Currently building a new app with Terraform in Azure, and we’d like the SSO configuration for the app to be integrated into our Terraform definitions. From what I’ve found, I’ve gotten the SSO portion working, but only via Azure’s ‘classic’ authentication, which it warns me is being deprecated, as shown in the error message below.
I’ve read through all the documentation on configuring the app service for SSO, but it’s not clear to me what I’m doing that’s forcing me into classic mode.
Terraform definitions are below; note that I’ve pared it down to just the app service, app registration, and enterprise app. There are some references to other pieces, like owner groups, that I’ve not included, but they do all properly resolve and the code does run.
# App Service hosting the web app. The auth_settings block here is what
# configures the platform's built-in authentication (Easy Auth).
resource "azurerm_app_service" "appWebExt" {
  name                    = var.web_path
  location                = azurerm_resource_group.rg.location
  resource_group_name     = azurerm_resource_group.rg.name
  app_service_plan_id     = azurerm_app_service_plan.plan.id
  client_affinity_enabled = true

  site_config {
    dotnet_framework_version = "v5.0"
    ftps_state               = "AllAllowed" # permits both FTP and FTPS deployment connections
    http2_enabled            = true
  }

  auth_settings {
    enabled = true

    microsoft {
      client_id     = azuread_service_principal.appEnt.application_id
      client_secret = azuread_service_principal_password.appEntPass.value
    }
  }
}

# App registration (the application object in Azure AD).
resource "azuread_application" "appReg" {
  display_name = var.app_registration_name
  owners       = data.azuread_users.appRegOwners.object_ids

  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"
    }
  }

  web {
    homepage_url = "https://${var.web_path}.azurewebsites.net/"

    # Each URI listed once; the original list repeated the first three entries.
    redirect_uris = [
      "https://${var.web_path}.azurewebsites.net/",
      "https://${var.web_path}.azurewebsites.net/signin-oidc",
      "https://${var.web_path}.azurewebsites.net/.auth/login/aad/callback",
      "https://localhost:44359/signin-oidc"
    ]

    implicit_grant {
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = true
    }
  }
}

# Enterprise application (the service principal for the registration above).
resource "azuread_service_principal" "appEnt" {
  application_id = azuread_application.appReg.application_id
  owners         = data.azuread_users.appRegOwners.object_ids

  feature_tags {
    enterprise            = true
    custom_single_sign_on = true
  }
}

# Client secret used by the App Service to authenticate to Azure AD.
resource "azuread_service_principal_password" "appEntPass" {
  service_principal_id = azuread_service_principal.appEnt.object_id
}
So ultimately, what needs to change here so that I use the more up-to-date authentication mode instead of classic auth?
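For reference, the following is an added example, not part of the original post, of how the same App Service can be expressed with the newer App Service Authentication (V2) configuration that the azurerm provider exposes as an `auth_settings_v2` block on its `azurerm_windows_web_app` resource (the older `azurerm_app_service` resource only offers the `auth_settings` block, which maps to the classic V1 configuration). It assumes azurerm provider 3.x, a `var.tenant_id` variable holding the Azure AD tenant id, and the `azuread_application`, `azuread_service_principal_password`, resource group and plan resources named as in the post; everything else is illustrative. V2 also lets you require authentication for every request and point at the tenant's v2.0 issuer explicitly, which keeps anonymous access and token-issuer assumptions out of the application code.

```hcl
# Added example, not the original poster's code. Assumes azurerm 3.x,
# var.tenant_id, and the azuread_* resources from the post.
resource "azurerm_windows_web_app" "appWebExt" {
  name                = var.web_path
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  service_plan_id     = azurerm_app_service_plan.plan.id # plan from the post

  site_config {}

  # V2 reads the client secret from an app setting instead of storing it
  # inside the auth configuration; the setting name is referenced below.
  app_settings = {
    MICROSOFT_PROVIDER_AUTHENTICATION_SECRET = azuread_service_principal_password.appEntPass.value
  }

  auth_settings_v2 {
    auth_enabled           = true
    require_authentication = true                 # no anonymous requests reach the app
    unauthenticated_action = "RedirectToLoginPage"
    default_provider       = "azureactivedirectory"

    active_directory_v2 {
      client_id                  = azuread_application.appReg.application_id
      # Tenant-scoped v2.0 issuer; var.tenant_id is an assumed variable.
      tenant_auth_endpoint       = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
    }

    login {
      token_store_enabled = true # lets the app read the user's tokens via /.auth/me
    }
  }
}
```

The `/.auth/login/aad/callback` redirect URI already present in the app registration is the one the platform uses for this flow, so the registration itself does not need to change for V2.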