microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Insufficient privileges to complete the operation - groups with isAssignableToRole set to True #140

Open Ellestad1995 opened 2 months ago

Ellestad1995 commented 2 months ago

Bicep version Run bicep --version via the Bicep CLI, az bicep version via the AZ CLI

PS: ~:bicep --version
Bicep CLI version 0.28.1 (ba1e9f8c1e)

PS: ~:az bicep version  
Bicep CLI version 0.28.1 (ba1e9f8c1e)

Resource and API version Which Microsoft.Graph resource and API version has the issue?

Microsoft.Graph/groups@v1.0

Auth flow Is the deployment interactive (e.g. with a signed in user) or automated (e.g. with an application)?

Both - ServicePrincipal and Signed in user

Deployment details If it's related to deployment failures, please provide the deployment correlation id, Microsoft Graph client request id, and deployment timestamp if applicable.

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/subscriptions/xxxx-xxxxx-xxxxx-xxxxx/providers/Microsoft.Resources/deployments/entraid-sec-groups-test",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "",
        "message": "{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/role_tier1Analyst\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: 9335c582-d847-49e8-9079-3e4a89a5d2e0. Graph request timestamp: 2024-06-13T11:59:32Z.\"}}"
      }
    ]
  }
}

Describe the bug

For the Microsoft.Graph/groups resource type, deploying with the property isAssignableToRole set to true, which requires an additional permission for the signed-in user/service principal, fails even though the permission is granted.

From the Groups doc: https://learn.microsoft.com/en-us/graph/templates/reference/groups?view=graph-bicep-1.0

Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups.

The service principal I'm using is granted the following Microsoft Graph permissions:

It works fine to deploy a group without the property isAssignableToRole set to true. That would mean the permissions are in effect I would believe?

In addition to the Microsoft Graph permissions, the service principal has the Entra ID role Privileged Role Administrator, which is also a prerequisite.

To Reproduce

  1. Create a service principal with the Microsoft Graph application permissions 'RoleManagement.ReadWrite.Directory', 'Group.ReadWrite.All', 'Directory.ReadWrite.All' (remember Global Admin consent)
  2. Create a Microsoft.Graph/groups resource:
targetScope = 'subscription'

provider microsoftGraph

resource groupExample 'Microsoft.Graph/groups@v1.0' = {
  displayName: 'Example Group'
  description: 'Example Group'
  isAssignableToRole: true
  mailEnabled: false
  mailNickname: 'example-group'
  securityEnabled: true
  uniqueName: 'example-group'
}

az login --service-principal --username '1234' --password '1234' --tenant '1234'

az deployment sub create --name 'entraid-sec-groups-test' --template-file .\(unknown).bicep --location 'NorwayEast'

Additional context Add any other context about the problem here. For example, what permissions does the identity have if it's a permission issue?
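The failure quoted above buries the Graph error inside a JSON-encoded string in the ARM deployment's details, so the Graph client request id and timestamp the issue template asks for are easy to miss. As an added example (not code from the issue or from the msgraph-bicep-types project), this Python unwraps that envelope from a copy of the response in the report and checks an identity's granted Graph permissions and directory roles against the prerequisites quoted from the groups doc; the permission and role sets passed in are assumed to have been collected separately.

```python
import json
import re

# Deployment failure copied from the report above, trimmed to the fields used here.
DEPLOYMENT_RESULT = {
    "error": {
        "details": [{
            "message": '{"error":{"code":"Forbidden","target":"/resources/role_tier1Analyst",'
                       '"message":"Insufficient privileges to complete the operation. '
                       'Graph client request id: 9335c582-d847-49e8-9079-3e4a89a5d2e0. '
                       'Graph request timestamp: 2024-06-13T11:59:32Z."}}',
        }],
    },
}

# The Graph error text carries the two identifiers the issue template asks for.
_GRAPH_IDS = re.compile(
    r"Graph client request id: (?P<request_id>[0-9a-f-]{36})\. "
    r"Graph request timestamp: (?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
)

def extract_graph_errors(result):
    # Each ARM detail message is itself a JSON-encoded Graph error envelope.
    found = []
    for detail in result.get("error", {}).get("details", []):
        try:
            err = json.loads(detail.get("message", "")).get("error")
        except (json.JSONDecodeError, AttributeError):
            err = None  # plain text, or JSON that is not an object
        if not isinstance(err, dict):
            continue  # not a Graph error envelope
        ids = _GRAPH_IDS.search(err.get("message", ""))
        found.append({"code": err.get("code", ""), "target": err.get("target", ""),
                      "request_id": ids.group("request_id") if ids else "",
                      "timestamp": ids.group("timestamp") if ids else ""})
    return found

# Prerequisites for isAssignableToRole, as quoted from the groups doc above.
REQUIRED_PERMISSION = "RoleManagement.ReadWrite.Directory"
ALLOWED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

def missing_prerequisites(app_roles, directory_roles):
    # Returns the documented prerequisites the deploying identity does not meet.
    missing = []
    if REQUIRED_PERMISSION not in set(app_roles):
        missing.append("permission " + REQUIRED_PERMISSION)
    if not ALLOWED_ROLES & set(directory_roles):
        missing.append("directory role " + " or ".join(sorted(ALLOWED_ROLES)))
    return missing
```

An empty result from missing_prerequisites only rules out the identity side; the report shows the same Forbidden error with both prerequisites in place.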

dkershaw10 commented 2 months ago

Thanks @Ellestad1995. Preliminary investigation suggests that the Graph Bicep Extension is missing the RoleManagement.ReadWrite.Directory delegated permission to enable this scenario.

dkershaw10 commented 2 months ago

@Ellestad1995 Follow up question on the scenario. Are you also expecting to be able to assign this role assignable group to an Entra ID role, using Bicep? Does this mean you also need Entra role assignment and/or PIM for Groups?

Ellestad1995 commented 2 months ago

@dkershaw10 Thanks for following up. For now I'm only concerned about creating a group which can be role assignable. Assigning roles to the groups would be great, but I guess that needs to be handled some other way for now.

dkershaw10 commented 2 months ago

Yes - it will need to be handled outside of Bicep for now :( However, if you do want to manage the role assignments (as is possible for Azure roles) then I recommend you upvote (thumbs-up) #123.

abunnyuk commented 2 weeks ago

I'd love for this to be implemented but sadly the documentation states that it's not currently supported.

https://learn.microsoft.com/en-us/graph/templates/limitations#deploying-role-assignable-groups-is-not-supported

dkershaw10 commented 2 weeks ago

@abunnyuk Totally understand and I would love this to be fixed too. Please go ahead and upvote this issue. This is a Microsoft Graph platform issue that we are working on with a partner team. More comments like this will help prioritize the work for our partner team.