I am trying to add an existing Azure Registered Application to an existing Azure Active Directory Group via Terraform. I used the following sequence to complete the task:
// References the existing AAD group
data "azuread_group" "existing_aad_group" {
display_name = "<display name of the aad group>"
security_enabled = true
}
// References the existing registered application
data "azuread_application" "existing_registered_application" {
display_name = "<display name of the registered application>"
}
// --> Adds the application as a member of the AAD group.
resource "azuread_group_member" "registered_app_member" {
group_object_id = data.azuread_group.existing_aad_group.object_id
member_object_id = data.azuread_application.existing_registered_application.object_id
}
The above code fails with the following error:
╷
│ Error: Adding group member "ceb93cb8XXXXX" to group "2f16446cXXXX"
│
│ with module.service.azuread_group_member.function_app,
│ on ../../resources/aad_group.tf line 6, in resource "azuread_group_member" "function_app":
│ 6: resource "azuread_group_member" "function_app" {
│
│ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error:
│ Request_BadRequest: An invalid operation was included in the following
│ modified references: 'members'.
╵
Question
What does this error mean and how can I fix it?
I tried to reproduce the same in my environment :
Code used:
resource "azuread_group" "example" {
display_name = "kavyaMyGroup"
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
members = [
azuread_user.example.object_id,
# more users
]
}
resource "azuread_group_member" "registered_app_member" {
group_object_id = azuread_group.example.object_id
member_object_id = azuread_application.example.object_id
}
resource "azuread_application" "example" {
display_name = "example"
owners = [data.azuread_client_config.current.object_id]
sign_in_audience = "AzureADMultipleOrgs"
required_resource_access {
resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
resource_access {
id = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
type = "Role"
}
resource_access {
id = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
type = "Scope"
}
}
web {
homepage_url = "https://app.example.net"
logout_url = "https://app.example.net/logout"
redirect_uris = ["https://app.example.net/account"]
implicit_grant {
access_token_issuance_enabled = true
id_token_issuance_enabled = true
}
}
}
Received same Error:
azuread_group_member.registered_app_member: Creating... │ Error: Adding group member "xxx" to group "xxxx"
│ with azuread_group_member.registered_app_member, │ on main.tf line 84, in resource "azuread_group_member" "registered_app_member": │ 84: resource "azuread_group_member" "registered_app_member" {
│ GroupsClient.BaseClient.Post(): unexpected status 400 with OData error: Request_BadRequest: An invalid operation │ was included in the following modified references: 'members'.
As it could not add the application , directly , i tried creating service principal of the existing application and then assigned to the group using its object ID:
Code:
resource "azuread_application" "example" {
display_name = "example"
owners = [data.azuread_client_config.current.object_id]
sign_in_audience = "AzureADMultipleOrgs"
required_resource_access {
resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
resource_access {
id = "df021288-bdef-4463-88db-98f22de89214" # User.Read.All
type = "Role"
}
resource_access {
id = "b4e74841-8e56-480b-be8b-910348b18b4c" # User.ReadWrite
type = "Scope"
}
}
web {
homepage_url = "https://app.example.net"
logout_url = "https://app.example.net/logout"
redirect_uris = ["https://app.example.net/account"]
implicit_grant {
access_token_issuance_enabled = true
id_token_issuance_enabled = true
}
}
}
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
#below code adds Enterprise app to required group
resource "azuread_service_principal" "example" {
application_id = azuread_application.example.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
Terraform code is successfully run with terraform apply
Could see the app added to the group in the form of enterprise app as we are using service principal of app:
App:
Reference: azuread_service_principal | Resources | hashicorp/azuread | Terraform Registry