I’m trying to create an azuread_application with application permissions over the Graph API. I’m doing it just as it says in the documentation:
```hcl
resource "azuread_application" "sp_app" {
  provider                   = azuread.myprovider
  name                       = "myapplicationname"
  available_to_other_tenants = true
  type                       = "native"

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    resource_access {
      id   = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
      type = "Role"
    }
  }
}
```
And I’m getting the following error:
```
graphrbac.ApplicationsClient#Patch: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="Unknown"
Message="Unknown service error" Details=[{"odata.error":{"code":"Request_BadRequest","date":"2020-01-13T17:10:00","message":{"lang":"en","value":"Property requiredResourceAccess.resourceAccess is invalid."},"requestId":"84401250-b2dc-4c6c-baa9-910ac1546158","values":[{"item":"PropertyName","value":"requiredResourceAccess.resourceAccess"},{"item":"PropertyErrorCode","value":"GenericError"}]}}]
```
I thought it was a permissions issue, since I’m logging in with a Service Principal, but it has the permissions specified in the documentation as well:
> NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write owned by applications and Sign in and read user profile within the Windows Azure Active Directory API.
I was able to make it work by using a webapp/api application instead of native.
I also obtained some TRACE level logs, and it looks like the problem comes when, after creating the app with the permissions, there’s a PATCH request to make the app public:
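For reference, the variant the post reports as working, written out as an added example rather than code from the original post: the same application block with `type = "webapp/api"` in place of `native`. The provider alias, name, Graph app ID and app-role ID are the ones given in the post and are not verified here.

```hcl
# Added example: the working variant described in the post (type = "webapp/api").
# Provider alias, name and IDs are taken as given from the post.
resource "azuread_application" "sp_app" {
  provider                   = azuread.myprovider
  name                       = "myapplicationname"
  available_to_other_tenants = true
  type                       = "webapp/api" # "native" triggers the 400 on the follow-up PATCH

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"
      type = "Role" # application permission (app-role), not a delegated "Scope"
    }
  }
}
```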