azureterraformmicrosoft-graph-apimicrosoft-entra-idazure-entra-id
Adding Graph API application permission via Terraform shows corrupted IDs instead of scope names
I have made some progress in automation of Enterprise app registration process at my new work using Terraform. However, I am seeing some strange behavior.
When I add Graph API (Application permission) from PORTAL to my Application then I see it like this:
However, when I do the same via Terraform code
# Enterprise Application
resource "azuread_application" "enterprise_app_oidc" {
display_name = "my-case-app"
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
resource_access {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["AccessReview.Read.All"]
type = "Role" //Scope or Role
}
resource_access {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["Application.Read.All"]
type = "Role" //Scope or Role
}
}
}
resource "azuread_service_principal" "enterprise_app_sp_oidc" {
client_id = azuread_application.enterprise_app_oidc.client_id
owners = azuread_application.enterprise_app_oidc.owners
preferred_single_sign_on_mode = "oidc"
app_role_assignment_required = true
feature_tags {
enterprise = true
}
depends_on = [ azuread_application.enterprise_app_oidc ]
}
## Graph API permissions
resource "azuread_service_principal" "msgraph" {
client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
use_existing = true
}
data "azuread_application_published_app_ids" "well_known" {
}
However, with Terraform cide when I go to Portal. It shows like this. And clicking on it shows no details or info.
Solution
Adding Graph API application permission via Terraform shows corrupted IDs instead of scope names
Issue seems to be with the way you refer the permission id is not inline with the requirment. As per the terraform configuration for azuread_application we need to refer the id of the role not directly refer from the property.
In order to fetch the required role id follow the command given below
az ad sp list --display-name "Microsoft Graph" --query '[].appRoles[?value==`AccessReview.Read.All` || value==`Application.Read.All`]' -o json | jq
replace the required role name as per the requirement so that it will fetch the properties
configuration:
provider "azurerm" {
features {}
}
provider "azuread" {
}
data "azuread_client_config" "current" {}
data "azuread_application_published_app_ids" "well_known" {}
output "data_from_well_known" {
value = data.azuread_application_published_app_ids.well_known.result
}
resource "azuread_service_principal" "msgraph" {
client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
use_existing = true
}
resource "azuread_application" "enterprise_app_oidc" {
display_name = "demoapp-Ad"
owners = [data.azuread_client_config.current.object_id]
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
resource_access {
id = "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa"
type = "Role"
}
resource_access {
id = "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30"
type = "Role"
}
}
}
- What is a difference between elastic computing and serverless computing?
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages