    limited-rainbow-51650

    6 months ago
    I'm working with our internal IT department to set up a Service Principal which has permissions to manage membership in a single Azure AD group. The Pulumi code I have is this:
    import * as azuread from "@pulumi/azuread";

    // One entry per person who should be in the group (the type was not shown in the post).
    interface MemberArgs {
        email: string;     // userPrincipalName used for the user lookup
        username: string;  // used to name the GroupMember resource
    }

    export function configureAzureADMembership(memberArgs: MemberArgs[]) {
        // Look up the target group by display name.
        let azureSsoGithubGroup = azuread.getGroupOutput({
            displayName: "Azure - SSO - Github",
            securityEnabled: true,
        });

        // forEach rather than map: the return value was never used.
        memberArgs.forEach((memberInfo) => {
            let user = azuread.getUserOutput({
                userPrincipalName: memberInfo.email,
            });

            // Membership management stays commented out until the lookups work.
            // new azuread.GroupMember(`github-sso-${memberInfo.username}`, {
            //     groupObjectId: azureSsoGithubGroup.id,
            //     memberObjectId: user.id,
            // });
        });
    }
    Before even managing the membership, I'm testing that user and group lookup work correctly. The service principal has permission Directory.Read.All, as documented here: https://www.pulumi.com/registry/packages/azuread/api-docs/getgroup/#api-permissions
    Even with this level of access, I still get this error on each user or group lookup:
    Authorization_RequestDenied: Insufficient privileges to complete the operation.
    I triple checked the values of the authentication config settings for azuread:clientId, azuread:clientSecret and azuread:tenantId and they are correct. Anyone have an idea what I might be missing?
    Found it via this SO article: https://stackoverflow.com/questions/70851465/azure-ad-group-authorization-requestdenied-insufficient-privileges-to-complet
    The permission had to be of type Application rather than Delegated.
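As an added example (not code from the original post), a small TypeScript check over an app registration manifest that reports whether Directory.Read.All is granted as Delegated ("Scope") or Application ("Role"), which is the distinction that caused the Authorization_RequestDenied above. The two Directory.Read.All permission GUIDs are assumed and the sample manifests are constructed.

```typescript
// Added example: classify Microsoft Graph permissions in an Azure AD app registration
// manifest so you can see whether Directory.Read.All is granted as Delegated ("Scope")
// or Application ("Role"). A service principal using a client secret is issued only
// Application permissions (app roles); Delegated scopes never reach its token.

type ResourceAccess = { id: string; type: "Scope" | "Role" };
type RequiredResourceAccess = { resourceAppId: string; resourceAccess: ResourceAccess[] };
type AppManifest = { requiredResourceAccess: RequiredResourceAccess[] };

// Well-known application (client) id of Microsoft Graph.
const MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000";

// Assumed ids for the two Directory.Read.All permissions; verify against the Graph permissions reference.
const GRAPH_PERMISSION_NAMES: { [id: string]: string } = {
  "06da0dbc-49e2-44d2-8312-53f166ab848a": "Directory.Read.All", // Delegated (Scope)
  "7ab1d382-f21e-4acd-a863-ba3e13f7da61": "Directory.Read.All", // Application (Role)
};

export type PermissionGrant = { name: string; kind: "Delegated" | "Application" };

// Lists every Graph permission requested by the manifest with its grant kind.
export function listGraphPermissions(manifest: AppManifest): PermissionGrant[] {
  const grants: PermissionGrant[] = [];
  for (const resource of manifest.requiredResourceAccess) {
    if (resource.resourceAppId !== MS_GRAPH_APP_ID) continue; // other APIs are ignored
    for (const access of resource.resourceAccess) {
      grants.push({
        name: GRAPH_PERMISSION_NAMES[access.id] || "unknown:" + access.id,
        kind: access.type === "Role" ? "Application" : "Delegated",
      });
    }
  }
  return grants;
}

// True only if the named permission is present as an Application permission.
export function hasApplicationPermission(manifest: AppManifest, name: string): boolean {
  return listGraphPermissions(manifest).some((g) => g.name === name && g.kind === "Application");
}

// Constructed sample manifests: the misconfigured grant (Delegated only) and the fix.
export const delegatedOnly: AppManifest = { requiredResourceAccess: [{
  resourceAppId: MS_GRAPH_APP_ID,
  resourceAccess: [{ id: "06da0dbc-49e2-44d2-8312-53f166ab848a", type: "Scope" }],
}] };
export const applicationGranted: AppManifest = { requiredResourceAccess: [{
  resourceAppId: MS_GRAPH_APP_ID,
  resourceAccess: [{ id: "7ab1d382-f21e-4acd-a863-ba3e13f7da61", type: "Role" }],
}] };
```

This only inspects what the manifest requests; an Application permission additionally needs admin consent granted in the tenant before the service principal's token carries it.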