# azure
I'm working with our internal IT department to set up a Service Principal which has permissions to manage membership in a single Azure AD group. The Pulumi code I have is this:
```typescript
import * as azuread from "@pulumi/azuread";

// Shape of the caller's input: one entry per user to be added to the group.
interface MemberArgs {
    email: string;     // userPrincipalName used for the directory lookup
    username: string;  // only used to name the Pulumi resource
}

export function configureAzureADMembership(memberArgs: MemberArgs[]) {
    // Look up the target group by display name. getGroupOutput returns an
    // Output, so the Graph call happens when the program runs, not here.
    const azureSsoGithubGroup = azuread.getGroupOutput({
        displayName: "Azure - SSO - Github",
        securityEnabled: true,
    });

    // forEach rather than map: the callback is used only for its side effects.
    memberArgs.forEach((memberInfo) => {
        const user = azuread.getUserOutput({
            userPrincipalName: memberInfo.email,
        });

        // Membership management, left disabled while the lookups are being tested.
        // new azuread.GroupMember(`github-sso-${memberInfo.username}`, {
        //     groupObjectId: azureSsoGithubGroup.id,
        //     memberObjectId: user.id,
        // });
    });
}
```
Before even managing the membership, I'm testing that user and group lookup work correctly. The service principal has permission `Directory.Read.All`, as documented here: https://www.pulumi.com/registry/packages/azuread/api-docs/getgroup/#api-permissions. Even with this level of access, I still get this error on each user or group lookup:
```
Authorization_RequestDenied: Insufficient privileges to complete the operation.
```
I triple checked the values of the authentication config settings for `azuread:clientId`, `azuread:clientSecret` and `azuread:tenantId` and they are correct. Anyone have an idea what I might be missing?
Found it via this SO article: https://stackoverflow.com/questions/70851465/azure-ad-group-authorization-requestdenied-insufficient-privileges-to-complet. The permission had to be of type `Application` rather than `Delegated`.