
Insufficient privileges to complete the operation - groups with isAssignableToRole set to True #140

Open
Ellestad1995 opened this issue Jun 13, 2024 · 7 comments
Assignees
Labels
bug Something isn't working graph-platform triaged Team has triaged the item

Comments

@Ellestad1995

Bicep version
Run bicep --version via the Bicep CLI, az bicep version via the AZ CLI

PS: ~:bicep --version
Bicep CLI version 0.28.1 (ba1e9f8c1e)

PS: ~:az bicep version  
Bicep CLI version 0.28.1 (ba1e9f8c1e)

Resource and API version
Which Microsoft.Graph resource and API version has the issue?

Microsoft.Graph/groups@v1.0

Auth flow
Is the deployment interactive (e.g. with a signed in user) or automated (e.g. with an application)?

Both - ServicePrincipal and Signed in user

Deployment details
If it's related to deployment failures, please provide the deployment correlation id, Microsoft Graph client request id, and deployment timestamp if applicable.

{
  "status": "Failed",
  "error": {
    "code": "DeploymentFailed",
    "target": "/subscriptions/xxxx-xxxxx-xxxxx-xxxxx/providers/Microsoft.Resources/deployments/entraid-sec-groups-test",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "",
        "message": "{\"error\":{\"code\":\"Forbidden\",\"target\":\"/resources/role_tier1Analyst\",\"message\":\"Insufficient privileges to complete the operation. Graph client request id: 9335c582-d847-49e8-9079-3e4a89a5d2e0. Graph request timestamp: 2024-06-13T11:59:32Z.\"}}"
      }
    ]
  }
}

Describe the bug

Creating a Microsoft.Graph/groups resource with the property isAssignableToRole set to true, which requires an additional permission for the signed-in user/service principal, fails even though the permission is granted.

From the Groups doc: https://learn.microsoft.com/en-us/graph/templates/reference/groups?view=graph-bicep-1.0

Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups.

The service principal I'm using is granted the following Microsoft Graph permissions:

  • Directory.ReadWrite.All
  • Group.ReadWrite.All
  • RoleManagement.ReadWrite.Directory

It works fine to deploy a group without the property isAssignableToRole set to true. That would mean the permissions are in effect, I would believe?

In addition to the Microsoft Graph permissions, the service principal has the Entra ID role Privileged Role Administrator, which is also a prerequisite.

To Reproduce

  1. Create ServicePrincipal with Microsoft graph application permissions: 'RoleManagement.ReadWrite.Directory', 'Group.ReadWrite.All', 'Directory.ReadWrite.All' (Remember Global Admin consent)
  2. Create a Microsoft.Graph/groups resource:
targetScope = 'subscription'

// Bicep 0.28.x syntax for enabling the Microsoft Graph Bicep extension
provider microsoftGraph

resource groupExample 'Microsoft.Graph/groups@v1.0' = {
  displayName: 'Example Group'
  description: 'Example Group'
  // Setting this requires RoleManagement.ReadWrite.Directory plus Global Administrator
  // or Privileged Role Administrator on the caller (see the groups doc quoted above)
  isAssignableToRole: true
  mailEnabled: false
  mailNickname: 'example-group'
  securityEnabled: true
  uniqueName: 'example-group'
}
az login --service-principal --username '1234' --password '1234' --tenant '1234'

az deployment sub create --name 'entraid-sec-groups-test' --template-file .\(unknown).bicep --location 'NorwayEast'

Additional context
Add any other context about the problem here. For example, what permissions does the identity have if it's a permission issue?
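Two offline checks that belong in a triage of this failure, written as an added example rather than code from the issue or from the Graph Bicep extension: first, unwrap the Microsoft Graph error that ARM embeds as a JSON string inside error.details[].message, so the Graph client request id and timestamp the issue template asks for can be pulled out reliably; second, compare an identity's Graph app-role assignments and Entra directory-role memberships against what the groups reference requires for isAssignableToRole. The deployment result is the one from this issue; the service principal object id, the app-role-assignment list and the directory-role list are constructed inputs standing in for the responses of /servicePrincipals/{id}/appRoleAssignments and /directoryRoles?$expand=members. The permission and role-template GUIDs are the well-known Microsoft Graph / Entra built-in values.

```python
"""Offline triage for a failed Microsoft Graph Bicep deployment (added example)."""
import json
import re

# Well-known Microsoft Graph application-permission (app role) ids.
REQUIRED_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8",
    "Group.ReadWrite.All": "62a82d76-70ea-41e2-9197-370581804d09",
    "Directory.ReadWrite.All": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",
}
# Entra built-in role template ids allowed to set isAssignableToRole.
ADMIN_ROLE_TEMPLATES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
}

_REQ_ID = re.compile(r"Graph client request id: ([0-9a-fA-F-]{36})")
_TS = re.compile(r"Graph request timestamp: ([0-9TZ:+-]+)")


def unwrap_graph_errors(deployment_result):
    """Return one dict per Graph error nested inside an ARM deployment result."""
    found = []
    for detail in deployment_result.get("error", {}).get("details", []):
        try:
            inner = json.loads(detail.get("message", ""))["error"]  # JSON-in-a-string
        except (ValueError, KeyError, TypeError):
            continue  # an ordinary ARM detail, not a Graph error
        text = inner.get("message", "")
        req, ts = _REQ_ID.search(text), _TS.search(text)
        found.append({
            "code": inner.get("code"),
            "target": inner.get("target"),  # the Bicep symbolic resource name
            "request_id": req.group(1) if req else None,
            "timestamp": ts.group(1) if ts else None,
        })
    return found


def check_role_assignable_prereqs(principal_id, app_role_assignments, directory_roles):
    """Evaluate the caller-side prerequisites the groups doc lists for isAssignableToRole.

    Caveat: this only sees the caller's grants. When the call goes through the Graph
    Bicep extension, the extension's own delegated scopes also apply (the maintainer's
    preliminary finding in this thread), and those are not visible here.
    """
    granted = {a["appRoleId"] for a in app_role_assignments
               if a.get("resourceDisplayName") == "Microsoft Graph"}
    missing = sorted(n for n, rid in REQUIRED_APP_ROLES.items() if rid not in granted)
    held = {r["roleTemplateId"] for r in directory_roles
            if any(m.get("id") == principal_id for m in r.get("members", []))}
    admin = sorted(n for n, tid in ADMIN_ROLE_TEMPLATES.items() if tid in held)
    return {"missing_app_roles": missing, "admin_roles": admin,
            "ok": not missing and bool(admin)}


# The deployment result from this issue, rebuilt with the same nesting ARM produces.
_GRAPH_ERROR_TEXT = ("Insufficient privileges to complete the operation. "
                     "Graph client request id: 9335c582-d847-49e8-9079-3e4a89a5d2e0. "
                     "Graph request timestamp: 2024-06-13T11:59:32Z.")
SAMPLE_DEPLOYMENT_RESULT = {
    "status": "Failed",
    "error": {
        "code": "DeploymentFailed",
        "target": "/subscriptions/xxxx-xxxxx-xxxxx-xxxxx/providers/Microsoft.Resources"
                  "/deployments/entraid-sec-groups-test",
        "message": "At least one resource deployment operation failed.",
        "details": [{"code": "", "message": json.dumps({"error": {
            "code": "Forbidden", "target": "/resources/role_tier1Analyst",
            "message": _GRAPH_ERROR_TEXT}})}],
    },
}

# Constructed Graph responses: a service principal (object id is made up) holding all
# three app permissions and a membership in Privileged Role Administrator.
SP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": rid, "resourceDisplayName": "Microsoft Graph", "principalId": SP_ID}
    for rid in REQUIRED_APP_ROLES.values()
]
SAMPLE_DIRECTORY_ROLES = [
    {"displayName": "Privileged Role Administrator",
     "roleTemplateId": ADMIN_ROLE_TEMPLATES["Privileged Role Administrator"],
     "members": [{"id": SP_ID}]},
]

if __name__ == "__main__":
    for e in unwrap_graph_errors(SAMPLE_DEPLOYMENT_RESULT):
        print(f"{e['code']} on {e['target']}: request id {e['request_id']} at {e['timestamp']}")
    print(check_role_assignable_prereqs(SP_ID, SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_DIRECTORY_ROLES))
    # Same identity without the Entra role: Graph permissions alone are not enough.
    print(check_role_assignable_prereqs(SP_ID, SAMPLE_APP_ROLE_ASSIGNMENTS, []))
```

The second function matches on roleTemplateId rather than on display names because template ids are stable across tenants, and it only counts app roles granted on the Microsoft Graph resource, since a RoleManagement.ReadWrite.Directory grant on another API would not satisfy the requirement.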

@Ellestad1995 Ellestad1995 added the bug Something isn't working label Jun 13, 2024
@dkershaw10 dkershaw10 self-assigned this Jun 13, 2024
@dkershaw10
Collaborator

dkershaw10 commented Jun 13, 2024

Thanks @Ellestad1995.
Preliminary investigation suggests that the Graph Bicep Extension is missing the RoleManagement.ReadWrite.Directory delegated permission to enable this scenario.

@dkershaw10 dkershaw10 assigned jason-dou and unassigned dkershaw10 Jun 13, 2024
@dkershaw10
Collaborator

@Ellestad1995 Follow up question on the scenario. Are you also expecting to be able to assign this role assignable group to an Entra ID role, using Bicep? Does this mean you also need Entra role assignment and/or PIM for Groups?

@Ellestad1995
Author

@dkershaw10 Thanks for following up. For now I'm only concerned about creating a group which can be role assignable. Assigning roles to the groups would be great, but I guess that needs to be handled some other way for now.

@dkershaw10
Collaborator

Yes - it will need to be handled outside of Bicep for now :(
However, if you do want to manage the role assignments (like is possible for Azure roles) then I recommend you upvote (thumbs-up) #123.

@abunnyuk

abunnyuk commented Aug 23, 2024

I'd love for this to be implemented but sadly the documentation states that it's not currently supported.

https://learn.microsoft.com/en-us/graph/templates/limitations#deploying-role-assignable-groups-is-not-supported

@dkershaw10 dkershaw10 added triaged Team has triaged the item graph-platform labels Aug 23, 2024
@dkershaw10
Collaborator

@abunnyuk Totally understand and I would love this to be fixed too. Please go ahead and upvote this issue. This is a Microsoft Graph platform issue that we are working on with a partner team. More comments like this will help prioritize the work for our partner team.

@pattisanta

I also create a group with isAssignableToRole set to true. Does anyone know when this will be fixed/updated?

Thanks,
Patti
