Unable to read groups from Azure GroupsClient.BaseClient.Get() (403 error code)

[64J0]

I'm having trouble to authenticate my service principal and make it read Groups from Azure AD. I have assigned all the required permissions and it is still not working.

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.1.9
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.20.0
+ provider registry.terraform.io/hashicorp/azurerm v3.3.0
+ provider registry.terraform.io/hashicorp/local v2.2.2
+ provider registry.terraform.io/hashicorp/random v3.1.3
+ provider registry.terraform.io/hashicorp/tls v3.3.0

Affected Resource(s)

• azuread_group

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
resource "azuread_group" "aks_administrators" {
  display_name            = "aks-${var.environment}-${var.location}-${var.cluster_name}"
  description             = "Administrators of the ${var.cluster_name} AKS cluster"
  owners                  = [data.azurerm_client_config.current.object_id]
  security_enabled        = true
  prevent_duplicate_names = true
  members                 = []

  lifecycle {
    ignore_changes = [
      owners,
      members,
    ]
  }
}

Debug Output

Panic Output

Expected Behavior

I want to use this configuration code to create this group for me.

Actual Behavior

When I do terraform plan I get this message:

Acquiring state lock. This may take a few moments...
╷
│ Error: could not check for existing group(s): unable to list Groups with filter "displayName eq 'aks-staging-eastus2-rhesus'": GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
│ 
│   with module.aks.module.aad.azuread_group.aks_administrators,
│   on modules/aad/main.tf line 5, in resource "azuread_group" "aks_administrators":
│    5: resource "azuread_group" "aks_administrators" {
│ 
╵
Releasing state lock. This may take a few moments...

Those are my service principal API permissions:

Steps to Reproduce

1. terraform apply

Important Factoids

Running in a Azure from Brazil.

References

• #0000

[64J0]

I'm authenticating in Azure through a Service Principal account.

[64J0]

Apparently, the problem was az keeping some weird session values in my local machine.

After using those commands it was able to do the terraform plan:

az account clear
az login

[manicminer]

@64J0 Thanks for following up. It's worth noting that we recommend using the provider's native support for authenticating using a service principal rather than relying on az login --service-principal, and in a future release of the provider we may stop supporting that scenario in line with the AzureRM provider.

When using Azure CLI for authentication, the access token, which contains your scopes and roles at the time of issuance, is cached by az-cli and accordingly you'll need to sign out and back in again to have new permissions take effect before this cache expires.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.