Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureAD Provider) Version
Affected Resource(s)
azuread_privileged_access_group_eligibility_schedule
Service principal has the roles that have been stated in the error for Graph and also has Privileged Role Admin
Error: Could not create assignment schedule request, PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post(): unexpected status 403 with OData error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
│
│ with azuread_privileged_access_group_eligibility_schedule.example["xxxx"],
│ on roles.tf line 8, in resource "azuread_privileged_access_group_eligibility_schedule" "example":
│ 8: resource "azuread_privileged_access_group_eligibility_schedule" "example" {
│
│ Could not create assignment schedule request,
│ PrivilegedAccessGroupEligibilityScheduleRequestsClient.BaseClient.Post():
│ unexpected status 403 with OData error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed
│ due to missing permission scope
│ PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}
╵
Panic Output
Expected Behavior
Should have created the eligible assignment for the group
Actual Behavior
Failed with the above error
Steps to Reproduce
Create a service principal that has the necessary permissions as stated in the documentation
Use the - task: AzureCLI@2 step to deploy the resource in ADO YAML
TF vars to allow one group to have an eligible assignment on the PAG group
terraform apply
This seems to be a "bug" in Azure CLI login where the Global Administrator role is not propagated when using the Microsoft Azure CLI enterprise application. The suggested solution is to log in using a service principal with the PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup capability enabled.
We deploy using a pipeline with a service principal and this works for us.
Important Factoids
References
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/privileged_access_group_eligibility_schedule
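As an added example (not code from the provider, the reporter, or the commenter), a shell helper that pulls the scope names out of the PermissionScopeNotGranted error quoted above and checks, for a service principal object id you supply, whether each named Microsoft Graph application permission has actually been granted to that identity. That grant is what the suggested fix in the comment relies on; it assumes a logged-in az CLI that may read service principals.

```shell
#!/usr/bin/env bash
# Added triage helper for the 403 in this issue (not part of the provider or the reporter's config).
# Assumes: az CLI is installed and logged in as an identity allowed to read service principals.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # well-known app id of Microsoft Graph

# Constructed sample: the OData error body exactly as quoted in the report.
SAMPLE_ERROR='{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup,PrivilegedEligibilitySchedule.Remove.AzureADGroup.","instanceAnnotations":[]}'

# Extract the comma-separated scope names from a PermissionScopeNotGranted message, one per line.
missing_scopes() {
  printf '%s\n' "$1" \
    | sed -n 's/.*missing permission scope \([A-Za-z.,]*\)\.".*/\1/p' \
    | tr ',' '\n'
}

# Resolve the appRole id that Graph publishes for an application-permission name
# (e.g. PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup).
graph_app_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$1'].id | [0]" -o tsv
}

# True when the service principal ($1 = its object id) holds an admin-consented
# appRoleAssignment for the Graph application permission named in $2.
# Requesting the permission on the app registration is not enough; the assignment must exist.
sp_has_role_granted() {
  local role_id
  role_id=$(graph_app_role_id "$2")
  [ -n "$role_id" ] || return 1
  az rest --method GET \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignments" \
    --query "value[?appRoleId=='$role_id'] | length(@)" -o tsv | grep -qv '^0$'
}

# Report, for each scope the error names, whether the pipeline identity actually holds it.
# Usage: triage <service-principal-object-id> [error-json]
triage() {
  local sp_oid=$1 err=${2:-$SAMPLE_ERROR} scope
  missing_scopes "$err" | while read -r scope; do
    if sp_has_role_granted "$sp_oid" "$scope"; then
      echo "granted:     $scope"
    else
      echo "NOT granted: $scope"
    fi
  done
}
```

An Azure CLI user login in the pipeline will show every scope as not granted, because the token is issued to the first-party Azure CLI application rather than to your service principal, which is the situation the comment describes.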