Am I assigning the app role permission below in azuread.tf incorrectly?
    resource "azuread_application" "resource_creation" {
      display_name = local.azad_resource_creation_sp_name

      app_role {
        # ensuring app role definition can be assigned to other applications (the service principal)
        allowed_member_types = ["Application"]
        # enabling the app role
        enabled = true
        # app role description used when the role is being assigned
        description = "Pre Requisite application role for service principal authentication"
        # app role display name that shows during app role assignment
        display_name = "Role assigned - Application.ReadWrite.All"
        # unique identifier of the app role, sourced from https://learn.microsoft.com/en-us/graph/permissions-reference
        id = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
      }
    }
After applying the config I receive the following error:

    Error: Could not create application

      with azuread_application.service_connection
      on azuread.tf line 14, in resource "azuread_application" "service_connection":
      resource "azuread_application" "service_connection" {

    ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
I have referenced other code examples, and in this instance I am authenticating via a service principal. Hence I have assigned the Application.ReadWrite.All role. Sourced here -
Hope this helps!
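For contrast, an added example (not the asker's code) of how a Microsoft Graph application permission is requested on an application and then granted to its service principal with the azuread provider; it assumes azuread provider v2.x attribute names and a constructed display name. An app_role block inside azuread_application defines a role that the asker's own application exposes to others, which is a different thing from that application's service principal holding a Graph permission.

```hcl
# Added example, not from the original post. Assumes azuread provider v2.x
# attribute names. The Graph app id and the Application.ReadWrite.All role id
# are the well-known values published in the Graph permissions reference.

locals {
  msgraph_app_id               = "00000003-0000-0000-c000-000000000000"
  application_readwrite_all_id = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
}

# The Microsoft Graph service principal that already exists in the tenant;
# it is the resource that exposes the Application.ReadWrite.All app role.
data "azuread_service_principal" "msgraph" {
  application_id = local.msgraph_app_id
}

# The application whose service principal will run Terraform.
# required_resource_access only records the request in the app manifest;
# the permission is not effective until it has been admin-consented.
resource "azuread_application" "terraform_runner" {
  display_name = "terraform-runner" # constructed name

  required_resource_access {
    resource_app_id = local.msgraph_app_id

    resource_access {
      id   = local.application_readwrite_all_id
      type = "Role" # "Role" = application permission, "Scope" = delegated
    }
  }
}

resource "azuread_service_principal" "terraform_runner" {
  application_id = azuread_application.terraform_runner.application_id
}

# Grants (admin-consents) the application permission to the runner's
# service principal. The identity that applies this block must itself be
# allowed to grant app role assignments; a 403 Authorization_RequestDenied
# here means the applying identity lacks that right, not the runner.
resource "azuread_app_role_assignment" "graph_application_readwrite_all" {
  app_role_id         = local.application_readwrite_all_id
  principal_object_id = azuread_service_principal.terraform_runner.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

The permission grant must be applied by an identity that already has the rights to grant it; a service principal cannot bootstrap its own Graph permissions through the application it is creating.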