Using a Terraform service principal to manage an application registration with azuread_application fails with Authorization_RequestDenied: Insufficient privileges to complete the operation.

Eugene 1 Reputation point
2021-11-09T10:39:24.76+00:00

Using a Terraform service principal to manage an application registration with azuread_application fails with: ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

The service principal has the following permissions: Directory.ReadWrite.All on Microsoft Graph and the Cloud Application Administrator role.

main.tf:
data "azuread_client_config" "current" {}

# Inputs referenced below (declarations added so the file plans on its own).
variable "kv_app_principal_display_name" { type = string }
variable "environment"                   { type = string }

resource "azuread_application" "app" {
  display_name = "${var.kv_app_principal_display_name}${var.environment}"
  //owners = [data.azuread_client_config.current.object_id]
}

resource "azuread_application_password" "app" {
  # This argument takes the application's object ID, not its application (client) ID.
  application_object_id = azuread_application.app.object_id
  end_date              = "2299-12-30T23:00:00Z"
}

azuread_application.app: Creating...

│ Error: Could not create application

│ with azuread_application.app,
│ on application.tf line 3, in resource "azuread_application" "app":
│ 3: resource "azuread_application" "app" {

│ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Micheal Falowo 6 Reputation points
    2023-04-16T21:28:18.7066667+00:00

    To manage Azure AD objects using your service principal, you'll need to add the following API permissions to your app registration manifest. Please be cautious not to provide permissions you do not want your SPN to have. Once the permissions are added, you will need to grant admin consent in order for those permissions to be effective. Please let me know if this works for you.

        "requiredResourceAccess": [
          {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
              { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" },
              { "id": "18a4783c-866b-4cc7-a460-3d5e5662c884", "type": "Role" },
              { "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role" },
              { "id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role" },
              { "id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "type": "Role" },
              { "id": "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30", "type": "Role" },
              { "id": "dbaae8cf-10b5-4b86-a4a1-f871c94c6695", "type": "Role" },
              { "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role" }
            ]
          },
          {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
              { "id": "3afa6a7d-9b1a-42eb-948e-1650a849e176", "type": "Role" },
              { "id": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175", "type": "Role" }
            ]
          }
        ]
    
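The answer's manifest is a list of GUIDs, and the difference between "permission added to the manifest" and "permission admin-consented" is exactly what separates a working Terraform run from the 403 in the question. The following is an added example, not code from the question, the answer or the azuread provider: it maps the manifest's GUIDs to permission names, decodes the payload of the app-only access token the service principal obtains (signature not verified, inspection only) and reports which requested application permissions are absent from the token's `roles` claim, i.e. not yet consented. It also lists permissions broader than Application.ReadWrite.OwnedBy, the least-privileged Graph permission for creating app registrations the caller owns. The manifest fragment, the service principal's app ID and the tokens are constructed inputs for the example.

```python
"""Diagnose a 403 Authorization_RequestDenied from a Terraform service principal.

Added example (not from the question or the answer). Runs offline:
  1. names the permission GUIDs in a manifest's requiredResourceAccess,
  2. compares them with the `roles` claim of an app-only access token
     (a Role in the manifest but not in `roles` lacks admin consent),
  3. lists application permissions broader than Application.ReadWrite.OwnedBy.
Only the JWT payload is decoded; the signature is NOT verified. Use this to
inspect a token, never to make an authorization decision.
"""
import base64
import json

MS_GRAPH = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
AAD_GRAPH = "00000002-0000-0000-c000-000000000000"  # Azure AD Graph (legacy API)

# Permission IDs as they appear in the posted manifest, mapped to their names.
PERMISSION_NAMES = {
    (MS_GRAPH, "e1fe6dd8-ba31-4d61-89e7-88639da4683d"): "User.Read",
    (MS_GRAPH, "18a4783c-866b-4cc7-a460-3d5e5662c884"): "Application.ReadWrite.OwnedBy",
    (MS_GRAPH, "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"): "Application.ReadWrite.All",
    (MS_GRAPH, "62a82d76-70ea-41e2-9197-370581804d09"): "Group.ReadWrite.All",
    (MS_GRAPH, "19dbc75e-c2e2-444c-a770-ec69d8559fc7"): "Directory.ReadWrite.All",
    (MS_GRAPH, "9a5d68dd-52b0-4cc2-bd40-abcf44ac3a30"): "Application.Read.All",
    (MS_GRAPH, "dbaae8cf-10b5-4b86-a4a1-f871c94c6695"): "GroupMember.ReadWrite.All",
    (MS_GRAPH, "7ab1d382-f21e-4acd-a863-ba3e13f7da61"): "Directory.Read.All",
    (AAD_GRAPH, "3afa6a7d-9b1a-42eb-948e-1650a849e176"): "Application.ReadWrite.OwnedBy",
    (AAD_GRAPH, "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175"): "Directory.ReadWrite.All",
}

# Graph application permissions that allow POST /applications. OwnedBy is the
# least-privileged choice: the caller can only manage apps it created/owns.
CREATE_APP_ROLES = {"Application.ReadWrite.OwnedBy", "Application.ReadWrite.All"}
LEAST_PRIVILEGE = "Application.ReadWrite.OwnedBy"


def manifest_permissions(manifest):
    """Flatten requiredResourceAccess into records with a human-readable name."""
    records = []
    for resource in manifest.get("requiredResourceAccess", []):
        rid = resource["resourceAppId"]
        for access in resource.get("resourceAccess", []):
            name = PERMISSION_NAMES.get((rid, access["id"]), f"<unknown {access['id']}>")
            records.append({"resource": rid, "id": access["id"],
                            "name": name, "type": access["type"]})
    return records


def decode_jwt_payload(token):
    """Return the claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def missing_consent(manifest, token, resource_app_id=MS_GRAPH):
    """Application permissions requested in the manifest but absent from the
    token's `roles` claim, i.e. not yet admin-consented. Delegated "Scope"
    entries are skipped: they never appear in an app-only token."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(p["name"] for p in manifest_permissions(manifest)
                  if p["resource"] == resource_app_id and p["type"] == "Role"
                  and p["name"] not in granted)


def can_create_applications(token):
    """True if the token carries a Graph permission that permits POST /applications."""
    return bool(set(decode_jwt_payload(token).get("roles", [])) & CREATE_APP_ROLES)


def broader_than_needed(manifest):
    """Application permissions in the manifest beyond the least-privileged one
    (assumes the principal only needs to manage app registrations it owns)."""
    return sorted(p["name"] for p in manifest_permissions(manifest)
                  if p["type"] == "Role" and p["name"] != LEAST_PRIVILEGE)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Build a JWT-shaped string with a dummy signature (constructed test data)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), _b64url(b"dummy")])


# Constructed inputs: a trimmed copy of the answer's manifest and two fake tokens
# (a real app-only token also carries iss, iat, exp, tid and oid claims).
EXAMPLE_MANIFEST = {"requiredResourceAccess": [{"resourceAppId": MS_GRAPH, "resourceAccess": [
    {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"},
    {"id": "18a4783c-866b-4cc7-a460-3d5e5662c884", "type": "Role"},
    {"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "type": "Role"},
    {"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "type": "Role"},
]}]}
SP_APP_ID = "11111111-2222-3333-4444-555555555555"  # hypothetical Terraform SP
TOKEN_BEFORE_CONSENT = make_unsigned_token({"aud": "https://graph.microsoft.com", "appid": SP_APP_ID})
TOKEN_AFTER_CONSENT = make_unsigned_token({"aud": "https://graph.microsoft.com", "appid": SP_APP_ID,
                                           "roles": ["Application.ReadWrite.OwnedBy"]})

if __name__ == "__main__":
    for p in manifest_permissions(EXAMPLE_MANIFEST):
        print(f"{p['type']:5} {p['name']}")
    print("not consented:", missing_consent(EXAMPLE_MANIFEST, TOKEN_BEFORE_CONSENT))
    print("can create apps before consent:", can_create_applications(TOKEN_BEFORE_CONSENT))
    print("can create apps after consent: ", can_create_applications(TOKEN_AFTER_CONSENT))
    print("broader than needed:", broader_than_needed(EXAMPLE_MANIFEST))
```

To use it against a real run, obtain the token Terraform's service principal gets (for example from the provider's debug log or a client-credentials request made with the same credentials) and pass it to missing_consent together with the app registration's manifest; an empty list means every requested application permission has been consented, so a remaining 403 is not a consent problem. Because the signature is never checked, the decoded claims tell you what the issuer put in the token but prove nothing about who presented it.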
