I've created a service principal with an Owner role:

    ➜ ~ az account set --subscription="47a..."
    ➜ ~ az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/47a...
and then I copied

    {
      "appId": "bc8a...",
      "displayName": "azure-cli-2022-04-25-23-55-25",
      "password": "...",
      "tenant": "..."
    }

the params to authenticate to the azuread TF Provider, which has the following code:
    data "azuread_service_principal" "peering_creator" {
      # Hardcoded custom client_id
      application_id = "abc..."
    }
and get

    Error: Listing service principals for filter "appId eq '...'"

      on main.tf line 248, in data "azuread_service_principal" "peering_creator":
     248: data "azuread_service_principal" "peering_creator" {

    ServicePrincipalsClient.BaseClient.Get(): unexpected status 403 with OData
    error: Authorization_RequestDenied: Insufficient privileges to complete the
    operation.
CodePudding user response:
Terraform doesn't support authenticating using a Service Principal via the Azure CLI; you need to instead specify the credentials either through Environment Variables or in the Provider block.
In addition, as listed on the azurerm_azuread_application page, the Service Principal being used needs to have the appropriate permissions to Azure Active Directory (which is unrelated to the Azure Subscription):
NOTE: If you're authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.
If you update the permissions on this Service Principal then it should be possible to create applications.
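As an added illustration of the answer above (not code from the question or the answer), this is what a provider block looks like when the service principal's credentials are passed to the azuread provider directly instead of relying on the Azure CLI login; the tenant and client IDs are placeholders, the secret comes from a sensitive variable, and the service principal is assumed to have already been granted the directory permissions the answer describes.

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

# Supplied via TF_VAR_client_secret or a .tfvars file, never hardcoded.
variable "client_secret" {
  type      = string
  sensitive = true
}

provider "azuread" {
  # Placeholder values; use the "tenant" and "appId" returned by
  # `az ad sp create-for-rbac` for the service principal Terraform runs as.
  tenant_id     = "00000000-0000-0000-0000-000000000000"
  client_id     = "00000000-0000-0000-0000-000000000000"
  client_secret = var.client_secret

  # Do not fall back to the Azure CLI token; fail loudly if the
  # credentials above are missing rather than silently using a CLI login.
  use_cli = false
}

# The lookup from the question; it still needs the directory-level
# permissions from the NOTE above, not just Owner on the subscription.
data "azuread_service_principal" "peering_creator" {
  application_id = "abc..."  # placeholder, as in the question
}
```

The same three values can instead be set as the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID, leaving the provider block empty apart from `use_cli = false`.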