
Terraform creates V1 identity provider while using auth_settings_v2


I am trying to add Microsoft authentication to my azurerm_linux_web_app, using azurerm version 3.95.0.

If I create the provider from the GUI it results in a V2 provider, but when I use the following Terraform code it results in a V1 provider:

# App registration that App Service authentication signs users in against.
resource "azuread_application" "api_registration" {
  display_name     = "api-registration-${var.workload}-${var.application}-${var.environment}"
  # Single-tenant registration: only accounts from this directory can sign in.
  sign_in_audience = "AzureADMyOrg"

  api {
    # Delegated scope exposed by this API. The id has to be a stable UUID, hence the
    # random_uuid resource rather than a value generated on every plan.
    oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access *** on behalf of the signed-in user."
      admin_consent_display_name = "Access ***"
      enabled                    = true
      type                       = "User"
      user_consent_description   = "Allow the application to access *** on your behalf."
      user_consent_display_name  = "Access ***"
      value                      = "user_impersonation"
      id                         = random_uuid.widgets_scope_id.result
    }
  }

  web {
    homepage_url = "https://***.net"
    # Callback URL used by App Service authentication for the AAD provider. Keep this list
    # to the exact callback; the identity provider only redirects to registered URIs.
    redirect_uris = [
      "https://***.net/.auth/login/aad/callback"
    ]
    # Only ID token issuance is turned on; access tokens are not issued via the implicit grant.
    implicit_grant {
      id_token_issuance_enabled = true
    }
  }
}

# Web app with App Service authentication (EasyAuth) in front of it. This is the
# configuration that produced a V1 identity provider; the Solution section below
# replaces the microsoft_v2 block with active_directory_v2.
resource "azurerm_linux_web_app" "this" {
  name                = "app-${var.workload}-${var.application}-${var.environment}"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  service_plan_id     = azurerm_service_plan.this.id
  tags                = local.tags

  app_settings = {
    # Client secret consumed via client_secret_setting_name below. It is stored as a plain
    # app setting (and ends up in Terraform state); a Key Vault reference would keep the
    # value itself out of the app settings blade.
    "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = azuread_application_password.api_client_secret.value
    # Intended to limit accepted sign-ins to this tenant. NOTE(review): confirm the V2
    # auth runtime honours this setting rather than relying on it alone.
    "WEBSITE_AUTH_AAD_ALLOWED_TENANTS"         = data.azurerm_client_config.current.tenant_id
  }

  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true # anonymous requests are not passed through to the app
    require_https          = true # plain-HTTP requests are rejected
    unauthenticated_action = "RedirectToLoginPage"

    # The provider block that yields a V1 provider in this scenario; see the Solution
    # below, which uses active_directory_v2 instead.
    microsoft_v2 {
      client_id                  = azuread_application.api_registration.client_id
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
    }

    login {
      token_store_enabled = true # persist provider tokens in the App Service token store
    }
  }

  identity {
    type = "SystemAssigned" # managed identity for the app itself, unrelated to user sign-in
  }

  site_config {
    application_stack {
      python_version = var.app_service_python_runtime_version
    }
  }
}

Screenshot of the authentication blade in the Azure webapp:


I am not sure what I am doing wrong. Any ideas?


Solution

  • As pointed out by @Jahnavi, I was using the wrong provider block in this scenario: instead of microsoft_v2 I should have used active_directory_v2. Below is the configuration I ended up with, which works (note primarily the changes to auth_settings_v2):

    # App registration that App Service authentication signs users in against.
    resource "azuread_application" "api_registration" {
      display_name     = "api-registration-${var.workload}-${var.application}-${var.environment}"
      # Single-tenant registration: only accounts from this directory can sign in.
      sign_in_audience = "AzureADMyOrg"
    
      api {
        # Delegated scope exposed by this API. The id has to be a stable UUID, hence the
        # random_uuid resource rather than a value generated on every plan.
        oauth2_permission_scope {
          admin_consent_description  = "Allow the application to access *** on behalf of the signed-in user."
          admin_consent_display_name = "Access ***"
          enabled                    = true
          type                       = "User"
          user_consent_description   = "Allow the application to access *** on your behalf."
          user_consent_display_name  = "Access ***"
          value                      = "user_impersonation"
          id                         = random_uuid.widgets_scope_id.result
        }
      }
    
      # Minimal Graph access: a single delegated permission (type = "Scope"), exercised on
      # behalf of the signed-in user. No application permissions are requested.
      required_resource_access {
        resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
    
        resource_access {
          id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # Sign in and read user profile
          type = "Scope"
        }
      }
    
      web {
        homepage_url = "https://***.net"
        # Callback URL used by App Service authentication for the AAD provider. Keep this list
        # to the exact callback; the identity provider only redirects to registered URIs.
        redirect_uris = [
          "https://***.net/.auth/login/aad/callback"
        ]
        # Only ID token issuance is turned on; access tokens are not issued via the implicit grant.
        implicit_grant {
          id_token_issuance_enabled = true
        }
      }
    }
    
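    # Web app with App Service authentication (EasyAuth) in front of it, using the
    # Microsoft Entra ID (active_directory_v2) provider.
    resource "azurerm_linux_web_app" "this" {
      name                = "app-${var.workload}-${var.application}-${var.environment}"
      resource_group_name = azurerm_resource_group.this.name
      location            = azurerm_resource_group.this.location
      service_plan_id     = azurerm_service_plan.this.id
      tags                = local.tags
    
      app_settings = {
        # Client secret consumed via client_secret_setting_name below. It is stored as a plain
        # app setting (and ends up in Terraform state); a Key Vault reference would keep the
        # value itself out of the app settings blade.
        "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = azuread_application_password.api_client_secret.value
        # Intended to limit accepted sign-ins to this tenant. NOTE(review): with the V2 runtime
        # the tenant is also pinned by tenant_auth_endpoint below; confirm this setting is still honoured.
        "WEBSITE_AUTH_AAD_ALLOWED_TENANTS"         = data.azurerm_client_config.current.tenant_id
      }
    
      auth_settings_v2 {
        auth_enabled           = true
        require_authentication = true # anonymous requests are not passed through to the app
        # Kept explicit rather than relying on the provider default: the original
        # configuration set it and it is the control that rejects plain-HTTP requests.
        require_https          = true
        runtime_version        = "~2"
        unauthenticated_action = "RedirectToLoginPage"
        default_provider       = "azureactivedirectory"
    
        # Microsoft Entra ID provider. The tenant-specific v2.0 authority restricts sign-in
        # to this tenant instead of accepting tokens from any Microsoft identity.
        active_directory_v2 {
          client_id                  = azuread_application.api_registration.client_id
          client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
          tenant_auth_endpoint       = "https://login.microsoftonline.com/${data.azurerm_client_config.current.tenant_id}/v2.0"
        }
    
        login {
          token_store_enabled = true # persist provider tokens in the App Service token store
        }
      } # closes auth_settings_v2 (the posted snippet omitted this brace, nesting identity/site_config inside it)
    
      identity {
        type = "SystemAssigned" # managed identity for the app itself, unrelated to user sign-in
      }
    
      site_config {
        application_stack {
          python_version = var.app_service_python_runtime_version
        }
      }
    }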
    

    After applying, I can see that the correct provider appears:


    When visiting the site unauthenticated, it now correctly redirects to a login page.