microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Insufficient privileges to complete the operation #131

Closed slavizh closed 4 months ago

slavizh commented 6 months ago

Bicep version: Bicep CLI version 0.27.1 (4b41cb6d4b)

Resource and API version: Microsoft.Graph/applications@v1.0, Microsoft.Graph/servicePrincipals@v1.0, Microsoft.Graph/groups@v1.0

Auth flow: automated

Deployment details: Basically I get this error:

{
  "code": "InvalidTemplateDeployment",
  "message": "The template deployment 'memberId-6r7qavqqjkwe4-0' is not valid according to the validation procedure. The tracking id is 'a47fd54e-cf73-42db-8de4-5c0c273336c9'. See inner errors for details.",
  "details": [
    {
      "code": "Forbidden",
      "target": "/resources/memberApplication",
      "message": "Insufficient privileges to complete the operation. Graph client request id: 0b34cca9-a0e2-40c9-a671-1e0e0eb95295. Graph request timestamp: Fri, 31 May 2024 11:39:21 GMT."
    },
    {
      "code": "Forbidden",
      "target": "/resources/memberGroup",
      "message": "Insufficient privileges to complete the operation. Graph client request id: a8010f89-ef36-44a0-b1e7-0355c0fb4698. Graph request timestamp: Fri, 31 May 2024 11:39:21 GMT."
    }
  ]
}

when I try to deploy this template from another one:

provider microsoftGraph

param member object

var defaultMember = {
  subscriptionId: subscription().subscriptionId
  resourceGroup: ''
}

resource memberManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = if (member.type =~ 'ManagedIdentity') {
  name: member.name
  scope: resourceGroup(union(defaultMember, member).subscriptionId, union(defaultMember, member).resourceGroup)
}

resource memberApplication 'Microsoft.Graph/applications@v1.0' existing = if (member.type =~ 'Application') {
  uniqueName: member.name
}

resource memberServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' existing = if (member.type =~ 'Application') {
  appId: memberApplication.appId
}

resource memberServicePrincipalStandalone 'Microsoft.Graph/servicePrincipals@v1.0' existing = if (member.type =~ 'ServicePrincipal') {
  appId: member.appId
}

resource memberGroup 'Microsoft.Graph/groups@v1.0' existing = if (member.type =~ 'Group') {
  uniqueName: member.name
}

output principalId string = member.type =~ 'ManagedIdentity'
    ? memberManagedIdentity.properties.principalId
    : member.type =~ 'Application'
    ? memberServicePrincipal.id
    : member.type =~ 'ServicePrincipal'
    ? memberServicePrincipalStandalone.id
    : member.type =~ 'Group'
    ? memberGroup.id
    : member.type =~ 'PrincipalId'
    ? member.principalId
    : ''

I get the first error as it is related to another issue I have opened, but the other two are not very logical. Maybe this is some issue in error handling.

Describe the bug: described

To Reproduce: described

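The deployment error above is an ARM validation error wrapping one Graph `Forbidden` inner error per `existing` resource that could not be read. The script below is an added example, not code from this issue or from the msgraph-bicep-types project: it parses that error shape, pulls out the failing resource symbol, the Graph client request id and the request timestamp for each inner error (the values Microsoft support asks for), and compares the symbols against the Graph application permissions the deploying identity has been granted. The mapping from resource symbol to required read permission (`Application.Read.All`, `Group.Read.All`) is an assumption for illustration; the issue itself does not state which permissions the deployment identity needs. The sample error JSON is constructed from the text of the issue.

```python
import json
import re

# Constructed sample: the inner errors from the deployment failure quoted in this issue.
SAMPLE_ERROR = json.dumps({
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment 'memberId-6r7qavqqjkwe4-0' is not valid "
               "according to the validation procedure. See inner errors for details.",
    "details": [
        {
            "code": "Forbidden",
            "target": "/resources/memberApplication",
            "message": "Insufficient privileges to complete the operation. "
                       "Graph client request id: 0b34cca9-a0e2-40c9-a671-1e0e0eb95295. "
                       "Graph request timestamp: Fri, 31 May 2024 11:39:21 GMT.",
        },
        {
            "code": "Forbidden",
            "target": "/resources/memberGroup",
            "message": "Insufficient privileges to complete the operation. "
                       "Graph client request id: a8010f89-ef36-44a0-b1e7-0355c0fb4698. "
                       "Graph request timestamp: Fri, 31 May 2024 11:39:21 GMT.",
        },
    ],
})

# The Graph error message embeds a correlation id and a timestamp in fixed phrasing.
REQUEST_ID_RE = re.compile(r"Graph client request id: ([0-9a-f-]{36})")
TIMESTAMP_RE = re.compile(r"Graph request timestamp: (.+? GMT)")

# Assumption (not stated in the issue): the Graph application permission that lets the
# deploying identity read each `existing` Graph resource symbol in the template.
READ_PERMISSION_BY_SYMBOL = {
    "memberApplication": "Application.Read.All",
    "memberServicePrincipal": "Application.Read.All",
    "memberServicePrincipalStandalone": "Application.Read.All",
    "memberGroup": "Group.Read.All",
}


def forbidden_targets(error_json: str) -> dict:
    """Map each Forbidden inner error to its resource symbol, request id and timestamp.

    The target is of the form '/resources/<symbol>'; only the symbol is kept so it can
    be matched against the Bicep resource declarations.
    """
    err = json.loads(error_json)
    found = {}
    for detail in err.get("details", []):
        if detail.get("code") != "Forbidden":
            continue
        symbol = detail.get("target", "").rsplit("/", 1)[-1]
        msg = detail.get("message", "")
        rid = REQUEST_ID_RE.search(msg)
        ts = TIMESTAMP_RE.search(msg)
        found[symbol] = {
            "request_id": rid.group(1) if rid else None,
            "timestamp": ts.group(1) if ts else None,
        }
    return found


def missing_permissions(forbidden: dict, granted) -> set:
    """Return the read permissions (per the assumed mapping) that the identity lacks
    for the symbols that came back Forbidden. Symbols outside the mapping are ignored."""
    needed = {READ_PERMISSION_BY_SYMBOL[s] for s in forbidden if s in READ_PERMISSION_BY_SYMBOL}
    return needed - set(granted)


if __name__ == "__main__":
    failed = forbidden_targets(SAMPLE_ERROR)
    for symbol, info in failed.items():
        print(f"{symbol}: request id {info['request_id']} at {info['timestamp']}")
    # Constructed: pretend the deploying identity only holds Application.Read.All.
    print("missing:", sorted(missing_permissions(failed, {"Application.Read.All"})))
```

Run against a real failure by replacing `SAMPLE_ERROR` with the error object from the deployment output and `granted` with the app role values assigned to the deploying service principal; if `missing_permissions` is empty and the errors persist, the cause is not a missing grant and the request ids are what to quote when reporting it.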

slavizh commented 6 months ago

Maybe it is completely related to https://github.com/microsoftgraph/msgraph-bicep-types/issues/126 and does not require attention.

dkershaw10 commented 5 months ago

@jason-dou please investigate

jason-dou commented 5 months ago

@slavizh Looks like it's a permission issue with the application used to deploy the templates. Have you checked if the application was granted necessary permission to read the resources? And if the issue still exists after the permission is granted?

slavizh commented 5 months ago

@jason-dou yes. I think the issue is related to issue #126. Because of that issue, when you write the code in a certain way the graph is somehow producing an incorrect error. I guess it can be closed as #126 needs to be resolved.

jason-dou commented 5 months ago

@slavizh This could be a different issue than #126. Could you share what permissions are assigned to the application that deploys the template? Are they application permissions or Entra built-in permissions?

This could also be a transient issue with permission validation internally. Have you tried deploying the same template again, and do you still see the issue?

slavizh commented 5 months ago

@jason-dou I think it is not, as with the same application I was deploying the same groups. Due to issue 126 I tried to modify the code a little bit in order to see if I can come up with some workaround. That modification led to that issue. It is also not transient, as I have tried several times.

jason-dou commented 5 months ago

@slavizh We've found multiple issues here with this template deployment:

slavizh commented 5 months ago

@jason-dou thanks. I think I will wait for now as the first issue is the bigger blocker for me. I have ended up reaching the second issue by creating an undesired workaround for the first issue.

dkershaw10 commented 4 months ago

@slavizh are you OK closing this issue? We're tracking the first issue with a separate item, and we think we've fixed the 2nd authz issue.

slavizh commented 4 months ago

@dkershaw10 yes can be closed.