Issue with adding delegated Graph API permission to Enterprise app with Terraform
I have been stuck for 2 days and tried out several things but still struggling to wrap my head around a very otherwise simple task.
- I wanted to create an enterprise app using Terraform (Done. Created Service Principal & AzureAd Application)
Application Creation
resource "azuread_application" "enterprise_app_oidc" {
display_name = var.ent_app_display_name
owners = distinct(var.ad_group_owners)
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
resource_access {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
type = "Scope"
}
resource_access {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
type = "Scope"
}
}
}
Service Principal
resource "azuread_service_principal" "enterprise_app_sp_oidc" {
client_id = azuread_application.enterprise_app_oidc.client_id
owners = azuread_group.ad_group_oidc[0].owners
preferred_single_sign_on_mode = "oidc"
app_role_assignment_required = true
feature_tags {
enterprise = true
}
}
Now once the Application and Service Principal (Enterprise app is created) I wanted to add Graph API access to it. So I followed following from Terraform documenataion
data "azuread_application_published_app_ids" "well_known" {}
output "data_from_well_known" {
value = data.azuread_application_published_app_ids.well_known.result
}
resource "azuread_service_principal" "msgraph" {
client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
use_existing = true
}
resource "azuread_service_principal_delegated_permission_grant" "example" {
service_principal_object_id = azuread_service_principal.enterprise_app_sp_oidc.object_id
resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
claim_values = ["openid", "User.Read.All"]
}
I do not entirely understand why do I need to create a second service prinicpal called "msgraph" but ok, I kindav guessed the context here. But here is my problem
Now once I deploy this code, I get the following
**Question is:
- Why is the RED circled area "other permissions" added and how to get rid of it?
- How do I add other permissions like email, profile, offline etc in blue circled area**
I apologize in advance for my ignorance if there's something very basic and common im missing!!
Thank you in advance!
Solution
If I understand correctly then you don't need to do the delegation part.
Remove the delegation resource.
For adding more permissions to your app, add more resource blocks
This is how your application resource should look like
resource "azuread_application" "enterprise_app_oidc" {
display_name = var.ent_app_display_name
owners = distinct(var.ad_group_owners)
required_resource_access {
resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
dynamic "resource_access" {
for_each = var.oauth2_permission_scope_ids
content {
id = azuread_service_principal.msgraph.oauth2_permission_scope_ids[resource_access.value]
type = "Scope"
}
}
}
}
To add permissions like email, openid etc. create a variable. This variable is iterated in the application resource and creates permission for all the items available in the list
variable "oauth2_permission_scope_ids" {
type = list(string)
default = [ "openid", "email", "profile", "offline_access" ]
}
Now this should give you the desired outcome.
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?