Configuring Azure SSO via Terraform

Currently building a new app with Terraform in Azure, and we’d like the SSO configuration for the app to be integrated into our Terraform definitions. From what I’ve found, I’ve gotten the SSO portion working, but only via Azure’s ‘classic’ authentication, which it warns me is being deprecated, as shown in the error message below.

I’ve read through all the documentation on configuring the app service for SSO, but it’s not clear to me what I’m doing that’s forcing me into classic mode.

Terraform definitions are below. Note that I’ve pared it down to just the app service, app registration, and enterprise app. There are some references to other pieces like owner groups that I’ve not included, but they do all properly resolve and the code does run.

resource "azurerm_app_service" "appWebExt" {
  name                = "${var.web_path}"
  location            = azurerm_resource_group.rg.location
  resource_group_name =
  app_service_plan_id =

  client_affinity_enabled = true

  site_config {
    dotnet_framework_version = "v5.0"
    ftps_state               = "AllAllowed"
    http2_enabled            = true
  }

  auth_settings {
    enabled = true
    microsoft {
      client_id     = azuread_service_principal.appEnt.application_id
      client_secret = azuread_service_principal_password.appEntPass.value
    }
  }
}

resource "azuread_application" "appReg" {
  display_name = "${var.app_registration_name}"
  owners       = data.azuread_users.appRegOwners.object_ids
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read
      type = "Scope"
    }
  }

  web {
    homepage_url = "https://${var.web_path}"
    redirect_uris = [
    ]
    implicit_grant {
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = true
    }
  }
}

resource "azuread_service_principal" "appEnt" {
  application_id = azuread_application.appReg.application_id
  owners         = data.azuread_users.appRegOwners.object_ids
  feature_tags {
    enterprise            = true
    custom_single_sign_on = true
  }
}

resource "azuread_service_principal_password" "appEntPass" {
  service_principal_id = azuread_service_principal.appEnt.object_id
}

So ultimately, what needs to change here so I use the more up-to-date authentication mode instead of the classic auth?