Read-only permissions insufficient for azuread_directory_role_eligibility_schedule_request when generating a Terraform plan #1827

@sandra-bee

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Affected Resource(s)

  • azuread_directory_role_eligibility_schedule_request

Terraform Configuration Files

resource "azuread_directory_role" "license_admin" {
  display_name = "License Administrator"
}

resource "azuread_directory_role_eligibility_schedule_request" "assign_license_admin_to_license_team" {
  role_definition_id = azuread_directory_role.license_admin.template_id
  principal_id       = "<license_team_obj_id>"
  directory_scope_id = "/"  # Directory scope
  justification      = "License team need permissions to manage licenses."
}

Debug Output

Panic Output

Expected Behavior

Generating a Terraform plan does not modify any resources, so it should be possible with just the RoleEligibilitySchedule.Read.Directory role (i.e. read permissions only).

Actual Behavior

Generating a Terraform plan using a service principal assigned the RoleEligibilitySchedule.Read.Directory role yields the following error:

╷
│ Error: Retrieving Role Management Directory Role Eligibility Schedule Request (Unified Role Eligibility Schedule Request: "<req-id>")
│ 
│   with azuread_directory_role_eligibility_schedule_request.assign_license_admin_to_license_team,
│   on main.tf line 902, in resource "azuread_directory_role_eligibility_schedule_request" "assign_license_admin_to_license_team":
│  902: resource "azuread_directory_role_eligibility_schedule_request" "assign_license_admin_to_license_team" {
│ 
│ unexpected status 403 (403 Forbidden) with error: UnknownError:
│ {"errorCode":"PermissionScopeNotGranted","message":"Authorization failed
│ due to missing permission scope
│ RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,RoleEligibilitySchedule.Remove.Directory.","instanceAnnotations":[]}
╵

The additional write permissions contained in RoleEligibilitySchedule.ReadWrite.Directory seem to be necessary to generate a Terraform plan, even though the Terraform plan does not make any changes to the resources. According to the least-privilege principle, we would like to use read-only permissions when generating a Terraform plan - not unnecessary and additional write permissions.
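The 403 body above names the permission scopes Microsoft Graph was looking for. When triaging this kind of failure for a plan-only service principal, it helps to pull those scopes out of the error and compare them with what the principal has actually been granted, so the gap (and the least-privilege choice to close it) is explicit rather than guessed. The script below is an added example written for this issue, not part of the provider or the reporter's configuration; it embeds the error body from this issue as a constructed sample and assumes (this is not stated on the page) that the comma-separated scope list is a set of alternatives, any one of which satisfies the call. It also illustrates the reproduction steps: a principal holding only RoleEligibilitySchedule.Read.Directory does not match any listed scope.

```python
import json
import re

# Constructed sample: the 403 body surfaced by the AzureAD provider in this
# issue, embedded as a string so the check runs offline.
SAMPLE_403_BODY = (
    '{"errorCode":"PermissionScopeNotGranted","message":"Authorization failed '
    'due to missing permission scope '
    'RoleEligibilitySchedule.ReadWrite.Directory,RoleManagement.ReadWrite.Directory,'
    'RoleEligibilitySchedule.Remove.Directory.","instanceAnnotations":[]}'
)

# Permissions the plan-only principal from the reproduction steps holds.
PLAN_ONLY_GRANTS = ["RoleEligibilitySchedule.Read.Directory"]


def required_scopes(body):
    """Return the permission scopes named in a PermissionScopeNotGranted error.

    Assumption (not stated on the page): the comma-separated list is a set of
    alternatives, any one of which would have satisfied the Graph call.
    Returns an empty list for any other error code or an unparseable message.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if data.get("errorCode") != "PermissionScopeNotGranted":
        return []
    # The message ends the scope list with a trailing full stop; strip it.
    match = re.search(r"missing permission scope\s+(.+?)\.?$", data.get("message", ""))
    if not match:
        return []
    return [scope.strip() for scope in match.group(1).split(",") if scope.strip()]


def permission_gap(granted, body):
    """Compare granted permissions with the scopes the error demands.

    Returns (satisfied, scopes): satisfied is True when at least one required
    scope is already granted; scopes lists the granted scopes that match, or,
    when none match, every scope that would close the gap.
    """
    required = required_scopes(body)
    matching = sorted(set(granted) & set(required))
    if matching:
        return True, matching
    return False, required


if __name__ == "__main__":
    ok, scopes = permission_gap(PLAN_ONLY_GRANTS, SAMPLE_403_BODY)
    if ok:
        print("granted scope satisfies the call:", ", ".join(scopes))
    else:
        print("no granted scope matches; Graph accepts any one of:")
        for scope in scopes:
            print("  -", scope)
```

Run it as-is to see the three alternatives from the issue's error listed against the read-only grant; to apply it to a real principal, replace PLAN_ONLY_GRANTS with the application permissions you have actually consented to for that service principal.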

Steps to Reproduce

  1. Grant the service principal running the Terraform code the RoleEligibilitySchedule.Read.Directory role.
  2. terraform plan

Important Factoids

References
