I've developed a Terraform script intended to execute the three key steps:
```hcl
# Data sources referenced below (not shown in the original snippet); this is
# the azuread provider's documented pattern for looking up Microsoft Graph.
data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

# Step 1: the app registration (multi-tenant + personal accounts, v2 tokens).
resource "azuread_application" "test-app" {
  display_name     = "test-app"
  identifier_uris  = ["https://test.onmicrosoft.com"]
  sign_in_audience = "AzureADandPersonalMicrosoftAccount"

  api {
    requested_access_token_version = 2
  }

  single_page_application {
    redirect_uris = ["https://redirect-uri.com/"]
  }

  # Delegated Microsoft Graph scopes the app asks for.
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["offline_access"]
      type = "Scope"
    }

    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }
  }
}

# Step 2: the service principal (enterprise application) for the registration.
resource "azuread_service_principal" "test_app_service_principal" {
  client_id = azuread_application.test-app.client_id
}

# Step 3: tenant-wide admin consent for the requested delegated scopes.
resource "azuread_service_principal_delegated_permission_grant" "test_app_scopes_permission_grant" {
  service_principal_object_id          = azuread_service_principal.test_app_service_principal.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["offline_access", "openid"]
}
```
However, I'm still encountering the same error during execution.
When I create the app by sending Graph API requests via Postman, everything works as expected. The script runs within a pipeline that uses the same credentials to obtain the token for Postman requests.
Additionally, the Azure Active Directory provider is configured with credentials from Azure B2C and not Azure AD, so that aspect should be correctly set up.
```hcl
provider "azuread" {
  client_id     = data.azurerm_key_vault_secret.ado_pipeline_sp_client_id.value
  client_secret = data.azurerm_key_vault_secret.ado_pipeline_sp_client_secret.value
  tenant_id     = data.azurerm_key_vault_secret.b2c_tenant_id.value
}
```
Is this script missing something? Is there any difference between using the Graph API requests or Terraform for creating app registrations?
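Whichever path creates the objects (Terraform or raw Graph requests), the thing worth verifying afterwards is that the scopes the application *requests* in `requiredResourceAccess` and the scopes its service principal has actually been *granted* in the tenant's `oauth2PermissionGrants` line up, with no missing consent and no over-broad grant left behind. The following is an added example, not code from the question or from the azuread provider; it runs offline over constructed objects that mimic the shape of the Graph resources involved (all ids are placeholders, except the well-known Microsoft Graph appId), and it mirrors the two `required_resource_access` blocks and the `claim_values` from the Terraform above.

```python
"""Cross-check requested vs. granted delegated Microsoft Graph scopes.

Added example (not code from the question). Inputs are constructed to mimic
Microsoft Graph objects: application.requiredResourceAccess,
servicePrincipal.oauth2PermissionScopes and oauth2PermissionGrant.
"""
from __future__ import annotations

# Well-known appId of Microsoft Graph (what the provider's
# azuread_application_published_app_ids result.MicrosoftGraph resolves to).
MSGRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Constructed: the Graph service principal with its published delegated
# scopes (shape of GET /servicePrincipals/{id}, field oauth2PermissionScopes).
MSGRAPH_SP = {
    "id": "sp-msgraph-placeholder",
    "appId": MSGRAPH_APP_ID,
    "oauth2PermissionScopes": [
        {"id": "scope-openid-placeholder", "value": "openid"},
        {"id": "scope-offline-placeholder", "value": "offline_access"},
        {"id": "scope-userread-placeholder", "value": "User.Read"},
    ],
}

# Constructed: the app registration as GET /applications/{id} returns it,
# mirroring the two required_resource_access blocks (offline_access, openid).
TEST_APP = {
    "appId": "app-test-app-placeholder",
    "requiredResourceAccess": [
        {
            "resourceAppId": MSGRAPH_APP_ID,
            "resourceAccess": [
                {"id": "scope-offline-placeholder", "type": "Scope"},
                {"id": "scope-openid-placeholder", "type": "Scope"},
            ],
        }
    ],
}

TEST_APP_SP_ID = "sp-test-app-placeholder"  # object id of the app's SP

# Constructed: entries from GET /oauth2PermissionGrants. The first is what the
# Terraform grant resource produces (tenant-wide, consentType AllPrincipals);
# the second is an over-broad grant added by hand outside Terraform.
GRANTS = [
    {"clientId": TEST_APP_SP_ID, "resourceId": MSGRAPH_SP["id"],
     "consentType": "AllPrincipals", "scope": "offline_access openid"},
    {"clientId": TEST_APP_SP_ID, "resourceId": MSGRAPH_SP["id"],
     "consentType": "AllPrincipals", "scope": "User.Read"},
]


def scope_names(resource_sp: dict) -> dict[str, str]:
    """Map delegated scope id -> scope name from the resource's SP."""
    return {s["id"]: s["value"] for s in resource_sp["oauth2PermissionScopes"]}


def requested_scopes(app: dict, resource_sp: dict) -> set[str]:
    """Delegated scope names the app registration asks for on this resource."""
    names = scope_names(resource_sp)
    wanted: set[str] = set()
    for rra in app.get("requiredResourceAccess", []):
        if rra["resourceAppId"] != resource_sp["appId"]:
            continue
        for access in rra["resourceAccess"]:
            if access["type"] != "Scope":  # "Role" = application permission
                continue
            if access["id"] not in names:
                raise ValueError(f"unknown scope id {access['id']!r}")
            wanted.add(names[access["id"]])
    return wanted


def granted_scopes(grants: list[dict], client_sp_id: str, resource_sp_id: str) -> set[str]:
    """Scope names admin-consented tenant-wide for client SP -> resource SP.

    Graph stores the scopes of one grant as a space-separated string."""
    granted: set[str] = set()
    for g in grants:
        if (g["clientId"] == client_sp_id and g["resourceId"] == resource_sp_id
                and g["consentType"] == "AllPrincipals"):
            granted.update(g["scope"].split())
    return granted


def audit(app: dict, client_sp_id: str, resource_sp: dict, grants: list[dict]) -> dict:
    """Report missing consent (app will fail at sign-in) and excess consent
    (privilege beyond what the registration declares)."""
    requested = requested_scopes(app, resource_sp)
    granted = granted_scopes(grants, client_sp_id, resource_sp["id"])
    return {
        "requested": requested,
        "granted": granted,
        "missing": requested - granted,
        "excess": granted - requested,
    }


if __name__ == "__main__":
    report = audit(TEST_APP, TEST_APP_SP_ID, MSGRAPH_SP, GRANTS)
    for key in ("requested", "granted", "missing", "excess"):
        print(f"{key:>9}: {sorted(report[key])}")
```

On the constructed input the report shows nothing missing and `User.Read` as excess consent, which is exactly the kind of drift that Terraform's `claim_values` list will not remove for you because the extra grant is a separate object. Against a real tenant the same three functions can be fed the JSON returned by the Graph endpoints named in the comments.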