Terraform Error: Adding Group Member to the Group

Question
We have a Terraform script that creates a new azuread_service_principal and adds it to the existing group.

    resource "azuread_application" "workspace_manager" {
      display_name     = var.workspace_manager_appregistration_name
      sign_in_audience = "AzureADMyOrg"
      owners = [
        data.azurerm_client_config.this.object_id,
        var.master_account_id
      ]
    }

    resource "azuread_service_principal" "workspace_manager" {
      application_id               = azuread_application.workspace_manager.application_id
      app_role_assignment_required = false
      owners = [
        data.azurerm_client_config.this.object_id,
        var.master_account_id
      ]
    }

    resource "azuread_group_member" "workspace_manager" { # the error occurs here
      group_object_id  = var.security_group_id                                 # existing azure ad group id
      member_object_id = azuread_service_principal.workspace_manager.object_id # created one
    }
This script throws the following error:
╷
│ Error: Adding group member "xxx-xxx-xxx" to group "xxx-xxx-xxx"
│
│ with module.pbi.azuread_group_member.workspace_manager,
│ on pbi\main.tf line 52, in resource "azuread_group_member" "workspace_manager":
│ 52: resource "azuread_group_member" "workspace_manager" {
│
│ GroupsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
╵
Referring to the documentation article, I added the Group.ReadWrite.All (application) permission to the service principal that runs the script.
Terraform docs article: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group_member
Why do I get this error, and what are the solutions? What can I try?
Answer 1
Score: 1
In addition to adding the "Group.ReadWrite.All" application permission to the service principal, also add the "Directory.AccessAsUser.All" app permission for the service principal to access the directory as a user for adding a member to a group.
Note: After adding permissions, admin consent needs to be granted for the app by the admin.
Please check the code below.
Or you should have the owner role on the group and the application.
Code:
    # Identity running the script; used as owner of the app and service principal
    data "azurerm_client_config" "current" {}

    resource "azuread_application" "workspace_manager" {
      display_name     = "wrkmanapp"
      sign_in_audience = "AzureADMyOrg"
      owners = [
        data.azurerm_client_config.current.object_id,
      ]
    }

    resource "azuread_service_principal" "workspace_manager" {
      application_id               = azuread_application.workspace_manager.application_id
      app_role_assignment_required = false
      owners = [
        data.azurerm_client_config.current.object_id
      ]
    }

    # Example user lookup; not referenced by the resources below
    data "azuread_user" "example" {
      user_principal_name = "xxx@xx.onmicrosoft.com"
    }

    # Look up the existing group by name. A data source only takes lookup
    # arguments (display_name, object_id, security_enabled, mail_enabled);
    # owners and members belong to the azuread_group resource, not the data source
    data "azuread_group" "example" {
      display_name     = "kavyaMyGroup"
      security_enabled = true
    }

    resource "azuread_group_member" "workspace_manager" {
      group_object_id  = data.azuread_group.example.object_id
      // group_object_id = "5xxxf318"
      member_object_id = azuread_service_principal.workspace_manager.object_id
    }
I could add the service principal to the existing group successfully.
Reference: azuread_group_member | Resources | hashicorp/azuread | Terraform Registry
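As an added example (not code from the question or the answer), the admin-consent grant the answer mentions can itself be expressed in Terraform: assign the Microsoft Graph Group.ReadWrite.All app role to the service principal that runs the script, which is exactly the object that admin consent creates for an application permission. It assumes a deployer_object_id variable and an example-security-group name (both constructed), the workspace_manager resources from the answer in the same configuration, and azuread provider 2.44 or later for the client_id argument.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 2.44.0" # client_id on azuread_service_principal needs 2.44+
    }
  }
}

# Object ID of the service principal that runs the Terraform script.
# Hypothetical variable name; supply the value from your own tenant.
variable "deployer_object_id" {
  type = string
}

# Well-known client IDs of Microsoft first-party apps, including Microsoft Graph.
data "azuread_application_published_app_ids" "well_known" {}

# The Microsoft Graph service principal in this tenant. Its app_role_ids map
# resolves permission names such as "Group.ReadWrite.All" to app role IDs.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

# An app role assignment on the Graph service principal is what admin consent
# records for an application permission. Without it the deployer's token
# carries no "Group.ReadWrite.All" role claim, and Graph answers the
# group-member POST with 403 Authorization_RequestDenied.
resource "azuread_app_role_assignment" "deployer_group_readwrite" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Group.ReadWrite.All"]
  principal_object_id = var.deployer_object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Existing group, looked up by name (constructed name) instead of a pasted ID.
data "azuread_group" "target" {
  display_name     = "example-security-group"
  security_enabled = true
}

# Same membership resource as in the question, now with the grant in place.
resource "azuread_group_member" "workspace_manager" {
  group_object_id  = data.azuread_group.target.object_id
  member_object_id = azuread_service_principal.workspace_manager.object_id
}
```

Apply the app role assignment in a run of its own before the membership: the provider obtains its client-credentials token once at startup, so a role granted during the same apply is only present in the next token. The identity applying the assignment needs AppRoleAssignment.ReadWrite.All (or an admin role), and since Group.ReadWrite.All is tenant-wide, the answer's alternative of making the deployer an owner of just that group is the narrower grant where it is available.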