread_privileged_access_group_eligibility_schedule.example["xxxx"],
│   on roles.tf line 8, in resource "azuread_privileged_access_group_eligibility_schedule" "example":
│    8: resource "azuread_privileged_access_group_eligibility_schedule" "example" {
│
│ Could not create assignment schedule request,
│ PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
│ unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed
│ due to missing permission scope
│ PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
╵
```

Panic Output

Expected Behavior

Should have created the eligible assignment for the group

Actual Behavior

Failed with the above error

Steps to Reproduce

  1. terraform apply

Important Factoids

References

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_eligibility_schedule

tehho commented 3 weeks ago

This seems to be a "bug" in Azure CLI login where the Global Administrator role is not propagated when using the Microsoft Azure CLI enterprise application. The suggested solution is to log in using a service principal with the PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup capability enabled. We deploy using a pipeline with a service principal and this works for us.
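The 403 in the issue body names the Microsoft Graph permission that is missing (PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup), and the comment above recommends running the apply as a service principal that holds it. The block below is an added example, not code from the issue or from the provider's documentation: it grants that permission to the deployment service principal as a Graph application role using the azuread provider itself. The variable name deployer_client_id, the data source labels msgraph and deployer, and the local pim_group_roles are assumptions made for this example; the role value comes from the error message on the page.

```hcl
# Added example (not from the issue or the provider docs): grant the service principal
# that runs `terraform apply` the Microsoft Graph *application* role named in the
# PermissionScopeNotGranted error. A service principal authenticates on its own, so the
# directory roles (e.g. Global Administrator) of whoever ran `az login` do not apply;
# the Graph token must carry the role in its `roles` claim.

variable "deployer_client_id" {
  description = "Client (application) ID of the service principal that runs terraform apply (assumed name)"
  type        = string
}

# Well-known application IDs published by Microsoft; avoids hard-coding the Graph GUID.
data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant. Its app_role_ids map lets us look
# the role up by its string value instead of by GUID.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

data "azuread_service_principal" "deployer" {
  client_id = var.deployer_client_id
}

locals {
  # Only the role the 403 asked for. PrivilegedAccess.ReadWrite.AzureADGroup also
  # appears in the error but is broader (active and eligible assignments), so it is
  # deliberately not granted here; add it only if you also manage active assignments.
  pim_group_roles = [
    "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
  ]
}

# Creating the appRoleAssignment on the service principal is the admin consent for an
# application permission; no separate consent step is required.
resource "azuread_app_role_assignment" "deployer_pim_groups" {
  for_each            = toset(local.pim_group_roles)
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = data.azuread_service_principal.deployer.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

Two caveats a practitioner should keep in mind. First, this grant must be applied from an identity that is itself allowed to create app role assignments (a privileged administrator, or a principal holding AppRoleAssignment.ReadWrite.All together with Application.Read.All), not from the pipeline service principal being granted the role; the pipeline principal should hold only what it needs, and this role is powerful, since it lets its holder make any principal eligible for any PIM-managed group. Second, tokens already issued to the service principal do not pick up the new role until they expire or are re-acquired, so a cached Azure CLI or provider token will keep returning PermissionScopeNotGranted for a while after the assignment; re-authenticate before retrying the apply. The effective grant can be inspected with a Graph query such as `az rest --method GET --url "https://graph.microsoft.com/v1.0/servicePrincipals/<deployer-object-id>/appRoleAssignments"`, which should list an entry whose appRoleId matches the role above and whose resourceId is the Microsoft Graph service principal.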