Unable to read managementGroup "Tenant Root Group"

SecGlad 41 Reputation points
2023-08-23T08:11:46.1166667+00:00

I have an Azure Subscription which is created in the default management group (Root Tenant Group). I am trying to read the information of this subscription and management group using `data "azurerm_management_group" "xx"`, but I am getting an unauthorized error: reading Management Group (Display Name "Tenant Root Group"): listing Management Groups: managementgroups.Client#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" ""

Message="The client '' with object id '' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management' or the scope is invalid

In case I use the management group UUID

name  = "00000000-0000-0000-0000-000000000000"

I get the error Management Group "" was not found

I have Security Reader access on the management group and only the Owner is above me. I am also a Contributor at the subscription level.

Is there a way to troubleshoot this?

PS: Because of a module dependency limitation I am using an older version of azurerm, v2.95.0.

Expecting a management group id to be read using Terraform code.


1 answer

Erkan Sahin 840 Reputation points
2023-08-23T08:43:18.61+00:00

Hi SecGlad!

403 Unauthorized Error:

Permissions: Even though you have Security Reader access on the management group and Contributor access at the subscription level, ensure you have the necessary permissions to read the management group. The error suggests a lack of authorization for the Microsoft.Management/managementGroups/read action.

Service Principal: If you're using a service principal with Terraform, ensure it has the required permissions. Sometimes, permissions granted to a user are not the same as those granted to a service principal.

Management Group Not Found:

UUID: The UUID 00000000-0000-0000-0000-000000000000 is typically a placeholder. Ensure you're using the correct UUID for the Tenant Root Group.

Terraform Version: You mentioned using an older version of the azurerm provider (v2.95.0). Consider testing with a newer version in a separate environment to see if the issue persists.

Troubleshooting Steps:

1. First, try accessing the management group directly from the Azure Portal to ensure it's visible and accessible.
2. Use Azure CLI to list and access management groups. This can help determine if the issue is specific to Terraform or a broader Azure access issue.
3. Run Terraform with the TF_LOG=DEBUG or TF_LOG=TRACE environment variable to get detailed logs. This can provide more insights into the issue.
4. Review the RBAC settings in Azure to ensure your user or service principal has the necessary permissions. Sometimes, explicit permissions might be needed, even if you have higher-level access.

I hope my answer helped you - if so please mark it :-)
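The two checks the answer recommends (which identity Terraform is really running as, and which management group ID to use) can be expressed directly in Terraform. The following is an added example, not code from the question, the answer, or the azurerm provider's documentation. It assumes the azurerm provider is already configured and relies on two facts: the Tenant Root Group's name (its ID) is the Azure AD tenant ID, not a placeholder GUID, and the error text on this page shows that looking a group up by `display_name` makes the provider list every management group at `/providers/Microsoft.Management`, while looking it up by `name` reads only that one group.

```hcl
# Added example (not from the question or answer above). Assumes the azurerm
# provider is configured with the same credentials Terraform used when the
# 403 was raised.

data "azurerm_client_config" "current" {}

# Check 1: which identity is Terraform authenticating as?
# Compare object_id with the "object id" in the AuthorizationFailed message.
# If they differ, Terraform is running as a service principal (or another
# user) that does not carry the role assignments you hold yourself.
output "caller" {
  value = {
    client_id = data.azurerm_client_config.current.client_id
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
  }
}

# Check 2: read the Tenant Root Group by name instead of display_name.
# The root group's name is the tenant ID, so no hard-coded GUID is needed.
# A lookup by name performs a GET on that single management group and only
# needs Microsoft.Management/managementGroups/read at that scope; a lookup by
# display_name lists all management groups at /providers/Microsoft.Management,
# which is the call that produced the 403 in the question.
data "azurerm_management_group" "root" {
  name = data.azurerm_client_config.current.tenant_id
}

output "root_management_group" {
  value = {
    id               = data.azurerm_management_group.root.id
    display_name     = data.azurerm_management_group.root.display_name
    subscription_ids = data.azurerm_management_group.root.subscription_ids
  }
}
```

If the by-name read still returns 403, the identity reported in the `caller` output lacks `Microsoft.Management/managementGroups/read` at the root; the least-privilege fix is for the Owner to assign the built-in "Management Group Reader" role to that identity at scope `/providers/Microsoft.Management/managementGroups/<tenant id>`, rather than widening Contributor. The same read can be reproduced outside Terraform with `az account management-group show --name <tenant id>`, which isolates an RBAC problem from a provider-version problem.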

