Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

403 The caller is not authorized with azuread provider and identitygovernance resource using az cli auth #1069

Open
benjy44 opened this issue Apr 17, 2023 · 7 comments
Open

403 The caller is not authorized with azuread provider and identitygovernance resource using az cli auth #1069

benjy44 opened this issue Apr 17, 2023 · 7 comments
Labels
api-bug upstream-microsoft
Milestone
Blocked

Comments

@benjy44
Copy link

benjy44 commented Apr 17, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_access_package_catalog and other identity governance resources

Terraform Configuration Files

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.37.0"
    }
  }
}

data "azuread_access_package_catalog" "example" {
  object_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

Debug Output

https://gist.github.com/benjy44/987488983fe02474bbff870a690537d7

Expected Behavior

No error

Actual Behavior

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Error listing access package catalog with filter displayName eq 'My AP'
│ 
│   with data.azuread_access_package_catalog.example,
│   on test.tf line 10, in data "azuread_access_package_catalog" "example":
│   10: data "azuread_access_package_catalog" "example" {
│ 
│ AccessPackageCatalogClient.BaseClient.Get(): unexpected status 403 with OData error: UnAuthorized: User is not authorized to perform the operation. Reason: The caller is not authorized.
╵

Steps to Reproduce

  1. terraform apply

Important Factoids

I can see in the debug logs the URL not authorized:
https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Now if I tried to access this url with az I get the same error:

$ az rest --url https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/catalogs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Forbidden({"error":{"code":"UnAuthorized","message":"User is not authorized to perform the operation. Reason: The caller is not authorized.","innerError":{"date":"2023-04-15T11:14:31","request-id":"51b41bb8-b37d-4dc3-a37c-df826c7d863a","client-request-id":"51b41bb8-b37d-4dc3-a37c-df826c7d863a"}}})

If I inspect my JWT token from az account get-access-token --scope https://graph.microsoft.com/.default I do see that the scopes are limited:

"scp": "AuditLog.Read.All Directory.AccessAsUser.All email Group.ReadWrite.All openid profile User.ReadWrite.All"

I can add that using a token obtained from graph explorer, I can curl the same graph endpoint without issue, using the token from az cli I cannot curl and get 403.
The only difference between the tokens is the scope, which contains EntitlementManagement.Read.All for example in the graph explorer token.

I expect Directory.AccessAsUser.All to allow identity governance resources, however I cannot find any doc from Microsoft that would confirm this or not.

Am I correct to assume that terraform cannot work with az cli auth for identitygovernance resources due to those limited scope in the token? If so it would be nice to update the doc.

Or am I missing something else? Can anyone confirm that these identity governance resources work with az cli login as user?
@manicminer
Copy link
Contributor

@benjy44 Thanks for reporting this issue. I am able to reproduce and despite holding the Global Admin role I received the same error message. This happened on both the v1.0 and beta APIs - although the provider is using the v1.0 API for this particular data source.

Unfortunately this is either an API bug, or a documentation bug, on the part of Microsoft Graph. I have reported this upstream at microsoftgraph/msgraph-metadata#327 and would recommend opening an Azure support ticket or contact your account manager to raise this bug.

Since this is apparently an API bug, or possibly a documentation bug (although I repro'd this whilst having Global Administrator so I'm more inclined to suspect the former.), there is unfortunately nothing we can do to mitigate or resolve this problem. Its worth nothing that this doesn't happen when I authenticate with an access token for an application obtained by client credentials flow, so this might be a viable workaround, if this is an option for you.

@manicminer manicminer added this to the Blocked milestone Apr 17, 2023
@benjy44
Copy link
Author

benjy44 commented Apr 17, 2023

Thanks for the quick reply @manicminer
we'll raise the issue with our account manager and use a service principal in the meantime

@cedrox
Copy link

cedrox commented Apr 24, 2023

Hello I use a SP with Identity governance administrator role (also I tried with global admin role) and it's not working on my side anymore.
I have reported it here and today I have also an error like this

│ Error: Waiting for deletion of access package assignment policy with object ID "GUID"

│ retrieving resource: AccessPackageAssignmentPolicyClient.BaseClient.Get():
│ unexpected status 403 with OData error: UnAuthorized: User is not
│ authorized to perform the operation. Reason: Unauthorized

Thanks @benjy44 to reported it and @manicminer for pointing us the graph api bug.
I will also open a support ticket.
Thanks

@cedrox
Copy link

cedrox commented Apr 27, 2023

To work properly on Entitlement management, Azure AAD terraform provider SPN need to have 2 permissions :

  • AD Role : Identity Governance Administrator
  • Graph API delegated permission : EntitlementManagement.ReadWrite.All

It's a requirement and it should be added in the documentation

Thanks a lot to Microsoft support to help me on this case

@cedrox cedrox mentioned this issue Apr 28, 2023
Closed
@kbcz1989
Copy link

We are using following permissions:
image

Open
@The-Heyman
Copy link

I think I got the solution here:

I got the error
AADSTS65002: Consent between first party application '04b07795-8ddb-461a-bbee-02f9e1bf7b46' and first party resource '00000003-0000-0000-c000-000000000000' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 67365321-86e3-456a-8125-a58b2bb02400 Correlation ID: d3b0db94-356a-4062-89a5-afac0e36d766 Timestamp: 2024-07-31 10:41:52Z. (https://login.microsoftonline.com/error?code=65002)
when running

az login --scope https://graph.microsoft.com/EntitlementManagement.ReadWrite.All

So the missing piece is that a Global Admin needs to run this command and grant admin consent that az cli can use that permission for the tenant

@eltimmo
Copy link

eltimmo commented Nov 15, 2024

There's a recent issue been raise for this with the azure-cli team Azure/azure-cli#30149

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api-bug upstream-microsoft
Projects
None yet
Milestone
Blocked
Development

No branches or pull requests
6 participants
@manicminer @cedrox @eltimmo @The-Heyman @benjy44 @kbcz1989