Tags: terraform, azure-active-directory

Service principal with API permissions cannot create azuread_application via Terraform


I'm trying to create an azuread_application using a Service Principal that has the following API permissions granted:


However, when applying the Terraform template, I'm getting this error:

Saved the plan to: tfplan
To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"
$ terraform apply --auto-approve tfplan > terraform_output.json
╷
│ Error: creating {}: ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
│ 
│   with azuread_application_registration.app-test,
│   on main.tf line 15, in resource "azuread_application_registration" "app-test":
│   15: resource "azuread_application" "app-test" {
│ 
│ creating {}: ApplicationsClient.BaseClient.Post(): unexpected status 403
│ with OData error: Authorization_RequestDenied: Insufficient privileges to
│ complete the operation.
╵
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1

Solution

  • For creating an Azure AD application with a Service Principal, it may be sufficient to grant Application.ReadWrite.All to the Service Principal

    • Note: Make sure to verify that the service principal used in Terraform for authentication has the API permission Application.ReadWrite.All.
    • Check if any account is already logged in by using the command az account show. If an account is shown, log out using az logout and then run the code again.

    When I tried to create an Azure AD application with a Service Principal by using SP login without granting admin consent, I too got the same authentication error.

        terraform {
          required_providers {
            azuread = {
              source = "hashicorp/azuread"
            }
          }
        }

        # Authenticate as the Service Principal itself (client credentials),
        # not via the Azure CLI session. Values below are placeholders.
        provider "azuread" {
          tenant_id         = "123333333"
          client_id         = "12333333333"
          client_secret     = "12333333"
          use_cli           = false
        }

        # Creating this app registration is the Graph call that needs
        # Application.ReadWrite.All (application permission, admin-consented).
        resource "azuread_application" "example" {
          display_name = "demo-app"
        }

        # Service principal for the new application in this tenant.
        resource "azuread_service_principal" "example" {
          client_id                    = azuread_application.example.client_id
          app_role_assignment_required = false
        }


    But after granting the consent, it got created.


    Below are the API permissions.


    Azure AD application has been created successfully.

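A preflight check for the consent gap the answer describes, added here as an example (it is not code from the question, the answer, or the azuread provider): it takes the two JSON documents you can pull from Microsoft Graph for the Terraform service principal (the app registration's `requiredResourceAccess`, which is what `az ad app permission list` shows, and the service principal's `appRoleAssignments`) and reports whether Application.ReadWrite.All is merely configured or actually admin-consented. The Microsoft Graph app id and the Application.ReadWrite.All role id are the well-known Graph constants; the sample JSON is constructed.

```python
import json

# Well-known Microsoft Graph identifiers (verify against your tenant's Graph service principal).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
APPLICATION_READWRITE_ALL = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"


def configured_graph_roles(required_resource_access):
    """Application permissions (type 'Role') *requested* from Microsoft Graph.
    This only proves the permission was added to the app registration."""
    return {
        access["id"]
        for res in required_resource_access
        if res.get("resourceAppId") == GRAPH_APP_ID
        for access in res.get("resourceAccess", [])
        if access.get("type") == "Role"
    }


def consented_graph_roles(app_role_assignments):
    """Application permissions actually *granted* to the service principal.
    An appRoleAssignment only exists once an admin has consented."""
    return {
        a["appRoleId"]
        for a in app_role_assignments
        if a.get("resourceDisplayName") == "Microsoft Graph"
    }


def preflight(required_resource_access, app_role_assignments):
    """Classify why an azuread_application create would get 403 Authorization_RequestDenied."""
    configured = configured_graph_roles(required_resource_access)
    consented = consented_graph_roles(app_role_assignments)
    if APPLICATION_READWRITE_ALL in consented:
        return "ok"
    if APPLICATION_READWRITE_ALL in configured:
        return "missing-admin-consent"   # permission added, consent never granted
    return "missing-permission"          # permission not even on the app registration


# Constructed sample documents (shapes follow Graph's requiredResourceAccess / appRoleAssignments).
SAMPLE_REQUIRED_RESOURCE_ACCESS = json.loads("""[
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [{"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role"}]}
]""")
SAMPLE_APP_ROLE_ASSIGNMENTS = json.loads("""[
  {"appRoleId": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "resourceDisplayName": "Microsoft Graph",
   "principalDisplayName": "terraform-sp"}
]""")

if __name__ == "__main__":
    print(preflight(SAMPLE_REQUIRED_RESOURCE_ACCESS, []))                           # missing-admin-consent
    print(preflight(SAMPLE_REQUIRED_RESOURCE_ACCESS, SAMPLE_APP_ROLE_ASSIGNMENTS))  # ok
```

Run it against the real output of `az ad app permission list --id <appId>` and a Graph `GET /servicePrincipals/<id>/appRoleAssignments` to see which of the two states the 403 in the question corresponds to.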