I am provisioning some Azure infrastructure using Terraform. Included in the setup requirement is some configuration of an Azure AD registered app and this requires the following Microsoft Graph permissions to be granted (see image below):
- GroupMember.Read.All
- email (OpenId)
Within my Terraform configuration, I have the below code snippet included in my resource "azuread_application" block, within the required_resource_access sub-block. For the resource_access ids, I have used the values provided on this Microsoft page -
My Terraform configuration is currently able to successfully add the GroupMember.Read.All permission, but somehow it fails to add the required Email permission as depicted in the screenshot below, displaying the GUID reference instead of the actual name "email".
What I'd also like to do in my Terraform configuration is grant admin consent for both API permissions (depicted in the rightmost column).
Any tips on how I can achieve all of the above?
CodePudding user response:
For the permission type, Scope corresponds to the Delegated permission type, whereas Role is the Application type. The email OpenID scope is a Delegated permission type, so you need to change the permission type from Role to Scope:
resource_access {
  id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"
  type = "Scope"
}
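The following is an added, complete example that is not part of the original question or answer. It shows both permissions declared with the correct types (Role for the application permission GroupMember.Read.All, Scope for the delegated email claim) and then grants admin consent for both from Terraform, which the answer above does not cover. It assumes the hashicorp/azuread provider v2.x (the azuread_application_published_app_ids and azuread_service_principal data sources, azuread_app_role_assignment and azuread_service_principal_delegated_permission_grant all exist there); the resource names "example", "msgraph", "well_known" and the display name are placeholders. Instead of hardcoding GUIDs, it looks the permission IDs up by name from the Microsoft Graph service principal, which avoids the Role/Scope mix-up that produced the bare GUID in the portal.

```hcl
# Added example (not from the original post). Assumes hashicorp/azuread v2.x.
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# Well-known application IDs published by Microsoft; result.MicrosoftGraph is
# 00000003-0000-0000-c000-000000000000 (the value hardcoded in most snippets).
data "azuread_application_published_app_ids" "well_known" {}

# The Microsoft Graph service principal in this tenant; exposes maps of
# app role IDs (application permissions) and OAuth2 scope IDs (delegated).
data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

resource "azuread_application" "example" {
  display_name = "example-app" # placeholder name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # Application permission -> type = "Role", looked up from app_role_ids
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["GroupMember.Read.All"]
      type = "Role"
    }

    # Delegated (OpenID) permission -> type = "Scope", looked up from
    # oauth2_permission_scope_ids. Using the wrong map or the wrong type is
    # why the portal shows a raw GUID instead of the name "email".
    resource_access {
      id   = data.azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"]
      type = "Scope"
    }
  }
}

# Admin consent is granted to the service principal, not the app object,
# so the app needs a service principal in the tenant.
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Admin consent for the application permission = an app role assignment
# of the Graph app role to our service principal.
resource "azuread_app_role_assignment" "groupmember_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["GroupMember.Read.All"]
  principal_object_id = azuread_service_principal.example.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# Admin consent for the delegated permission = a tenant-wide delegated
# permission grant (no user_object_id means "all users").
resource "azuread_service_principal_delegated_permission_grant" "email" {
  service_principal_object_id          = azuread_service_principal.example.object_id
  resource_service_principal_object_id = data.azuread_service_principal.msgraph.object_id
  claim_values                         = ["email"]
}
```

The identity running terraform apply must itself be allowed to consent: in practice that means a directory role such as Application Administrator or Global Administrator, or a service principal holding AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All. Without that, the application and its required_resource_access are created but the two consent resources fail with an authorization error, which is the expected least-privilege behaviour rather than a bug in the configuration.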