AzureAD v3 - data "azuread_group" Error: Could not retrieve group members for group with object ID #1498

Closed
ti-ro opened this issue Sep 27, 2024 · 11 comments · Fixed by #1499


ti-ro commented Sep 27, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.9.6
on windows_amd64

  • provider registry.terraform.io/hashicorp/azuread v3.0.0
  • provider registry.terraform.io/hashicorp/azurerm v4.3.0
  • provider registry.terraform.io/hashicorp/random v3.6.3
  • provider registry.terraform.io/hashicorp/time v0.12.1

Affected Resource(s)

  • data azuread_group

Terraform Configuration Files

data "azuread_group" "aad_group" {
  display_name = var.aad_group_displayname
}

Debug Output

Panic Output

╷
│ Error: Could not retrieve group members for group with object ID: "/groups/xxx-xxx-xxx-xxx"
│
│   with module.EXAMPLE.data.azuread_group.aad_group,
│   on ..\..\..\..\modules\azure\EXAMPLE\iam.tf line 5, in data "azuread_group" "aad_group":
│    5: data "azuread_group" "aad_group" {
│
│ unexpected status 400 (400 Bad Request) with error: Request_BadRequest: Unexpected segment DynamicPathSegment. Expected property/$value.

Expected Behavior

Retrieve the Group information from the data source

Actual Behavior

throws an Error

Steps to Reproduce

Create a Data Resource for azuread_group, input the display name of an existing Entra Group.

  1. terraform apply

Important Factoids

None. Worked prior to 3.0.0

References

  • #0000

nixlim commented Sep 27, 2024

Yep, it's broken! Getting the same thing

@GraemeMeyerGT

I'm going to jump on with what I assume is a related issue - I get a parsing error for data.azuread_service_principal

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: expected "object_id" to be a valid UUID, got /servicePrincipals/120326c9-ca1a-4198-b326-4417d7b1fc25
│
│   with azurerm_key_vault_access_policy.terraform,
│   on az-key-vault-access-policy.tf line 12, in resource "azurerm_key_vault_access_policy" "terraform":
│   12:   object_id = data.azuread_service_principal.terraform.id
│

I've rolled back to 2.53.1 and the error goes away.

@sunevnuahs

Same here, pinning to 2.53.1 for now!

@michelefa1988

Same issue, needs to be hotfixed!!

@manicminer
Member

@ti-ro Thanks for the report, we'll get this hotfixed.

@manicminer
Member

manicminer commented Sep 27, 2024

@GraemeMeyerGT That is related, but not a bug. Please use the object_id attribute instead, e.g.

resource "azurerm_key_vault_access_policy" "example-principal" {
  key_vault_id = azurerm_key_vault.example.id
  tenant_id    = data.azurerm_client_config.current.tenant_id
  object_id    = data.azuread_service_principal.example.object_id  # <-- `object_id`, not `id`

  key_permissions = [
    "Get", "List", "Encrypt", "Decrypt"
  ]
}
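
An added example, not part of this thread or the provider's code: a small Python check that scans Terraform text for `.id` references on the `azuread_service_principal` and `azuread_group` data sources and suggests `.object_id`, following the advice in the comment above. The sample configuration is constructed, and including `azuread_group` is an assumption based on the `/groups/...` value in the reported error.

```python
import re

# Data source types whose IDs appear in path form on this page.
# Covering azuread_group is an assumption (see the lead-in).
PATH_ID_SOURCES = ("azuread_service_principal", "azuread_group")
REF_RE = re.compile(
    r"data\.(?:%s)\.\w+(?:\[[^\]]*\])?\.id\b" % "|".join(PATH_ID_SOURCES)
)

# Constructed sample configuration, not taken from any real module.
SAMPLE = '''\
resource "azurerm_key_vault_access_policy" "terraform" {
  key_vault_id = azurerm_key_vault.example.id
  object_id    = data.azuread_service_principal.terraform.id
}
resource "azurerm_key_vault_access_policy" "fixed" {
  object_id = data.azuread_service_principal.example.object_id
}
# old value: data.azuread_group.legacy.id
output "admin_group" {
  value = "${data.azuread_group.groups["admin-vm"].id}"
}
'''


def strip_comment(line):
    """Cut a trailing # or // comment, ignoring markers inside quotes."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str and (ch == "#" or line.startswith("//", i)):
            return line[:i]
    return line


def find_id_refs(text):
    """Return (line_no, reference, suggestion) for each flagged `.id` use."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in REF_RE.finditer(strip_comment(line)):
            ref = m.group(0)
            hits.append((no, ref, ref[: -len(".id")] + ".object_id"))
    return hits


if __name__ == "__main__":
    for no, ref, fix in find_id_refs(SAMPLE):
        print(f"line {no}: {ref} -> {fix}")
```

The scan is line-based and does not parse HCL, so it will miss references split across lines or built through locals.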

@digital-raver1

image

@manicminer
Member

Thanks @digital-raver1, that's the same error and will be fixed shortly

@simozyadi

This morning, we encountered the same error while attempting to upgrade to the AzureAD v3 provider. To address the issue and restore functionality, we rolled back to the previous version.

Could you please implement the necessary fix for the new provider version?

Error: Could not retrieve group members for group with object ID: "/groups/33a44695-da06-5869-b379-dc5214b02cdc"
with data.azuread_group.groups["admin-vm"]
on data.tf line 64, in data "azuread_group" "groups":
data "azuread_group" "groups" {
unexpected status 400 (400 Bad Request) with error: Request_BadRequest: Unexpected segment DynamicPathSegment. Expected property/$value.

@manicminer
Member

manicminer commented Sep 27, 2024

@simozyadi Thanks for the report, please be mindful of posting +1 comments as they pollute the issue thread. Per my above comments, this is being worked on and a fix will be out shortly.


phatcher commented Sep 27, 2024

> @GraemeMeyerGT That is related, but not a bug. Please use the object_id attribute instead, e.g.
>
> resource "azurerm_key_vault_access_policy" "example-principal" {
>   key_vault_id = azurerm_key_vault.example.id
>   tenant_id    = data.azurerm_client_config.current.tenant_id
>   object_id    = data.azuread_service_principal.example.object_id  # <-- `object_id`, not `id`
>
>   key_permissions = [
>     "Get", "List", "Encrypt", "Decrypt"
>   ]
> }

You may not classify it as a bug, but it is an undocumented breaking change
