
Am I assigning the app role permission below in azuread.tf incorrectly?

resource "azuread_application" "resource_creation" {
  display_name = local.azad_resource_creation_sp_name

  app_role {
    # ensuring app role definition can be assigned to other applications (the service principal)
    allowed_member_types = ["Application"]
    # enabling the app role
    enabled = true
    # app role description used when the role is being assigned
    description = "Pre Requisite application role for service principal authentication"
    # app role display name that shows during app role assignment
    display_name = "Role assigned - Application.ReadWrite.All"
    # unique identifier of the app role, sourced from https://learn.microsoft.com/en-us/graph/permissions-reference
    id = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
  }
}

After applying the config I receive the following error:

Error: Could not create application

  with azuread_application.service_connection,
  on azuread.tf line 14, in resource "azuread_application" "service_connection":
  resource "azuread_application" "service_connection" {

ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

I have referenced other code examples, and in this instance I am authenticating via a service principal. Hence the reason why I have assigned the Application.ReadWrite.All role. Sourced here – Microsoft Graph permissions reference

Do I need an app role assignment? Or are additional application roles required in addition to the Application.ReadWrite.All role?

2 Answers


  1. Looking at the error type with the code 403, I would say it is an error with your Azure account role through which you are trying to manage and deploy the Terraform resources. So just check that your user's service role is either "Application Administrator" or "Application Developer".
    ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

  2. Because you are logging in via a Service Principal,

    you must assign to this Service Principal the role of "Application administrator" or "Application developer" in your Azure Active Directory.


    Hope this helps!

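Both answers point at the same root cause: the 403 comes from the identity Terraform is running as, not from the app_role block in the question. An app_role defined on your own application only creates a role that other principals can be assigned to on that application; reusing the GUID of Microsoft Graph's Application.ReadWrite.All permission as its id grants nothing on Graph. What the service principal needs is either a directory role (as the answers say) or the Graph application permission itself, granted and consented. The configuration below is an added example, not code from the question or the answers. It assumes the azuread provider 3.x, a service principal named sp-terraform-deploy (a placeholder name), and that this particular apply is run as a user who can already assign directory roles (for example a Privileged Role Administrator); the service principal being elevated cannot bootstrap its own privileges.

```hcl
# Added example: grant the Terraform service principal the rights it needs
# to create applications. Apply this once as a sufficiently privileged user,
# then switch the pipeline back to service-principal authentication.

# The service principal that Terraform will later authenticate as.
# The display name is an assumption; substitute your own.
data "azuread_service_principal" "terraform" {
  display_name = "sp-terraform-deploy"
}

# Microsoft Graph's own service principal, looked up by its well-known
# application (client) ID. Its app roles are the "application permissions"
# listed in the Graph permissions reference.
data "azuread_service_principal" "msgraph" {
  client_id = "00000003-0000-0000-c000-000000000000"
}

# Option A (what both answers suggest): put the service principal in the
# "Application Administrator" directory role. Built-in roles are addressed
# by template ID, which the azuread_directory_role resource exports.
resource "azuread_directory_role" "app_admin" {
  display_name = "Application Administrator"
}

resource "azuread_directory_role_assignment" "terraform_app_admin" {
  role_id             = azuread_directory_role.app_admin.template_id
  principal_object_id = data.azuread_service_principal.terraform.object_id
}

# Option B (narrower): grant only the Graph application permission
# Application.ReadWrite.All to the service principal. This is an app role
# assignment on Graph's service principal, which is what admin consent
# creates under the hood. The role ID is read from Graph's manifest instead
# of being hard-coded, so there is no GUID to mistype.
resource "azuread_app_role_assignment" "terraform_app_rw" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Application.ReadWrite.All"]
  principal_object_id = data.azuread_service_principal.terraform.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

Pick one option rather than both. Option B is the least-privilege choice if all the pipeline does is create and manage app registrations; Application Administrator additionally covers enterprise applications, consent and app proxy settings. Either way, the app_role block in the original azuread_application resource can be dropped, since it plays no part in what the service principal is allowed to do against Graph.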