I'm trying to create an Azure AD application using terraform along with our Azure DevOps pipeline, but I am getting the following error:
```
1 error(s) occurred:

* module.cluster.module.cluster.azuread_application.cluster: 1 error(s) occurred:

* azuread_application.cluster: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-02-19T23:22:23","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<SOME GUID>"}}]
```
I'm pretty sure this is because the pipeline's service principal doesn't have the proper permissions within our Azure AD.
This is the offending Terraform code:
```hcl
# Application object in Azure AD
resource "azuread_application" "cluster" {
  name = "some-application"
}

# Service principal backing the application above
resource "azuread_service_principal" "cluster" {
  application_id = "${azuread_application.cluster.application_id}"
}
```
Here is what the Terraform step looks like (I'm using a Service Connection to supply the service principal).
To configure the service principal, I am selecting "Manage Service Principal" for the Service Connection.
I have then given it all "required permissions" for both Microsoft Graph and Windows Azure Active Directory. I don't think I need the Microsoft Graph, but did that since Windows AAD wasn't working.
According to the error information, it indicates that you have no permission to do that.

Following the Terraform guide document, we need to assign permissions corresponding to the application:

> NOTE: If you're authenticating using a Service Principal then it must have permissions to both "Read and write all applications" and "Sign in and read user profile" within the Windows Azure Active Directory API.

During my test, I assigned the following permissions to the Azure Active Directory API; for more information please refer to the screenshot.
Note: Please don't forget to click Grant permissions
Test Result:
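As an added example (not code from the question or the answer), the following Python script checks whether the pipeline's service principal application requests the two Windows Azure Active Directory API permissions named above, using the JSON shape that `az ad app show` and `az ad sp show` return (`requiredResourceAccess`, `appRoles`, `oauth2Permissions`). The resource appId `00000002-0000-0000-c000-000000000000` is the well-known id of the Azure AD Graph API; the permission GUIDs in the sample manifests are constructed placeholders, and the manifests themselves are constructed sample input rather than output captured from a real tenant.

```python
"""Report which Azure AD API permissions an application manifest is still missing.

Input shapes follow the Azure AD application/service-principal manifests:
  app_manifest["requiredResourceAccess"] = [{"resourceAppId": ..., "resourceAccess": [{"id": ..., "type": "Role"|"Scope"}]}]
  resource_sp["appRoles"] / resource_sp["oauth2Permissions"] = [{"id": ..., "value": "Permission.Name", ...}]
"""
import json

# Well-known appId of the "Windows Azure Active Directory" (Azure AD Graph) API.
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"

# Permissions the azuread provider docs require: one application role, one delegated scope.
REQUIRED = [("Application.ReadWrite.All", "Role"), ("User.Read", "Scope")]


def resolve_permission_ids(resource_sp, required):
    """Map (name, type) pairs to permission GUIDs using the API's service principal manifest."""
    lookup = {}
    for role in resource_sp.get("appRoles", []):
        lookup[(role["value"], "Role")] = role["id"]
    for scope in resource_sp.get("oauth2Permissions", []):
        lookup[(scope["value"], "Scope")] = scope["id"]
    return {req: lookup[req] for req in required if req in lookup}


def missing_permissions(app_manifest, resource_sp, required=REQUIRED, resource_app_id=AAD_GRAPH_APP_ID):
    """Return the (name, type) pairs the application does not request on resource_app_id.

    A name that cannot be resolved against resource_sp is reported as missing too,
    because its presence cannot be verified.
    """
    wanted = resolve_permission_ids(resource_sp, required)
    requested = set()
    for entry in app_manifest.get("requiredResourceAccess", []):
        if entry.get("resourceAppId") != resource_app_id:
            continue
        for access in entry.get("resourceAccess", []):
            requested.add((access["id"], access["type"]))
    return [req for req in required
            if req not in wanted or (wanted[req], req[1]) not in requested]


# Constructed sample: the API's service principal, with placeholder permission GUIDs.
SAMPLE_RESOURCE_SP = {
    "appId": AAD_GRAPH_APP_ID,
    "appRoles": [{"id": "11111111-1111-1111-1111-111111111111", "value": "Application.ReadWrite.All"}],
    "oauth2Permissions": [{"id": "22222222-2222-2222-2222-222222222222", "value": "User.Read"}],
}

# Constructed sample: a pipeline application that only requests the delegated User.Read scope.
SAMPLE_APP_MANIFEST = {
    "appId": "33333333-3333-3333-3333-333333333333",
    "requiredResourceAccess": [
        {"resourceAppId": AAD_GRAPH_APP_ID,
         "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}
    ],
}


def report(app_manifest=SAMPLE_APP_MANIFEST, resource_sp=SAMPLE_RESOURCE_SP):
    """Human-readable summary for a pipeline log; returns the missing list."""
    missing = missing_permissions(app_manifest, resource_sp)
    if missing:
        for name, kind in missing:
            print(f"missing {kind}: {name} on resource {AAD_GRAPH_APP_ID}")
    else:
        print("all required permissions are requested; confirm admin consent was granted")
    return missing


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run it against live data by piping `az ad app show --id <pipeline appId>` and `az ad sp show --id 00000002-0000-0000-c000-000000000000` into `json.load` in place of the sample dictionaries. Note that `requiredResourceAccess` only records what the application requests; the "Grant permissions" step the answer mentions is recorded as consent on the tenant, so an empty missing list is necessary but not sufficient for the Terraform run to succeed.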