azureAD provider 2+ issues

Hi,
Since the latest “azureAD” provider updates we face some problems with our Terraform Azure scripts.

In some scripts the following error occurs with “terraform plan”:

```text
Error: building client: unable to obtain access token: running Azure CLI: exit status 1: ERROR: AADSTS530003: Your device is required to be managed to access this resource.
│ Trace ID: xxx
│ Correlation ID: xxx
│ Timestamp: xx
│ To re-authenticate, please run 'az login'. If the problem persists, please contact your tenant administrator.
│
│ with provider["registry.terraform.io/hashicorp/azuread"],
│ on main.tf line 9, in provider "azuread":
│ 9: provider "azuread" {
```

Strangely enough, the error does not occur with other scripts that use the same azureAD provider plugin.

The re-authentication does not fix the problem.

Through an analysis with Fiddler, we found the following point during the login, which seems to be causing the problems:

```json
"token_type": "Bearer",
"scope": "AuditLog.Read.All Directory.AccessAsUser.All Group.ReadWrite.All User.ReadWrite.All",
"resource": "https://graph.microsoft.com/",
```

Due to the scope, our Azure Access Policies block this request.

The Conditional Access policy was set on the services Exchange Online and SharePoint Online. Using the Graph scope “Group.ReadWrite.All” caused the activation and policy enforcement of both services.

The main interests are:

  1. Does the azureAD provider plugin offer the option to switch off or change these “default” scopes?
  2. Are these scopes resource dependent? If so, which resources are affected?

As a workaround, we first set the azureAD plugin version to 1.6.0 in our scripts.

Thank you for your answers in advance.

Kind regards
Thorsten
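A small diagnostic that is not part of the original post: it decodes the Graph access token the Azure CLI hands to the provider and lists the delegated scopes (the `scp` claim), so you can compare what the CLI actually obtained against the four scopes seen in the Fiddler trace above. The sample token is constructed and unsigned; the script only decodes and does not verify signatures, and the file name `inspect_scopes.py` in the usage comment is an assumption.

```python
# Added example (not from the original post or the azuread provider):
# inspect which delegated Graph scopes ("scp") an Azure CLI access token carries.
# Decoding only; signatures are NOT verified here (use a JWT library for that).
import base64
import json
import sys

# Scopes the post's Fiddler trace showed the azuread provider requesting.
PROVIDER_SCOPES = {"AuditLog.Read.All", "Directory.AccessAsUser.All",
                   "Group.ReadWrite.All", "User.ReadWrite.All"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def graph_scopes(token: str) -> set:
    """Delegated scopes granted in the token ("scp" is space-separated)."""
    return set(jwt_claims(token).get("scp", "").split())

def broad_write_scopes(token: str) -> set:
    """Scopes in the token that grant tenant-wide write access."""
    return {s for s in graph_scopes(token) if s.endswith("ReadWrite.All")}

def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed JWT for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   az account get-access-token --resource https://graph.microsoft.com \
    #     --query accessToken -o tsv | python inspect_scopes.py
    # Without piped input, a constructed token with the post's scopes is used.
    tok = sys.stdin.read().strip() if not sys.stdin.isatty() else make_sample_token(
        {"aud": "https://graph.microsoft.com", "scp": " ".join(sorted(PROVIDER_SCOPES))})
    print("aud:", jwt_claims(tok).get("aud"))
    print("scopes:", sorted(graph_scopes(tok)))
    print("broad write scopes:", sorted(broad_write_scopes(tok)))
```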