Azuread_service_principal permissions Directory.ReadWrite.All


I created a GitHub issue for this but maybe it's better to ask here…

We are trying to use a service principal to provision other service principals using the terraform azuread provider and according to the docs:

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.All or Directory.ReadWrite.All

Could someone explain why the permissions need to be so broad? We are a little constrained by our governance, but we are able to use `az ad sp create` as objects without the above permissions and it works OK.

I am running into similar behavior but in a different use case.

I believe the answer lies in the fact that Terraform is using MS Graph API calls, so you need to explicitly add the API permissions to the Service Principal.

Hey - yeah, we got our problem resolved. For anyone stumbling here: as @kvietmeier mentioned, we had to give the provisioning SP the Application.ReadWrite.OwnedBy permission in the Microsoft Graph API and then explicitly set the application and SP owner. Microsoft doesn't do this automatically, and without it the provisioning SP can create other SPs but fails to patch or delete them.

In short, the following worked for us in conjunction with the permission above:

# Declared here so the snippet stands alone; the original post referenced
# var.sp_name and var.expiry_date without declaring them.
variable "sp_name" {
  type = string
}

variable "expiry_date" {
  type        = string
  description = "RFC3339 end date for the SP password, e.g. 2025-01-01T00:00:00Z"
}

data "azurerm_subscription" "current" {}

data "azurerm_client_config" "current" {}
data "azuread_client_config" "current" {}

# first you need an azure application
resource "azuread_application" "app" {
  display_name = var.sp_name
  # the identity running terraform (the provisioning SP) must be an explicit
  # owner, otherwise Application.ReadWrite.OwnedBy cannot patch/delete it later
  owners       = [data.azuread_client_config.current.object_id]
}

# service principal
resource "azuread_service_principal" "sp" {
  application_id               = azuread_application.app.application_id
  app_role_assignment_required = false
  # same ownership requirement applies to the service principal object
  owners                       = [data.azuread_client_config.current.object_id]
}

# client secret for the new service principal
resource "azuread_service_principal_password" "sp_pwd" {
  service_principal_id = azuread_service_principal.sp.object_id
  end_date             = var.expiry_date
}
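The Graph permission this thread settles on, Application.ReadWrite.OwnedBy, can itself be granted from Terraform instead of being clicked through the portal. The block below is an added example and is not code from the thread above or from the azuread provider documentation. It assumes azuread provider 2.x attribute names (`application_id`, which 3.x renames to `client_id`) and creates a hypothetical `provisioner` application and service principal to stand in for whatever identity will later run the plan that creates the child SPs.

```hcl
# Added example (not from the thread): grant the provisioning SP the
# Microsoft Graph application role Application.ReadWrite.OwnedBy.
# Assumes azuread provider 2.x attribute names.

# Well-known application IDs published by Microsoft, so the Microsoft Graph
# app ID does not have to be hard-coded.
data "azuread_application_published_app_ids" "well_known" {}

# The Microsoft Graph service principal in this tenant. Its app_role_ids map
# resolves the permission's value name to the role GUID, so no GUID is
# hard-coded here either.
data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

# Assumption: this is the SP that will later run the Terraform plan creating
# the child applications and service principals (name is hypothetical).
resource "azuread_application" "provisioner" {
  display_name = "sp-provisioner"
}

resource "azuread_service_principal" "provisioner" {
  application_id = azuread_application.provisioner.application_id
}

# Application permissions (appRoles) are granted by creating an app role
# assignment on the resource (Microsoft Graph) service principal. Doing this
# in Terraform is the same as granting admin consent for that one role, so
# the identity applying *this* configuration needs consent rights (for
# example AppRoleAssignment.ReadWrite.All); the provisioner itself does not.
resource "azuread_app_role_assignment" "owned_by" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Application.ReadWrite.OwnedBy"]
  principal_object_id = azuread_service_principal.provisioner.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

After this is applied, the provisioner can create applications and service principals and, provided it is listed in the `owners` of each one (as in the snippet above), update and delete them. It still cannot read or modify applications it does not own, which is the narrower blast radius the original poster was after compared with Application.ReadWrite.All or Directory.ReadWrite.All.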