AADGroupNotFound - AAD Group Not Found: Group Does Not Exist

AADGroupNotFound shows up when Azure AD (Entra ID) couldn't resolve the group—display name typo, wrong object ID, deleted group, or it's in another tenant you can't access. This 404 client-side error occurs when Azure AD validates group identifiers before operations. Most common in RBAC role assignments for VM access, but also appears in AKS cluster RBAC, Azure SQL database user management, and App Service deployment permissions. Cross-tenant access needs B2B federation or guest user invites. Group identifiers are case-sensitive for display names.

Common Causes

  • Invalid Group Identifier: The group display name, object ID, or mail nickname is incorrect or contains typos. Group identifiers must match exactly what's stored in Azure AD (case-sensitive for display names). This is persistent—you must use the correct identifier.
  • Deleted Group: The group has been soft-deleted or permanently deleted from Azure AD. Deleted groups aren't accessible via standard queries. Soft-deleted groups may be recoverable within the retention period (typically 30 days). This is persistent—you must use a different group or restore the deleted group if possible.
  • Cross-Tenant Access: The group exists in a different tenant, and you don't have access. Cross-tenant access requires B2B federation configuration or guest user invitation. This is persistent—you must get access or use a group in your tenant.

Solutions

  1. Step 1: Diagnose - List all groups to see available identifiers: az ad group list --query "[].{DisplayName:displayName,ObjectId:id,Mail:mail}" --output table
  2. Step 2: Diagnose - Search for group by display name: az ad group list --filter "displayName eq '<name>'" --query "[].{DisplayName:displayName,ObjectId:id,Mail:mail}" --output table
  3. Step 3: Diagnose - Search for group by mail nickname: az ad group list --filter "mailNickname eq '<nickname>'" --query "[].{DisplayName:displayName,Mail:mail}" --output table
  4. Step 4: Fix - If the identifier is wrong, use the correct identifier from the group list. Verify case sensitivity for display names.
  5. Step 5: Fix - If the group was deleted, check whether it is soft-deleted and restore it within the retention period. Use Azure Portal > Azure AD > Groups > Deleted groups to restore.
  6. Step 6: Fix - For cross-tenant access, ensure B2B federation is configured or request a guest user invitation from the target tenant administrator.
  7. Step 7: Verify - After finding the correct group or restoring it, retry your operation. It should succeed instead of returning AADGroupNotFound.
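The diagnosis steps above can be automated so that the reason an identifier fails is reported directly (wrong object ID, display-name case mismatch, a mail nickname used where a display name was expected, or a soft-deleted group). The script below is an added example written for this page, not Azure's own tooling. It consumes the JSON that `az ad group list --output json` returns and, for soft-deleted groups, the Microsoft Graph endpoint `GET /directory/deletedItems/microsoft.graph.group` called through `az rest`; the group records embedded in it are constructed samples with placeholder IDs, and the resolver logic (exact display-name match first, then nickname, then case-only mismatch, then deleted items) is this example's own design.

```python
"""Resolve an Azure AD group identifier and explain why it fails (added example).

Offline-testable: resolve_group() works on plain dicts; fetch_live() is the only
part that talks to Azure and needs a logged-in Azure CLI (az login) with
directory read permission.
"""
import json
import re
import subprocess
import sys

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample of `az ad group list --output json` (placeholder IDs, not real groups)
SAMPLE_GROUPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "VM Admins", "mailNickname": "vmadmins"},
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "SQL Readers", "mailNickname": "sqlreaders"},
]

# Constructed sample of the Graph deletedItems response: one soft-deleted group
SAMPLE_DELETED = [
    {"id": "33333333-3333-3333-3333-333333333333", "displayName": "AKS Operators",
     "mailNickname": "aksops", "deletedDateTime": "2024-01-10T12:00:00Z"},
]

DELETED_GROUPS_URL = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group"
RESTORE_URL = "https://graph.microsoft.com/v1.0/directory/deletedItems/{id}/restore"


def resolve_group(identifier, groups, deleted=()):
    """Classify an identifier against live groups and soft-deleted groups.

    Returns a dict whose 'status' is one of: found, case_mismatch,
    nickname_match, soft_deleted, not_found. Display names are compared
    exactly first (the page's advice to verify case); a case-only difference
    is reported as its own status so the fix is obvious.
    """
    ident = identifier.strip()

    if GUID_RE.match(ident):  # object ID lookups are case-insensitive hex
        for g in groups:
            if g["id"].lower() == ident.lower():
                return {"status": "found", "group": g, "matched_on": "id"}
        for g in deleted:
            if g["id"].lower() == ident.lower():
                return {"status": "soft_deleted", "group": g,
                        "hint": "restore with: az rest --method post --url " + RESTORE_URL.format(id=g["id"])}
        return {"status": "not_found",
                "hint": "no group with this object ID in this tenant; check the ID or whether it lives in another tenant"}

    for g in groups:  # exact display name
        if g["displayName"] == ident:
            return {"status": "found", "group": g, "matched_on": "displayName"}
    for g in groups:  # mail nickname supplied where a display name was expected
        if g.get("mailNickname", "").lower() == ident.lower():
            return {"status": "nickname_match", "group": g, "use_object_id": g["id"]}
    for g in groups:  # same name, different case: the page's case-sensitivity cause
        if g["displayName"].lower() == ident.lower():
            return {"status": "case_mismatch", "group": g, "suggestion": g["displayName"]}
    for g in deleted:  # soft-deleted within the retention period
        if g["displayName"] == ident or g.get("mailNickname", "").lower() == ident.lower():
            return {"status": "soft_deleted", "group": g,
                    "hint": "restore with: az rest --method post --url " + RESTORE_URL.format(id=g["id"])}
    return {"status": "not_found", "hint": "no live or soft-deleted group matches; check spelling or tenant"}


def _az(args):
    """Run an Azure CLI command and parse its JSON output (requires `az login`)."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def fetch_live(include_deleted=True):
    """Pull live and soft-deleted groups; az rest attaches the signed-in Graph token itself."""
    groups = _az(["ad", "group", "list"])
    deleted = _az(["rest", "--method", "get", "--url", DELETED_GROUPS_URL]).get("value", []) if include_deleted else []
    return groups, deleted


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: resolve_group.py <display name | object id | mail nickname>")
    live_groups, live_deleted = fetch_live()
    print(json.dumps(resolve_group(sys.argv[1], live_groups, live_deleted), indent=2))
```

Run it against the live tenant as `python resolve_group.py "My Security Group"`; a `case_mismatch` result carries the exact display name to use, a `nickname_match` carries the object ID to use instead, and a `soft_deleted` result carries the Graph restore call, which needs the same directory write permission the portal restore does.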

Code Examples

Azure AD Group Lookup and Verification
#!/usr/bin/env bash
# This script helps diagnose AADGroupNotFound by searching for groups.
# Requires a logged-in Azure CLI session (az login) with directory read permission.
set -u

# Step 1: Example group display name to search (replace with your group name)
GROUP_NAME="My Security Group"
echo "Searching for group: ${GROUP_NAME}"

# Step 2: Search for group by display name (exact match, so check case)
echo "Searching by display name..."
az ad group list \
  --filter "displayName eq '${GROUP_NAME}'" \
  --query "[].{DisplayName:displayName,ObjectId:id,Mail:mail}" \
  --output table

# Step 3: List all groups to see available groups
echo "Listing all groups in tenant..."
az ad group list \
  --query "[].{DisplayName:displayName,ObjectId:id,Mail:mail}" \
  --output table

# Step 4: Get group by object ID (replace the placeholder GUID with yours)
OBJECT_ID="12345678-1234-1234-1234-123456789012"
GROUP_FOUND=false
echo "Searching for group by object ID: ${OBJECT_ID}..."
if az ad group show \
  --group "${OBJECT_ID}" \
  --query "{DisplayName:displayName,ObjectId:id,Mail:mail}" \
  --output table 2>/dev/null; then
  echo "Group found by object ID"
  GROUP_FOUND=true
else
  echo "Group not found by object ID (AADGroupNotFound, or no access to it)"
fi

# Step 5: Search groups by mail nickname
MAIL_NICKNAME="mygroup"
echo "Searching for group by mail nickname: ${MAIL_NICKNAME}..."
az ad group list \
  --filter "mailNickname eq '${MAIL_NICKNAME}'" \
  --query "[].{DisplayName:displayName,Mail:mail,ObjectId:id}" \
  --output table

# Step 6: Get group members (only if Step 4 actually found the group;
# testing whether OBJECT_ID is non-empty would always be true here)
if [ "${GROUP_FOUND}" = true ]; then
  echo "Listing members of group: ${OBJECT_ID}..."
  az ad group member list \
    --group "${OBJECT_ID}" \
    --query "[].{DisplayName:displayName,UserPrincipalName:userPrincipalName,ObjectType:objectType}" \
    --output table
fi

# Step 7: Instructions for checking deleted groups
echo ""
echo "To check for deleted groups:"
echo "  1. Go to Azure Portal > Azure AD > Groups > Deleted groups"
echo "  2. Search for the group by name"
echo "  3. If found, click 'Restore group' to recover within retention period"

Provider Information

This error code is specific to AZURE services. For more information, refer to the official AZURE documentation.