Problem
When using the azuread_group data source with a Service Principal authenticated via a client secret or certificate, the Terraform run fails with a 403 error.
Error: No group found matching specified filter GroupsClient.BaseClient.Get(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
Example Configuration
This is an example configuration that may produce the error.
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 2.33.0, < 3.0.0"
    }
  }
}

provider "azuread" {
  ## client_id, client_secret, and tenant_id are configured
  ## as environment variables or in the provider block.
}

data "azuread_group" "test" {
  display_name = "test-group"
}

Cause
The error message from AzureAD, Insufficient privileges to complete the operation, indicates that the Service Principal used by the Terraform AzureAD provider lacks the necessary API permissions to read group information from Azure Active Directory.
You can confirm this by generating a trace log.

- Run the following command to generate a log file.

  $ TF_LOG=TRACE terraform apply 2>&1 | tee apply.log

- Search the apply.log file for AzureAD Provider access token claims. In the failing run, the roles and scp claims are empty or null, confirming that no permissions are assigned.

## Unsuccessful apply trace log
AzureAD Provider access token claims: {
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/REDACTED/",
"idp": "https://sts.windows.net/REDACTED/",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"roles": null,
"scp": "",
"sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenant_region_scope": "NA",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ver": "1.0",
"app_displayname": "name-of-service-principal",
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"idtyp": "app"
}
Solutions
Solution 1: Grant Required API Permissions to the Service Principal
To resolve this issue, you must grant the Group.Read.All and Directory.Read.All application permissions to your Service Principal in the Azure Portal and grant admin consent.
Procedure
Follow the steps outlined in the official documentation for Configuring a User or Service Principal for managing Azure Active Directory.
- In the Azure Portal, navigate to Azure Active Directory, then select App Registrations. Select your Service Principal.
- From the Essentials overview, copy the Application (client) ID and Directory (tenant) ID.
- Navigate to Certificates & secrets. Create or view a client secret and copy the secret Value.
- Configure the AzureAD provider with your credentials. You can use environment variables or define them directly in the provider block.

  To use environment variables in an sh-compatible shell, run the following commands.

  $ export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
  $ export ARM_CLIENT_SECRET="MyCl1eNtSeCr3t"
  $ export ARM_TENANT_ID="10000000-2000-3000-4000-500000000000"

  To use environment variables in PowerShell, run the following commands.

  $env:ARM_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
  $env:ARM_CLIENT_SECRET = "MyCl1eNtSeCr3t"
  $env:ARM_TENANT_ID = "10000000-2000-3000-4000-500000000000"

  Alternatively, configure the provider block directly. We recommend using sensitive input variables instead of hardcoding credentials.

  provider "azuread" {
    client_id     = "00000000-0000-0000-0000-000000000000"
    client_secret = "MyCl1eNtSeCr3t"
    tenant_id     = "10000000-2000-3000-4000-500000000000"
  }

- Navigate back to your Service Principal in the Azure Portal and select API Permissions.
- Click Add a permission, select Microsoft Graph, and then choose Application permissions.
- Search for and add the Group.Read.All and Directory.Read.All permissions.
- After adding the permissions, you must grant consent. Click the Grant admin consent for... button and confirm the action.
Outcome
After you grant the required API permissions and admin consent, running terraform apply again will succeed without the 403 error.
A new trace log will show that the roles claim in the access token now includes Group.Read.All and Directory.Read.All.
## Successful apply trace log
AzureAD Provider access token claims: {
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/REDACTED/",
"idp": "https://sts.windows.net/REDACTED/",
"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"roles": [
"Group.Read.All",
"Directory.Read.All"
],
"scp": "",
"sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tenant_region_scope": "NA",
"tid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ver": "1.0",
"app_displayname": "name-of-service-principal",
"appid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"idtyp": "app"
}
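The two trace-log inspections in this article (the diagnosis under Cause and the verification under Outcome) can be made repeatable. The following Python script is an added example written for this page; it is not part of the article or of the AzureAD provider. It relies only on the "AzureAD Provider access token claims:" marker and the two permission names shown above; the two sample logs it runs against are constructed to mirror the excerpts on this page, with the same redacted identifiers.

```python
"""Check the Microsoft Graph token claims that the AzureAD provider writes at
TF_LOG=TRACE and report which application permissions the token is missing."""
import json
from typing import Optional

# Application permissions the azuread_group data source needs (from this article).
REQUIRED_ROLES = {"Group.Read.All", "Directory.Read.All"}

# Marker the provider logs immediately before the decoded token claims.
CLAIMS_MARKER = "AzureAD Provider access token claims:"


def extract_claims(log_text: str) -> Optional[dict]:
    """Return the claims object logged after CLAIMS_MARKER, or None if absent.

    The JSON object may be on one line or many (both forms appear in trace logs),
    so a JSON decoder is used instead of a line-oriented regex. raw_decode parses
    exactly one object and ignores whatever log text follows it.
    """
    pos = log_text.find(CLAIMS_MARKER)
    if pos == -1:
        return None
    start = log_text.find("{", pos + len(CLAIMS_MARKER))
    if start == -1:
        return None
    claims, _end = json.JSONDecoder().raw_decode(log_text, start)
    return claims


def missing_roles(claims: dict, required=REQUIRED_ROLES) -> set:
    """Return the required application permissions absent from the roles claim.

    "roles" is null when the service principal holds no application permissions
    at all (the failing run above), so None is treated as an empty list.
    """
    granted = set(claims.get("roles") or [])
    return set(required) - granted


def diagnose(log_text: str) -> str:
    """One-line verdict for a trace log: which permissions are missing, if any."""
    claims = extract_claims(log_text)
    if claims is None:
        return "no access token claims found; run terraform with TF_LOG=TRACE"
    missing = missing_roles(claims)
    if missing:
        return "missing application permissions: " + ", ".join(sorted(missing))
    return "required application permissions present: " + ", ".join(sorted(REQUIRED_ROLES))


# Constructed sample logs, modelled on the two excerpts in this article.
# Single-line form with a log prefix, as the failing run prints it.
FAILING_LOG = (
    '2023-01-01T00:00:00.000Z [DEBUG] provider.terraform-provider-azuread: '
    'AzureAD Provider access token claims: {"aud": "https://graph.microsoft.com", '
    '"oid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "roles": null, "scp": "", '
    '"app_displayname": "name-of-service-principal", "idtyp": "app"}\n'
    '2023-01-01T00:00:01.000Z [ERROR] GroupsClient.BaseClient.Get(): unexpected status 403 '
    'with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.\n'
)

# Multi-line form, as the successful run prints it.
SUCCESSFUL_LOG = """## Successful apply trace log
AzureAD Provider access token claims: {
"aud": "https://graph.microsoft.com",
"roles": [
"Group.Read.All",
"Directory.Read.All"
],
"scp": "",
"app_displayname": "name-of-service-principal",
"idtyp": "app"
}
"""

if __name__ == "__main__":
    import sys

    # Pass the path of a real apply.log; without one, the constructed failing log is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FAILING_LOG
    print(diagnose(text))
```

Run it as `python check_claims.py apply.log` after the TF_LOG=TRACE run; a result naming missing permissions means the API permissions or the admin consent step in Solution 1 is still outstanding, while a token whose roles list contains both permissions but still yields a 403 points at a different cause.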