azuread_privileged_access_group_eligibility_schedule - permissions error despite graph and Entra role applied to service prinicple

[danrvu]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

• azuread_privileged_access_group_eligibility_schedule
  Service principle has the roles that have been stated on error for Graph and also has Priviliged role admin

Terraform Configuration Files

# resource "azuread_privileged_access_group_eligibility_schedule" "example" {
#   for_each           = local.group_eligible_membership
#   group_id        = azuread_group.groups[each.value.group].id
#   principal_id    = azuread_group.groups[each.value.member].id
#   assignment_type = "member"
#   duration        = "P30D"
# }

Debug Output

Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
│
│ with azuread_privileged_access_group_eligibility_schedule.example["xxxx"],
│ on roles.tf line 8, in resource "azuread_privileged_access_group_eligibility_schedule" "example":
│ 8: resource "azuread_privileged_access_group_eligibility_schedule" "example" {
│
│ Could not create assignment schedule request,
│ PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
│ unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed
│ due to missing permission scope
│ PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
╵

Panic Output

Expected Behavior

Should have created the eligible assignment for the group

Actual Behavior

Failed with the above error

Steps to Reproduce

• Create service principle that has necessary permissions as stated in the documentation
• Use the - task: AzureCLI@2 to deploy the resource in ADO yaml
• TF vars to allow one group to have eligible assignment on PAG group

1. terraform apply

Important Factoids

References

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_eligibility_schedule

• #0000

[tehho]

This seems to be a "bug" in azure cli login where global administrator role is not propagated using the Microsoft Azure CLI enterprise application. Suggest solution is to login using a service principal with PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup capability enabled.
We deploy using pipeline with service principal and this works for us