microsoftgraph / msgraph-bicep-types

Repo contains Microsoft Graph resource types to integrate with bicep templates.
MIT License

Insufficient privileges to complete the operation on getting Application/Service principal via existing syntax #174

Open slavizh opened 2 months ago

slavizh commented 2 months ago

Bicep version: Bicep CLI version 0.30.3 (2f0e78dcae)

Resource and API version: Microsoft.Graph/applications@v1.0, Microsoft.Graph/servicePrincipals@v1.0

Auth flow: automated. Initially tested with the Cloud Application Administrator role, but after that I have added Global Administrator. The result is the same.

Deployment details: Insufficient privileges to complete the operation. Graph client request id: afff112b-8a8c-4f20-a1dd-9640b2a09d5e. Graph request timestamp: 2024-09-18T13:25:58Z. (Code: Forbidden) Correlation ID: 7c517c2b-7f6a-4083-b50a-84365d8a1ebe

Describe the bug: To have a successful deployment and the service principal to be added as a member of the group.

To Reproduce: This should be a minimum reproducible template. You need to enter information for your own environment.

extension microsoftGraph

param entraGroup object = {
  name: 'ExampleGroup2'
  type: 'Security'
  displayName: 'Example Group 2'
  mailNickname: 'exampleGroup2'
  members: [
    {
      name: 'SomeName'
      type: 'Application'
    }
  ]
  owners: []
}

var defaultMember = {
  subscriptionId: subscription().subscriptionId
  resourceGroup: ''
  name: ''
  appId: ''
}

resource memberManagedIdentities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'UserAssignedManagedIdentity') {
    //https://github.com/Azure/bicep/issues/13937
    name: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
    scope: resourceGroup(union(defaultMember, member).subscriptionId, union(defaultMember, member).resourceGroup)
  }
]

resource memberApplications 'Microsoft.Graph/applications@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Application') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
  }
]

resource memberServicePrincipals 'Microsoft.Graph/servicePrincipals@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Application') {
    appId: memberApplications[i].appId
  }
]

resource memberServicePrincipalsStandalone 'Microsoft.Graph/servicePrincipals@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'ServicePrincipal') {
    //https://github.com/Azure/bicep/issues/13937
    appId: empty(union(defaultMember, member).appId) ? 'dummy${i}' : member.appId
  }
]

resource memberGroups 'Microsoft.Graph/groups@v1.0' existing = [
  for (member, i) in entraGroup.members: if (member.type =~ 'Group') {
    //https://github.com/Azure/bicep/issues/13937
    uniqueName: empty(union(defaultMember, member).name) ? 'dummy${i}' : member.name
  }
]

resource entraGroupRes 'Microsoft.Graph/groups@v1.0' = {
  uniqueName: entraGroup.name
  displayName: entraGroup.displayName
  mailEnabled: false
  mailNickname: entraGroup.mailNickname
  securityEnabled: true
  description: null
  members: [
    for (member, i) in entraGroup.members: member.type =~ 'UserAssignedManagedIdentity'
      ? memberManagedIdentities[i].properties.principalId
      : member.type =~ 'Application'
          ? memberServicePrincipals[i].id
          : member.type =~ 'ServicePrincipal'
              ? memberServicePrincipalsStandalone[i].id
              : member.type =~ 'Group' ? memberGroups[i].id : member.type =~ 'PrincipalId' ? member.principalId : ''
  ]
}


dkershaw10 commented 2 months ago

Weirdly, I could not find your requestId in the logs. However, I managed to repro, and I found those logs. I will get someone to investigate this.

Insufficient privileges to complete the operation. Graph client request id: 375a0c44-c06c-4da0-b266-dbc582883acd. Graph request timestamp: 2024-09-19T16:52:20Z

cc: @eketo-msft @jason-dou

dkershaw10 commented 2 months ago

In my repro, my test user did not have the Entra Groups Management role. When assigned this role, my test user could successfully deploy your script. So my test user now has Groups Management and App Admin (and Privileged Role Admin).

@slavizh Can you try to repro again and please provide a new client request id and timestamp?

slavizh commented 2 months ago

@dkershaw10 I am not able to achieve success. Still getting the error: | {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 84396c71-fa3d-4e35-b22a-4cc28a82cabc. Graph request timestamp: 2024-09-20T08:42:52Z."}} (Code:DeploymentOperationFailed) Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 8edb2286-c3b1-42f3-9ad5-6034da90ad7a. Graph request timestamp: 2024-09-20T08:42:53Z."}} (Code:) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 84396c71-fa3d-4e35-b22a-4cc28a82cabc. Graph request timestamp: 2024-09-20T08:42:52Z."}} (Code:) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. 
Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 784f7bee-01bb-49a9-b59b-f6786f76db45. Graph request timestamp: 2024-09-20T08:42:52Z."}} (Code:) - The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure) - At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - {"error":{"code":"Forbidden","target":"/resources/entraGroupRes","message":"Insufficient privileges to complete the operation. Graph client request id: 3cf6aa6d-553b-4bf2-b52a-99705ff056c9. Graph request timestamp: 2024-09-20T08:42:53Z."}} (Code:) CorrelationId: 3b653a39-7fb4-461b-a157-b9b90bb65970

I already had the Groups Administrator role. Maybe I am doing something wrong with the role assignments, as my expertise is not in Microsoft Entra. To verify, here is what I am doing: Azure Portal -> Microsoft Entra -> Roles and administrators -> click on the desired role -> Add assignments -> find the service principal in the list of users and service principals and click Add. The end result is like this:

I have done this for Application Administrator, Global Administrator, Groups Administrator, User Administrator.

Am I doing something wrong?

dkershaw10 commented 2 months ago

@slavizh Just to keep you up to date here - @eketo-msft has been investigating this issue - and will get back to you with an update. I will also try and see if I can repro the issue with an application-only flow. I didn't see the issue with interactive flows.

slavizh commented 1 month ago

@dkershaw10 any update?

slavizh commented 1 month ago

@dkershaw10 I just did a re-deployment where the only change was that I migrated to dynamic types. No change in other parts of the code, no change in the provided Bicep parameters, no change in the permissions of the service principal I have been using. And this time it succeeded. Could it be something solved by using the latest preview with dynamic types, or some backend change, or maybe the permissions required some time to be applied fully? Although, as you have seen, I logged the error after your reply when a whole day had passed, and I was still able to reproduce it. Maybe someone could look at the logs from the previous errors to investigate what could have caused the fix, to make sure we have the root cause.

dkershaw10 commented 1 month ago

cc: @eketo-msft who is investigating.

eketo-msft commented 1 month ago

It could be a timing issue. Do you know approximately the time delta between assigning the SP to an admin role and deploying the bicep template?

Logs were able to confirm that the role was not loaded, but the backend is performing role loading correctly for SP subjects.

slavizh commented 1 month ago

@eketo-msft Exact timing, no, but as I have mentioned, I tried it on the next day and there was still an error.

NickVanRaaijT commented 4 weeks ago

We have the same issue. The service principal which is executing the deployment is also Global Administrator.

ERROR: {"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/***/providers/Microsoft.Resources/deployments/main","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"","message":"{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/appRegistratrion[3]\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: 4581fe87-f05b-4191-b1a9-eca002d8c4b1. Graph request timestamp: 2024-10-31T10:59:30Z.\"}}"},{"code":"","message":"{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/appRegistratrion[4]\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: b2de40f1-771c-468e-a5a1-091a665d46e6. Graph request timestamp: 2024-10-31T10:59:30Z.\"}}"},{"code":"","message":"{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/appRegistratrion[2]\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: 7ca12bc4-bcfe-4974-b919-72be7b6073fc. Graph request timestamp: 2024-10-31T10:59:30Z.\"}}"},{"code":"","message":"{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/appRegistratrion[1]\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: c877317f-8cd5-4447-bcf0-a1259a547832. Graph request timestamp: 2024-10-31T10:59:30Z.\"}}"},{"code":"","message":"{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/appRegistratrion[0]\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: bed2e399-9bde-496f-8113-4e49348e5f41. Graph request timestamp: 2024-10-31T10:59:30Z.\"}}"}]}}
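A triage helper, added here and not part of this thread or of the msgraph-bicep-types project: it pulls the Graph client request id, timestamp and failing target out of a failed deployment's error output, which is what the maintainers ask for when they look up a Forbidden in their logs. It handles both the structured az CLI JSON form shown above (where each ARM detail carries the Graph error as a JSON-encoded string) and the flattened text form pasted earlier in the thread. The sample output and its GUIDs are constructed.

```python
import json
import re

# Each Graph failure quoted in the thread carries a GUID request id and a UTC timestamp.
_GRAPH_RE = re.compile(r"Graph client request id: (?P<rid>[0-9a-fA-F-]{36})\. "
                       r"Graph request timestamp: (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
_TARGET_RE = re.compile(r'"target":\s*"(?P<target>[^"]+)"')

def _record(target, code, m):
    return {"target": target, "code": code,
            "request_id": m.group("rid") if m else None,
            "timestamp": m.group("ts") if m else None}

def extract_graph_failures(output):
    """One record per Graph failure, de-duplicated by request id. Structured 'ERROR: {...}'
    form: each ARM 'details' entry holds the Graph error as a JSON-encoded string.
    Flattened text form: pair each request id with the nearest preceding "target"."""
    body = output.split("ERROR:", 1)[-1].strip()
    try:
        records = []
        for d in json.loads(body)["error"]["details"]:
            inner = json.loads(d["message"])["error"]
            records.append(_record(inner.get("target"), inner.get("code"),
                                   _GRAPH_RE.search(inner.get("message", ""))))
        return records
    except (ValueError, KeyError, TypeError):
        pass  # not the structured form; fall through to text scanning
    found = {}
    for m in _GRAPH_RE.finditer(output):
        target = None
        for tm in _TARGET_RE.finditer(output, 0, m.start()):
            target = tm.group("target")  # last "target" before this request id
        found.setdefault(m.group("rid"), _record(target, None, m))
    return list(found.values())

def make_sample_output():
    """Constructed sample shaped like the az CLI output quoted above (ids are made up)."""
    def detail(target, rid, ts):
        msg = (f"Insufficient privileges to complete the operation. "
               f"Graph client request id: {rid}. Graph request timestamp: {ts}.")
        return {"code": "", "message": json.dumps(
            {"error": {"code": "Forbidden", "target": target, "message": msg}})}
    outer = {"status": "Failed", "error": {
        "code": "DeploymentFailed", "message": "At least one resource deployment operation failed.",
        "target": "/subscriptions/***/providers/Microsoft.Resources/deployments/main",
        "details": [detail("/resources/appRegistration[0]",
                           "11111111-1111-4111-8111-111111111111", "2024-10-31T10:59:30Z"),
                    detail("/resources/appRegistration[1]",
                           "22222222-2222-4222-8222-222222222222", "2024-10-31T10:59:31Z")]}}
    return "ERROR: " + json.dumps(outer)
```

In the flattened form the error code is not recovered (it is left as None); the request id and timestamp are the values worth pasting back into the issue.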

dkershaw10 commented 3 weeks ago

@eketo-msft can you investigate @NickVanRaaijT failures above please?

@NickVanRaaijT how soon after assigning the role to the SP did you attempt the deployment? If you run it again now, does it still fail?

Also, while this is fine for testing, I strongly advise against assigning the global admin permission to a service principal. This gives the SP the ability to pretty much change anything in Entra, as well as other services that are part of the tenant.

slavizh commented 3 weeks ago

@dkershaw10 Noted about the security concern. Currently we use it only for development. We will start doing things in production once we have a release where we do not have to enable preview things via bicepconfig and we do not have critical bugs. I guess the best place to point out the required permissions is the API reference; for example, this is the page for groups: https://learn.microsoft.com/en-us/graph/templates/reference/groups?view=graph-bicep-1.0. As you can see, the permissions required when you need to reference existing resources are not listed there. So I think there is room for improvement in the docs.

dkershaw10 commented 3 weeks ago

Sorry @slavizh I'm just double checking your comment here. I think you are saying that the least privileged permissions in the reference docs are for create/update only and not for read operations (for referencing existing resources)?

I think that's a fair comment. I'll create a separate documentation enhancement issue for that.

slavizh commented 3 weeks ago

@dkershaw10 Exactly. I am not providing specific input on how you should handle that in the docs, as most likely you have a specific vision of how these REST API docs need to look, and most likely they are automatically generated, so it is up to you to decide where and how that information will be provided.