I'm working with our internal IT department to set up a Service Principal which has permissions to manage membership in a single Azure AD group. The Pulumi code I have is this:
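```typescript
import * as azuread from "@pulumi/azuread";

// MemberArgs is defined elsewhere in the project; only `email` and `username` are used here.
export function configureAzureADMembership(memberArgs: MemberArgs[]) {
    // Look up the existing group by display name.
    let azureSsoGithubGroup = azuread.getGroupOutput({
        displayName: "Azure - SSO - Github",
        securityEnabled: true,
    });

    memberArgs.map((memberInfo) => {
        // Look up each user by user principal name.
        let user = azuread.getUserOutput({
            userPrincipalName: memberInfo.email
        });

        // Membership management stays disabled until the lookups succeed.
        // new azuread.GroupMember(`github-sso-${memberInfo.username}`, {
        //     groupObjectId: azureSsoGithubGroup.id,
        //     memberObjectId: user.id,
        // });
    });
}
```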
Before even managing the membership, I'm testing that user and group lookup work correctly. The service principal has permission
, as documented here: https://www.pulumi.com/registry/packages/azuread/api-docs/getgroup/#api-permissions Even with this level of access, I still get this error on each user or group lookup:
Authorization_RequestDenied: Insufficient privileges to complete the operation.
I triple checked the values of the authentication config settings for
and they are correct. Does anyone have an idea what I might be missing?
Found it via this SO article: https://stackoverflow.com/questions/70851465/azure-ad-group-authorization-requestdenied-insufficient-privileges-to-complet The permission had to be of type
rather than