-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validation for Group ownership is broken #92
Comments
It seems that the original request is modified by the API. If I send the request without the
FYI: If I use the active directory via Azure portal (azure.portal.com), the problem seems to be avoided by never setting |
Hi, I was experiencing pretty much the same issue too. As per the documentation here : https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group API Permissions When authenticated with a service principal, this resource requires one of the following application roles: Group.ReadWrite.All or Directory.ReadWrite.All When authenticated with a user principal, this resource requires one of the following directory roles: Groups Administrator, User Administrator or Global Administrator It worked for me after having granted Group Administrator role. Hope this helps. |
Thanks for the tip @otabut. However, in the enterprise I am working at, it is impossible for ordinary mortals to acquire such elevated rights. My workaround for daily use in Terraform is to create the group via Azure CLI and import it into the state for further management via Terraform, e.g. like this:
|
Any update/progress on resolving this issue? As getting elevated permission is not an option for us and would be forced to do @ju-la-berger 's solution above which kind of defeats the point of using terraform... |
Hi Team, any update its known issue for quite long time :) |
Agreed - I can confirm this is still an issue when using Azure AD API to remove user as owner when a service principal is the rightful owner of the group - but is not being recognized as such - therefore preventing the removal of a user as owner. Please advise on the timelines for a fix on this issue. Thank you. |
Any updates here? Been over a year. |
please fix this! |
I agree, I hope this ticket can get some prioritie. This issue cause delay and automation challenges in our delivery of Azure Landingzones to Microsoft Customers. Expensive delay for everyone. |
…ner, partial workaround for microsoftgraph/msgraph-metadata#92
I would also like to point out that the current API is not idempotent. Without using the above workaround (i.e. no using separate service principle creating the resource, but instead using my identity to create the resource): Calling the API and setting the "owner" only as "Identity2" (not including my identity). The Group resource has both my identity and "Identity2" in the "Owners" field. Applying the same change using the same parameters, results in my identity in the "owners" field being removed (breaking idempotency). I can't create a service principle for this (too many hoops to jump through). Has the workaround been tested for idempotency? I would expect the SP to be included in the Owners on the create, and removed in subsequent applies. |
Any update on this issue or #653 @darrelmiller @baywet ? |
Hi everyone, |
Thanks for the clarification! |
There are recently added undocumented validation rules for Group ownership in Microsoft Graph which are broken. Discussions with the service team would indicate that this validation is intended to affect Microsoft 365 (unified) groups with the goal of preventing group creation without a group having an owner that is a user principal. However at the same time we are seeing errors around group ownership for security groups too and the behavior is inconsistent, sometimes preventing creation of a group no matter what combination of owners are specified.
At group creation time, this seems to manifest in a 400 response with the following error description:
This does not correlate with the request payload which might for example look like the following:
This error is returned despite:
In addition, when removing owners from a group, where there are two owners and one of these is a service principal and the other is a user principal, and the group is a security group and not a unified group, a 400 response can sometimes be received with the following error:
These behaviors have been documented by ourselves and several community members, in the following related issues:
hashicorp/terraform-provider-azuread#464
hashicorp/terraform-provider-azuread#473
hashicorp/terraform-provider-azuread#478
hashicorp/terraform-provider-azuread#567
The text was updated successfully, but these errors were encountered: