Tags: azure, permissions, azure-active-directory, terraform, microsoft-graph-api

Setting Azure AD Microsoft Graph Email API/Permission in Terraform


I am provisioning some Azure infrastructure using Terraform. Included in the setup requirement is some configuration of an Azure AD registered app and this requires the following Microsoft Graph permissions to be granted (see image below):

  • GroupMember.Read.All
  • email (OpenId)

[screenshot not included]

Within my Terraform configuration, I have the below code snippet included in my resource "azuread_application" block, within the required_resource_access sub-block. For the resource_access ids, I have used the values provided on this Microsoft page - https://learn.microsoft.com/en-us/graph/permissions-reference.

[screenshot not included]

My Terraform configuration is currently able to successfully add the GroupMember.Read.All permission, but somehow it fails to add the required Email permission as depicted in the screenshot below, displaying the GUID reference instead of the actual name "email".

What I'd also like to be able to do in my Terraform configuration is grant admin consent for both API permissions (depicted in the rightmost column).

[screenshot not included]

Any tips on how I can achieve all of the above?



Solution

  • For the permission type, Scope corresponds to the Delegated permission type, whereas Role corresponds to the Application permission type.

    The email OpenID scope is a Delegated permission type, so you need to change the permission type from Role to Scope.

    resource_access {
      id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"
      type = "Scope"
    }
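To put the Scope/Role distinction and the admin-consent request from the question together, here is a complete configuration added as an example; it is not the answerer's code or the asker's original snippet. It assumes the hashicorp/azuread provider v3.x (attribute names such as `client_id` differ in v2), a hypothetical application display name, and that GroupMember.Read.All is wanted as an Application permission (Role) while `email` is the OpenID Connect Delegated permission (Scope). Instead of hardcoding permission GUIDs, it resolves them by name from the Microsoft Graph service principal, which avoids the GUID-instead-of-name symptom when an ID is pasted for the wrong permission type.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

provider "azuread" {}

# Microsoft Graph's well-known application (client) ID. Looking up its service
# principal in the tenant exposes name->GUID maps for both permission types.
data "azuread_service_principal" "msgraph" {
  client_id = "00000003-0000-0000-c000-000000000000"
}

resource "azuread_application" "example" {
  display_name = "example-app" # hypothetical name

  required_resource_access {
    resource_app_id = data.azuread_service_principal.msgraph.client_id

    # Application permission (assumed here) -> type = "Role", looked up in app_role_ids.
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["GroupMember.Read.All"]
      type = "Role"
    }

    # "email" is an OpenID Connect scope: Delegated -> type = "Scope",
    # looked up in oauth2_permission_scope_ids.
    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"]
      type = "Scope"
    }
  }
}

# The app needs a service principal in the tenant before consent can be recorded.
resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
}

# Admin consent for the Application permission (Role): an app role assignment
# on the Microsoft Graph service principal.
resource "azuread_app_role_assignment" "groupmember_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["GroupMember.Read.All"]
  principal_object_id = azuread_service_principal.example.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Admin consent for the Delegated permission (Scope): a tenant-wide delegated
# permission grant (no user_object_id means "on behalf of all users").
resource "azuread_service_principal_delegated_permission_grant" "email" {
  service_principal_object_id          = azuread_service_principal.example.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["email"]
}
```

Two consequences worth checking before applying: the identity running Terraform must itself be allowed to grant consent (for example a Global Administrator or Privileged Role Administrator, or an app with the corresponding AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All permissions), and because consent is now declared in code, removing a `resource_access` block without also removing its grant resource leaves a standing consent behind; keep the two in step so the portal's "Granted for" column reflects only what the application currently requests.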