Stack fails with microsoftGraph provider #169

Closed
antsok opened this issue Jun 17, 2024 · 9 comments

@antsok

antsok commented Jun 17, 2024

Describe the bug
Deploying a stack at the subscription level with the microsoftGraph provider in Bicep fails with the error `Insufficient privileges to complete the operation. Graph client request id: b63ad977-1969-4207-ba5b-74353803edb5. Graph request timestamp: 2024-06-17T22:39:56Z. (Code: Forbidden)`

To Reproduce
Steps to reproduce the behavior:

  • Ensure identity can create security groups.
  • Start deployment with `az stack sub create --deny-settings-mode None --action-on-unmanage deleteAll --yes --name 'graph01' --location 'swedencentral' --template-file .\main.bicep --parameters entraGroupName='testGroup2' resourceGroupName='exp02-graph-rg'`

Expected behavior
Deployment succeeds.

Repro Environment
Host OS: Windows 11
Powershell Version: 7.4.2

Server Debugging Information
Correlation ID: 3d7952c0-c5e5-453c-ade2-69bc6c140322
Tenant ID: 74b5511e-1df2-48b9-a2df-a3b95c48c680
Timestamp of issue (please include time zone): 2024-06-17T22:39:56Z
Data Center (eg, West Central US, West Europe): swedencentral

Additional context
Trying in 'eastus' region gives the same problem.
Deploying with 'az deployment ...' succeeds. Example command: `az deployment sub create --name 'graph04' --location 'swedencentral' --template-file main.bicep --parameters entraGroupName='testGroup4' resourceGroupName='exp04-graph-rg'`

main.bicep

```bicep
targetScope = 'subscription'

param location string = deployment().location

param resourceGroupName string

param entraGroupName string

// Resource group that hosts the user-assigned managed identity
resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: resourceGroupName
  location: location
}

// User-assigned managed identity from the Azure Verified Modules registry
module uami 'br/public:avm/res/managed-identity/user-assigned-identity:0.2.1' = {
  scope: resourceGroup
  name: '${deployment().name}-${resourceGroupName}'
  params: {
    name: uniqueString(resourceGroup.name)
  }
}

provider microsoftGraph

// Entra ID security group owned by the managed identity
resource exampleGroup 'Microsoft.Graph/groups@v1.0' = {
  displayName: entraGroupName
  mailEnabled: false
  mailNickname: entraGroupName
  securityEnabled: true
  uniqueName: entraGroupName
  owners: [
    uami.outputs.principalId
  ]
}
```

@slavizh
Collaborator

slavizh commented Jun 18, 2024

Stacks are not supported by Microsoft Graph. This is listed as one of the known issues in official docs.
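
A pre-flight check for the limitation described above, as an added example that is not part of the original thread or the project's code: it scans a Bicep template for the `provider microsoftGraph` declaration or `Microsoft.Graph/...` resource types and picks `az deployment sub create` over `az stack sub create`. The function names and the sample template are constructed for illustration, and the scan does not follow module references.

```python
import re

# Constructed sample, reduced from the issue's main.bicep.
SAMPLE_BICEP = """\
targetScope = 'subscription'
param entraGroupName string
// provider microsoftGraph   (commented out, must not count)
provider microsoftGraph

resource exampleGroup 'Microsoft.Graph/groups@v1.0' = {
  displayName: entraGroupName
  uniqueName: entraGroupName
}
"""

# Single-line string literals are matched first so '//' inside them is kept.
_TOKEN = re.compile(r"'(?:\\.|[^'\\\n])*'|/\*.*?\*/|//[^\n]*", re.S)
_PROVIDER = re.compile(r"^\s*provider\s+microsoftGraph\b", re.M)
_RESOURCE = re.compile(
    r"^\s*resource\s+(\w+)\s+'(Microsoft\.Graph/[^'@]+)@([^']+)'", re.M
)


def strip_comments(src):
    """Blank out // and /* */ comments, leaving string literals untouched."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith("'") else " ", src
    )


def graph_usage(src):
    """Report the Graph provider declaration and Graph resources in a template."""
    code = strip_comments(src)
    return {
        "provider": bool(_PROVIDER.search(code)),
        "resources": [m.groups() for m in _RESOURCE.finditer(code)],
    }


def deploy_command(src):
    """Use a plain deployment when the template touches Microsoft Graph."""
    usage = graph_usage(src)
    if usage["provider"] or usage["resources"]:
        return "az deployment sub create"
    return "az stack sub create"


if __name__ == "__main__":
    print(graph_usage(SAMPLE_BICEP), deploy_command(SAMPLE_BICEP))
```
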

@antsok
Author

antsok commented Jun 20, 2024

@slavizh I searched the deployment stacks docs before posting it, but the limitation is not listed there https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-stacks?tabs=azure-powershell#known-limitations

But I now see that you are right - official docs of graph extension list it https://learn.microsoft.com/en-us/graph/templates/known-issues-graph-bicep#deployment-error-this-application-0-isnt-authorized-to-call-microsoft-graph-using-a-bicep-template

Maybe adding one line into deployment stacks docs would help people like me.

@slavizh
Collaborator

slavizh commented Jun 21, 2024

@slavizh
Collaborator

slavizh commented Jun 21, 2024

@antsok I am also not a Microsoft employee and not responsible for Microsoft Learn docs. Additionally, any Graph for Bicep issues should be logged here: https://github.com/microsoftgraph/msgraph-bicep-types/issues

@antsok
Author

antsok commented Jun 22, 2024

> @antsok I am also not a Microsoft employee and not responsible for Microsoft Learn docs. Additionally, any Graph for Bicep issues should be logged here: https://github.com/microsoftgraph/msgraph-bicep-types/issues

Hi there,

I appreciate your comments, but my proposal for docs clarification was to repo owners ;)

@azcloudfarmer
Contributor

Hi @antsok and @slavizh - this is being added to our known issues in our public docs. Update in progress

@mumian
Collaborator

mumian commented Jun 27, 2024

@azcloudfarmer - the article has been updated. You can close this issue.

@andreibicu

> Stacks are not supported by Microsoft Graph. This is listed as one of the known issues in official docs.

It would be very helpful to know if someone is working on it. An estimation is beyond my wishes.

@alex-frankel
Contributor

@andreibicu - the design for this is underway now and can be tracked here in this REP: Azure/bicep-reps#6

@kalbert312 / @azcloudfarmer / @snarkywolverine / @stephaniezyen - when the design is done and we determine an ETA, can we make sure we note that somewhere? I'm not sure if the REP is the right spot for that or if there should be an issue in this repo.
