Hey everyone,
I'm new to this community and preparing for the Terraform Associate Certification. I'm currently working on a project where I would like to enable PIM for the AD groups and add users as Eligible assignment members under the group. I tried looking for a HashiCorp provider resource where I can enable or activate PIM for the AD groups, but I don't find one. For the AD group where I enabled PIM manually, I used the resource block azuread_privileged_access_group_eligibility_schedule to add a user as a member with an Eligible assignment. But I received the following error.
Error: creating eligibility schedule request: unexpected status 403 (403 Forbidden) with error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.","instanceAnnotations":[]}

  with azuread_privileged_access_group_eligibility_schedule.example,
  on mainssogroupattachmentmodulevars.tf line 1, in resource "azuread_privileged_access_group_eligibility_schedule" "example":
   1: resource "azuread_privileged_access_group_eligibility_schedule" "example" {

creating eligibility schedule request: unexpected status 403 (403 Forbidden) with error: UnknownError: {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed due to missing permission scope PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup,PrivilegedAccess.ReadWrite.AzureADGroup.","instanceAnnotations":[]}
I am the Global Administrator and the owner of the respective AD group, but the issue still exists. I can do this manually without any issues but face the error only when I try to do this via Terraform. From the HashiCorp GitHub page, I learnt that a case is open with no updates so far. The link is for your reference: azuread_privileged_access_group_eligibility_schedule - permissions error despite graph and Entra role applied to service prinicple · Issue #1386 · hashicorp/terraform-provider-azuread · GitHub. Does the limitation mentioned in the link still exist? In such a case, do we have any workaround, or do we need to add the user assignment manually? Appreciate your suggestions to progress further. Thanks a lot.
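One check worth running before chasing the provider issue, added here as an example and not part of the post or of the azuread provider: when the provider authenticates as a service principal (client secret or certificate), your own Global Administrator role is not in play, and the service principal must hold the Microsoft Graph application permission with admin consent. The script below (my own code) reads two Graph responses saved from `az rest --method GET --url ...` and reports which of the two permission names quoted in the 403 the service principal actually holds as application roles; the service principal object id, file names and GUIDs in the sample are placeholders I constructed.

```python
import json
import sys

# Well-known appId of Microsoft Graph's service principal (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# The two permission names listed in the provider's 403 error.
REQUIRED_ROLES = ("PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup",
                  "PrivilegedAccess.ReadWrite.AzureADGroup")


def check_graph_app_roles(graph_sp, assignments, required=REQUIRED_ROLES):
    """Which of `required` does the Terraform SP hold as *application* roles on Graph?
    graph_sp:    JSON of GET /v1.0/servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'
    assignments: JSON of GET /v1.0/servicePrincipals/<terraform-sp-object-id>/appRoleAssignments
    """
    graph = graph_sp["value"][0]
    # appRoleId -> permission name, application roles only: delegated scopes
    # (oauth2PermissionScopes) are not usable by a client-credentials login.
    app_roles = {r["id"]: r["value"] for r in graph.get("appRoles", [])
                 if "Application" in r.get("allowedMemberTypes", [])}
    granted = {app_roles[a["appRoleId"]] for a in assignments.get("value", [])
               if a.get("resourceId") == graph["id"] and a.get("appRoleId") in app_roles}
    required = set(required)
    return {"granted": sorted(required & granted), "missing": sorted(required - granted)}


# Constructed sample responses (placeholder GUIDs, not real tenant data): the SP holds
# PrivilegedAccess.ReadWrite.AzureADGroup but not PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup.
GRAPH_SP_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_GRAPH_SP = {"value": [{"id": GRAPH_SP_ID, "appId": GRAPH_APP_ID, "appRoles": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "allowedMemberTypes": ["Application"],
     "value": "PrivilegedAccess.ReadWrite.AzureADGroup"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "allowedMemberTypes": ["Application"],
     "value": "PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup"},
]}]}
SAMPLE_ASSIGNMENTS = {"value": [
    {"appRoleId": "aaaaaaaa-0000-0000-0000-000000000001", "resourceId": GRAPH_SP_ID,
     "principalId": "22222222-2222-2222-2222-222222222222"},
]}

if __name__ == "__main__":
    # Usage: python check_pim_roles.py graph_sp.json assignments.json (saved `az rest` output);
    # with no arguments the constructed sample is evaluated instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            graph_sp, assignments = json.load(f1), json.load(f2)
    else:
        graph_sp, assignments = SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS
    print(json.dumps(check_graph_app_roles(graph_sp, assignments), indent=2))
```

If a role shows up under "missing" even though it was consented in the portal, check whether it was granted as a delegated permission rather than an application permission, which this check deliberately ignores.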