Hi,
As suggested in hashicorp/terraform-provider-azuread#1435, I am raising this issue here as well, since this error is not related to Terraform and is also happening in the Azure Portal UI.
Scenario 1
A group has two Owner objects of which one is a SPN. I am trying to remove the 2nd Owner object which is not a SPN (SPN = last Owner).
Case 1
Role Assignable Group (Single Object Remove):
I am able to remove a 2nd Owner (Terraform & UI).
Case 2
Not Role Assignable Group (Single Object Remove):
I am not able to remove a 2nd Owner (Terraform & UI).
Note: This is only true if the last remaining Owner is a SPN. It is possible if the last object is a user object.
Scenario 2
A group has three or more Owners of which one is a SPN. I am trying to remove all Owner objects which are not a SPN (SPN = last Owner).
Case 3
Not Role Assignable Group (Multiple Object Remove / batch as highlighted here):
UI -> I am able to remove all Owner objects by selecting all objects but the SPN.
Terraform -> I am not able to remove all Owner objects because the Terraform Provider does this one by one.
Error Details
UI -> Failed to remove group owner. The group must have at least one owner.
Terraform -> Error: GroupsClient.BaseClient.Delete(): unexpected status 400 with OData error: Request_BadRequest: The group must have at least one owner, hence this owner cannot be removed.