Hi,
since the latest “azureAD” updates we face some problems with our Terraform Azure scripts.
In some scripts the following error occurs with “terraform plan”:
Error: building client: unable to obtain access token: running Azure CLI: exit status 1: ERROR: AADSTS530003: Your device is required to be managed to access this resource.
│ Trace ID: xxx
│ Correlation ID: xxx
│ Timestamp: xx
│ To re-authenticate, please run ‘az login’. If the problem persists, please contact your tenant administrator.
│
│ with provider[“Terraform Registry”],
│ on main.tf line 9, in provider “azuread”:
│ 9: provider “azuread” {
Strangely enough, the error does not occur with other scripts that use the same azureAD provider plugin.
The re-authetication does not fix the problem.
Through an analysis with Fiddler, we found the following point during the login, which seems to be causing the problems:
“token_type”: “Bearer”,
“scope”: “AuditLog.Read.All Directory.AccessAsUser.All Group.ReadWrite.All User.ReadWrite.All”,
“resource”: “https://graph.microsoft.com/”,
Due to the scope, our Azure Access Policies block this request.
Conditional-Access policy was set on the service of Exchange-Online and SharePoint Online. Using the Graph Scope of “Group.ReadWrite.All” caused the activiation and policy enforcement of both services
The main interests are:
- Does the azureAD provider plugin offer the option to switch off or change these “default” scopes?
- Are these scopes resource dependent? If so, which resources are affected?
As a workaround, we first set the azureAD plugin version to 1.6.0 in our scripts.
Thank you for your answers in advance.
Kind regards
Thorsten