microsoftgraph / msgraph-metadata

Microsoft Graph metadata captured and used for generating client library code files.
https://graph.microsoft.com
MIT License

Entra ID Group (not role assignable) fails to remove Owners if last Owner is an SPN #653

Open philmph opened 3 months ago

philmph commented 3 months ago

Hi,

as suggested in https://github.com/hashicorp/terraform-provider-azuread/issues/1435, I am raising this issue here as well, since this error is not related to Terraform and is also happening in the Azure Portal UI.

Scenario 1

A group has two Owner objects, of which one is an SPN. I am trying to remove the 2nd Owner object, which is not an SPN (SPN = last Owner).

Case 1

Role Assignable Group (Single Object Remove):

I am able to remove a 2nd Owner (Terraform & UI).

Case 2

Not Role Assignable Group (Single Object Remove):

I am not able to remove a 2nd Owner (Terraform & UI).

Note: This is only true if the last remaining Owner is an SPN. It is possible if the last object is a user object.

Scenario 2

A group has three or more Owners, of which one is an SPN. I am trying to remove all Owner objects which are not SPNs (SPN = last Owner).

Case 3

Not Role Assignable Group (Multiple Object Remove / batch as highlighted here):

UI -> I am able to remove all Owner objects by selecting all objects but the SPN.

Terraform -> I am not able to remove all Owner objects because the Terraform Provider does this one by one.

Error Details

UI -> Failed to remove group owner. The group must have at least one owner.

Terraform -> Error: GroupsClient.BaseClient.Delete(): unexpected status 400 with OData error: Request_BadRequest: The group must have at least one owner, hence this owner cannot be removed.
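The issue above contrasts one-by-one `DELETE` calls, which hit the "at least one owner" 400 when the sole survivor would be a service principal, with the Portal's batched removal. The following is an added example, not code from this issue, from the msgraph-metadata repository or from the Terraform provider: it plans owner removals as Graph JSON batch bodies and refuses up front any plan that would leave zero owners, so an automation script fails before the first request instead of halfway through. It assumes the documented v1.0 endpoints `DELETE /groups/{group-id}/owners/{id}/$ref` and `POST /$batch` (max 20 requests per batch); the group and owner IDs are constructed placeholders, and `sole_owner_is_service_principal` is a helper written here to flag the exact case the report describes.

```python
"""Plan Microsoft Graph group-owner removals without tripping the
'group must have at least one owner' check.

Added example; not part of the issue or the msgraph-metadata repository.
Assumes the v1.0 endpoints DELETE /groups/{id}/owners/{id}/$ref and
POST /$batch. All IDs used below are constructed placeholders.
"""
import json

MAX_BATCH_REQUESTS = 20  # Graph JSON batching accepts at most 20 requests per call


def remaining_owners(current_owners, owners_to_remove):
    """Owners (same dicts as in current_owners) that would be left after removal."""
    remove = set(owners_to_remove)
    return [o for o in current_owners if o["id"] not in remove]


def sole_owner_is_service_principal(owners):
    """True when exactly one owner remains and it is a service principal.

    This is the state the issue describes: Graph then rejects removing any
    further owner of a non-role-assignable group.
    """
    return (len(owners) == 1
            and owners[0].get("@odata.type") == "#microsoft.graph.servicePrincipal")


def plan_owner_removal(group_id, current_owners, owners_to_remove):
    """Build the $batch request bodies that remove owners_to_remove from the group.

    current_owners: list of dicts shaped like GET /groups/{id}/owners items
    (at least 'id' and '@odata.type').
    owners_to_remove: list of owner object IDs.

    Raises ValueError before any request is built if an ID is not a current
    owner or if nothing would remain, which is the condition Graph rejects
    with HTTP 400 Request_BadRequest.
    """
    current_ids = {o["id"] for o in current_owners}
    unknown = sorted(set(owners_to_remove) - current_ids)
    if unknown:
        raise ValueError(f"not current owners of group {group_id}: {unknown}")
    if not remaining_owners(current_owners, owners_to_remove):
        raise ValueError("removal would leave the group with no owner")

    batches = []
    for start in range(0, len(owners_to_remove), MAX_BATCH_REQUESTS):
        chunk = owners_to_remove[start:start + MAX_BATCH_REQUESTS]
        batches.append({
            "requests": [
                {
                    "id": str(i + 1),  # per-batch request id, echoed in the response
                    "method": "DELETE",
                    "url": f"/groups/{group_id}/owners/{owner_id}/$ref",
                }
                for i, owner_id in enumerate(chunk)
            ]
        })
    return batches


if __name__ == "__main__":
    # Constructed sample: one SPN owner plus two user owners.
    group = "00000000-0000-0000-0000-00000000000a"
    owners = [
        {"id": "a0000000-0000-0000-0000-000000000001",
         "@odata.type": "#microsoft.graph.servicePrincipal"},
        {"id": "a0000000-0000-0000-0000-000000000002",
         "@odata.type": "#microsoft.graph.user"},
        {"id": "a0000000-0000-0000-0000-000000000003",
         "@odata.type": "#microsoft.graph.user"},
    ]
    to_remove = [owners[1]["id"], owners[2]["id"]]
    for body in plan_owner_removal(group, owners, to_remove):
        print(json.dumps(body, indent=2))  # POST this to /$batch
    left = remaining_owners(owners, to_remove)
    print("sole remaining owner is a service principal:",
          sole_owner_is_service_principal(left))
```

The pre-check mirrors the server-side rule, so a scripted removal either succeeds as a whole or does nothing; it does not change the fact that, once an SPN is the only owner of a non-role-assignable group, Graph will refuse further single removals until a second owner is added.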

itpropro commented 2 months ago

Any updates on this?