microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Insufficient privileges to complete the operation on getting Application/Service principal via existing syntax #174

Open slavizh opened 6 days ago

slavizh commented 6 days ago

Bicep version: Bicep CLI version 0.30.3 (2f0e78dcae)

Resource and API version: Microsoft.Graph/applications@v1.0, Microsoft.Graph/servicePrincipals@v1.0

Auth flow: automated; initially tested with the Cloud Application Administrator role, but after that I have added Global Administrator. The result is the same.

Deployment details: Insufficient privileges to complete the operation. Graph client request id: afff112b-8a8c-4f20-a1dd-9640b2a09d5e. Graph request timestamp: 2024-09-18T13:25:58Z. (Code: Forbidden) Correlation ID: 7c517c2b-7f6a-4083-b50a-84365d8a1ebe

Describe the bug: To have a successful deployment and the service principal to be added as a member of the group.

To Reproduce: This should be a minimum reproducible template. You need to enter information for your own environment.

```bicep
extension microsoftGraph

param entraGroup object = {
  name: 'ExampleGroup2'
  type: 'Security'
  displayName: 'Example Group 2'
  mailNickname: 'exampleGroup2'
  members: [
    {
      name: 'SomeName'
      type: 'Application'
    }
  ]
  owners: []
}

// Defaults merged into each member so that optional keys can be read safely.
var defaultMember = {
  subscriptionId: subscription().subscriptionId
  resourceGroup: ''
  name: ''
  appId: ''
}

// One existing-resource lookup per member type; filtered-out entries still
// need a syntactically valid name, hence the 'dummy${i}' fallback.
resource memberManagedIdentities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'UserAssignedManagedIdentity') {
    //https://github.com/Azure/bicep/issues/13937
    name: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
    scope: resourceGroup(union(defaultMember, member).subscriptionId, union(defaultMember, member).resourceGroup)
  }
]

resource memberApplications 'Microsoft.Graph/applications@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Application') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
  }
]

// The service principal of an application is looked up via the app's appId.
resource memberServicePrincipals 'Microsoft.Graph/servicePrincipals@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Application') {
    appId: memberApplications[i].appId
  }
]

resource memberServicePrincipalsStandalone 'Microsoft.Graph/servicePrincipals@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'ServicePrincipal') {
    //https://github.com/Azure/bicep/issues/13937
    appId: empty(union(defaultMember, member).appId) ? 'dummy${i}' : member.appId
  }
]

resource memberGroups 'Microsoft.Graph/groups@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Group') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
  }
]

// The group itself; each member is resolved to an object id according to its type.
resource entraGroupRes 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: entraGroup.name
  displayName: entraGroup.displayName
  mailEnabled: false
  mailNickname: entraGroup.mailNickname
  securityEnabled: true
  description: null
  members: [
    for (member, i) in entraGroup.members: member.type =~ 'UserAssignedManagedIdentity'
      ? memberManagedIdentities[i].properties.principalId
      : member.type =~ 'Application'
          ? memberServicePrincipals[i].id
          : member.type =~ 'ServicePrincipal'
              ? memberServicePrincipalsStandalone[i].id
              : member.type =~ 'Group' ? memberGroups[i].id : member.type =~ 'PrincipalId' ? member.principalId : ''
  ]
}
```

Additional context: Add any other context about the problem here. For example, what permissions does the identity have if it's a permission issue?

dkershaw10 commented 6 days ago

Weirdly I could not find your requestId in the logs. However, I managed to repro, and I found those logs. Will get someone to investigate this.

Insufficient privileges to complete the operation. Graph client request id: 375a0c44-c06c-4da0-b266-dbc582883acd. Graph request timestamp: 2024-09-19T16:52:20Z

cc: @eketo-msft @jason-dou

dkershaw10 commented 6 days ago

In my repro, my test user did not have the Entra Groups Management role. When assigned this role, my test user could successfully deploy your script. So my test user now has Groups Management and App Admin (and Privileged Role Admin).

@slavizh Can you try to repro again and please provide a new client request id and timestamp?

slavizh commented 5 days ago

@dkershaw10 I am not able to achieve success. Still getting the error:

```text
{"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 84396c71-fa3d-4e35-b22a-4cc28a82cabc. Graph request timestamp: 2024-09-20T08:42:52Z."}} (Code:DeploymentOperationFailed) Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 8edb2286-c3b1-42f3-9ad5-6034da90ad7a. Graph request timestamp: 2024-09-20T08:42:53Z."}} (Code:) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 84396c71-fa3d-4e35-b22a-4cc28a82cabc. Graph request timestamp: 2024-09-20T08:42:52Z."}} (Code:) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed.
Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 784f7bee-01bb-49a9-b59b-f6786f76db45. Graph request timestamp: 2024-09-20T08:42:52Z."}} (Code:) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 3cf6aa6d-553b-4bf2-b52a-99705ff056c9. Graph request timestamp: 2024-09-20T08:42:53Z."}} (Code:) CorrelationId: 3b653a39-7fb4-461b-a157-b9b90bb65970
```

I already had the Groups Administrator role. Maybe I am doing something wrong with the role assignments, as my expertise is not in Microsoft Entra. To verify, here is what I am doing: Azure Portal -> Microsoft Entra -> Roles and administrators -> click on the desired role -> Add assignments -> find the service principal in the list of users and service principals and click Add. The end result is like this: [image]

I have done this for Application Administrator, Global Administrator, Groups Administrator, User administrator.

Am I doing something wrong?
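The nested ARM error above repeats the same inner Graph error at several levels, so the request ids the maintainer asked for are scattered and partly duplicated, and one of the earlier ids could not be found in the service logs at all. As an added example that is not part of this issue or of the msgraph-bicep-types project, the Python helper below pulls the distinct Graph client request ids, their timestamps and the ARM correlation id out of such an error blob (both the plain form of the first post and the JSON-wrapped form of the later one) and derives a UTC time window for a log search. The sample input is a constructed, trimmed copy of the error text in the comment above, and the five-minute padding on the window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample input: a trimmed copy of the nested ARM error reported in
# this thread. The request ids and timestamps are the ones on the page; the
# repeated boilerplate between them has been shortened.
SAMPLE_ERROR = (
    '{"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":'
    '"Insufficient privileges to complete the operation. Graph client request id: '
    '84396c71-fa3d-4e35-b22a-4cc28a82cabc. Graph request timestamp: 2024-09-20T08:42:52Z."}} '
    '(Code:DeploymentOperationFailed) Status Message: At least one resource deployment '
    'operation failed. (Code: DeploymentFailed) - '
    '{"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":'
    '"Insufficient privileges to complete the operation. Graph client request id: '
    '8edb2286-c3b1-42f3-9ad5-6034da90ad7a. Graph request timestamp: 2024-09-20T08:42:53Z."}} '
    '(Code:) - '
    '{"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":'
    '"Insufficient privileges to complete the operation. Graph client request id: '
    '84396c71-fa3d-4e35-b22a-4cc28a82cabc. Graph request timestamp: 2024-09-20T08:42:52Z."}} '
    '(Code:) CorrelationId: 3b653a39-7fb4-461b-a157-b9b90bb65970'
)

UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# "Graph client request id: <id>. Graph request timestamp: <ts>" occurs in both
# the plain error text and the JSON-wrapped one; the pair is matched the same way.
REQUEST_RE = re.compile(
    rf"Graph client request id:\s*(?P<request_id>{UUID})\.\s*"
    r"Graph request timestamp:\s*(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
)
# ARM writes "Correlation ID:" in one place and "CorrelationId:" in another.
CORRELATION_RE = re.compile(rf"Correlation\s?Id:\s*(?P<id>{UUID})", re.IGNORECASE)


@dataclass(frozen=True)
class GraphRequest:
    request_id: str
    timestamp: datetime  # timezone-aware, UTC


def extract_graph_requests(text: str) -> List[GraphRequest]:
    """Distinct Graph request id/timestamp pairs, in order of first appearance.

    Nested ARM errors repeat the same inner error at several levels, so the same
    request id can occur more than once; it is reported only once here.
    """
    seen = set()
    requests: List[GraphRequest] = []
    for match in REQUEST_RE.finditer(text):
        request_id = match.group("request_id").lower()
        if request_id in seen:
            continue
        seen.add(request_id)
        stamp = datetime.strptime(match.group("timestamp"), "%Y-%m-%dT%H:%M:%SZ")
        requests.append(GraphRequest(request_id, stamp.replace(tzinfo=timezone.utc)))
    return requests


def extract_correlation_id(text: str) -> Optional[str]:
    """The ARM correlation id, if the error text carries one."""
    match = CORRELATION_RE.search(text)
    return match.group("id").lower() if match else None


def log_search_window(requests: List[GraphRequest],
                      padding: timedelta = timedelta(minutes=5)) -> Tuple[datetime, datetime]:
    """UTC window covering every Graph request, padded on both sides (padding is an assumption)."""
    if not requests:
        raise ValueError("no Graph request ids found in the error text")
    stamps = [r.timestamp for r in requests]
    return min(stamps) - padding, max(stamps) + padding


def format_report(text: str) -> str:
    """Summary that can be pasted into an issue or support ticket."""
    requests = extract_graph_requests(text)
    lines = [f"ARM correlation id: {extract_correlation_id(text) or '<none found>'}"]
    for r in requests:
        lines.append(f"Graph request {r.request_id} at {r.timestamp.isoformat()}")
    if requests:
        start, end = log_search_window(requests)
        lines.append(f"Log search window (UTC): {start.isoformat()} .. {end.isoformat()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_ERROR))
```

Running the script prints the correlation id, the two distinct request ids (the repeated one is collapsed) and the padded window; the same functions accept the plain single-error form of the first post unchanged.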

dkershaw10 commented 3 days ago

@slavizh Just to keep you up to date here - @eketo-msft has been investigating this issue - and will get back to you with an update. I will also try and see if I can repro the issue with an application-only flow. I didn't see the issue with interactive flows.