I've registered a single-page app + API server on Azure that allows Business + Personal account sign-in.
When I create this manually, a new user is shown a prompt telling them that their organisation admin needs to approve access to the application. However, when I create the registrations using Terraform, new users get the following error.
Can anyone suggest something I can try, please?
Thanks
locals {
  # Base name shared by every environment.
  app_base_display_name = "CompanyName- ProductName"

  # prod keeps the bare base name; every other environment gets " (<env>)"
  # appended so registrations in the same tenant stay distinguishable.
  app_display_name = format(
    "%s%s",
    local.app_base_display_name,
    var.environment == "prod" ? "" : " (${var.environment})",
  )
}
# Principal the AzureAD provider is authenticated as; its object_id is used
# below as the owner of each application registration and service principal.
data "azuread_client_config" "current" {}
# Microsoft-published well-known application IDs; only MicrosoftGraph is read below.
data "azuread_application_published_app_ids" "well_known" {}
# Random IDs generated once and kept in state, so the exposed scope id and the
# identifier URI stay stable across applies. server_api_scope_id is also the
# id the client registration requests in its required_resource_access.
resource "random_uuid" "server_api_scope_id" {}
resource "random_uuid" "server_api_uri_unique_id" {}
# Microsoft Graph's service principal in this tenant. use_existing adopts the
# one already present instead of attempting to create it; the applications
# below read its oauth2_permission_scope_ids map (User.Read, email, openid).
resource "azuread_service_principal" "msgraph" {
  use_existing   = true
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}
# API (back-end) registration: multi-tenant plus personal accounts, exposing a
# single delegated scope, access_as_user, which the front-end registration
# requests.
resource "azuread_application" "server" {
  display_name            = local.app_display_name
  prevent_duplicate_names = true
  sign_in_audience        = "AzureADandPersonalMicrosoftAccount"
  owners                  = [data.azuread_client_config.current.object_id]

  # NOTE(review): with a multi-tenant audience the identifier URI host is
  # expected to be a domain verified in the tenant -- confirm var.auth_domain is.
  identifier_uris = ["https://${var.auth_domain}/${random_uuid.server_api_uri_unique_id.result}"]

  web {
    homepage_url  = "https://CompanyNameProductName${var.environment}.azurewebsites.net"
    logout_url    = "https://CompanyNameProductName${var.environment}.azurewebsites.net/authentication/logout"
    redirect_uris = ["https://CompanyNameProductName${var.environment}.azurewebsites.net/"]

    # NOTE(review): implicit-flow access-token issuance is enabled on the API
    # registration while the front-end uses the single_page_application
    # platform (authorization code + PKCE). If nothing consumes implicit-flow
    # tokens this can be turned off to reduce exposure -- verify before changing.
    implicit_grant {
      access_token_issuance_enabled = true
    }
  }

  api {
    mapped_claims_enabled = true
    # NOTE(review): v2 access tokens; the AzureADandPersonalMicrosoftAccount
    # audience is expected to require version 2, so keep the two settings together.
    requested_access_token_version = 2

    # NOTE(review): the front-end registration is not listed in
    # known_client_applications / pre-authorised here, so users are prompted
    # to consent to access_as_user. A manually created registration that was
    # pre-authorised would behave differently -- worth comparing with the
    # manual registration when chasing the reported difference.
    oauth2_permission_scope {
      id      = random_uuid.server_api_scope_id.result
      value   = "access_as_user"
      type    = "User"
      enabled = true

      admin_consent_display_name = "Access user name and email address"
      admin_consent_description  = "Allow ProductName to access a user's name and email address."
      user_consent_display_name  = "Access your name and email address"
      user_consent_description   = "Allow ProductName to access your name and email address."
    }
  }

  # Delegated Graph scopes requested on behalf of the signed-in user.
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"]
      type = "Scope"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }
  }
}
# Service principal (enterprise app) for the API registration.
# app_role_assignment_required = false means no per-user assignment is needed
# beyond being in the registration's sign-in audience, which matches the
# intended Business + Personal sign-in.
resource "azuread_service_principal" "server" {
  owners                       = [data.azuread_client_config.current.object_id]
  app_role_assignment_required = false
  application_id               = azuread_application.server.application_id
}
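# Front-end (SPA) registration. Same audience as the API; requests the Graph
# sign-in scopes plus the API's access_as_user scope.
resource "azuread_application" "client" {
  display_name            = "${local.app_display_name} front-end"
  prevent_duplicate_names = true
  sign_in_audience        = "AzureADandPersonalMicrosoftAccount"
  owners                  = [data.azuread_client_config.current.object_id]

  api {
    mapped_claims_enabled          = true
    requested_access_token_version = 2
  }

  single_page_application {
    # Authorization code + PKCE callback of the hosted front-end. The
    # developer-machine localhost callback is registered only outside prod,
    # so the production registration never accepts a localhost redirect.
    redirect_uris = compact([
      "https://CompanyNameProductName${var.environment}.azurewebsites.net/authentication/login-callback",
      var.environment == "prod" ? "" : "https://localhost:6510/authentication/login-callback",
    ])
  }

  # Delegated Graph scopes for sign-in and basic profile.
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["email"]
      type = "Scope"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }
  }

  # The API's access_as_user scope (same uuid the server registration exposes).
  # NOTE(review): users of this client are prompted for consent to this scope
  # unless the server registration pre-authorises the client -- verify which
  # behaviour is wanted.
  required_resource_access {
    resource_app_id = azuread_application.server.application_id

    resource_access {
      id   = random_uuid.server_api_scope_id.result
      type = "Scope"
    }
  }
}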
# Service principal (enterprise app) for the front-end registration; no
# per-user assignment required, consistent with the API's service principal.
# NOTE(review): the manual "Grant Admin Consent" step listed in the to-do
# below can be expressed in Terraform as well (the azuread provider has a
# delegated-permission-grant resource) so the consent state is reproducible
# rather than clicked -- verify it fits the tenant's process.
resource "azuread_service_principal" "client" {
  owners                       = [data.azuread_client_config.current.object_id]
  app_role_assignment_required = false
  application_id               = azuread_application.client.application_id
}
## to do
## 1: In AAD grant the app permission to the API "access_as_user" (done)
## 2: Same screen, click Grant Admin Consent