TF Destroy - Inconsistent Deletion of First-Party Azure AD Applications

bhushangawale19 · October 26, 2023, 7:02am

We have a terraform package to deploy new Azure AD application registration, it also grants permissions to existing Microsoft first-party applications like SharePoint Online and MS Exchange Online, referencing them as demonstrated in the code below.

resource "azuread_service_principal" "exchange" {
  application_id = data.azuread_application_published_app_ids.well_known.result.Office365ExchangeOnline
  use_existing   = true
}

resource "azuread_service_principal" "sharepoint" {
  application_id = data.azuread_application_published_app_ids.well_known.result.Office365SharePointOnline
  use_existing   = true
}

resource "azuread_service_principal" "intune" {
  application_id = data.azuread_application_published_app_ids.well_known.result.InTune
  use_existing   = true
}

resource "azuread_service_principal" "teams" {
  application_id = data.azuread_application_published_app_ids.well_known.result.TeamsServices
  use_existing   = true
}

We have referred to the documentation of the flag use_existing = true Terraform Registry and understood the caveat associated with it.

In theory, when the “destroy” command is executed for this package, it should remove the Azure AD application registration as well as the referenced service principles marked with the “use_existing = true” flag. However, if it encounters any difficulties in deleting them, it will proceed with the execution, but any errors that occur will not be displayed.

According to Microsoft’s documentation, it’s not possible to delete first-party applications in Azure AD from the tenant. Based on this information, as indicated in the code above, the “destroy” command should refrain from deleting the referenced service principles in Azure AD since all of them are Microsoft’s first-party applications.

Observation: Upon running the “destroy” command, we observed that out of four, it deleted two of the referenced service principles below from Azure AD, in addition to the application registration created by the package.

Office365ExchangeOnline
Office365SharePointOnline

What’s intriguing is that it selectively removed only 2 out of the 4 referenced service principles, which is inconsistent.

This prompts a couple of questions.
First, why did the “destroy” command manage to delete only a subset of the referred first-party applications?
Secondly, if Microsoft specifies that first-party applications cannot be deleted, how did Terraforms “destroy” command still succeed in deleting them?

bhushangawale19 · November 1, 2023, 5:16am

Update - It appears that the issue is with the azure ad provider and already is discussed here

github.com/hashicorp/terraform-provider-azuread

Possible Azure AD "outage" with specific usage of azuread_service_principal

opened 05:32AM - 12 Jul 23 UTC

DMoenks

documentation feature/service-principal

### Community Note * Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritise this request * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment ### Terraform (and AzureAD Provider) Version ``` Terraform v1.4.1 on windows_amd64 \+ provider registry.terraform.io/hashicorp/azuread v2.39.0 \+ provider registry.terraform.io/hashicorp/azurerm v3.64.0 ``` ### Affected Resource(s) - `data azuread_service_principal` - `resource azuread_service_principal` ### Terraform Configuration Files ```hcl data "azuread_service_principal" "service_principal_exchange_online" { # Provider: Office 365 Exchange Online application_id = "00000002-0000-0ff1-ce00-000000000000" } ``` ```hcl resource "azuread_service_principal" "service_principal_exchange_online" { # Provider: Office 365 Exchange Online application_id = "00000002-0000-0ff1-ce00-000000000000" use_existing = true } ``` ### Debug Output ### Panic Output ### Expected Behavior The documentation better shouldn't suggest using the `use_existing` argument for `resource azuread_service_principal` with first-party applications by using phrases like _[...]behaviour is useful[...]_ and _[...]deletion fails (as it often the case for first-party Microsoft applications)_, but rather should include a warning to carefully handle first-party applications and suggest using `data azuread_service_principal` instead. An information box titled _Caveats_ doesn't really seem to emphasize the possible outcome either. ### Actual Behavior Using `resource azuread_service_principal` with `use_existing = true` as an argument will actually succeed in deleting some first-party Microsoft applications from Azure AD when running `terraform destroy`, potentially breaking other first-party and third-party applications in its wake, e.g. a Microsoft Exchange hybrid configuration between Exchange Online and Exchange server. ### Steps to Reproduce 1. `terraform apply` 2. `terraform destroy` ### Important Factoids ### References

Topic		Replies	Views
Terraform removes existing resources when applying Azure	3	2156	January 14, 2020
Resource Destroy Behaviour Issue Azure	0	416	October 7, 2023
Facing an issue when i plan a terraform Confused about destroy Terraform	8	2956	July 30, 2019
Delete computer object from domain upon destroy (domain-join extension) Terraform	2	2150	November 10, 2021
Destroying Azure Key Vault with policies and/or secrets Azure	3	3380	February 25, 2021

TF Destroy - Inconsistent Deletion of First-Party Azure AD Applications

Related topics