I tried several things but still struggling to wrap my head around a very otherwise simple task.
- I wanted to create an enterprise app using Terraform (Done. Created Service Principal & AzureAd Application)
Application Creation
```hcl
resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners       = distinct(var.ad_group_owners)

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}
```
Service Principal
```hcl
resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  owners                        = azuread_group.ad_group_oidc[0].owners
  preferred_single_sign_on_mode = "oidc"
  app_role_assignment_required  = true

  feature_tags {
    enterprise = true
  }
}
```
Now, once the Application and Service Principal (Enterprise app) are created, I wanted to add Graph API access to it. So I followed the following from the Terraform documentation:
```hcl
data "azuread_application_published_app_ids" "well_known" {}

output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}
```
I do not entirely understand why I need to create a second service principal called "msgraph", but ok, I kind of guessed the context here. But here is my problem:
Now, once I deploy this code, I get the following:
My questions are:
- Why is the RED circled area "other permissions" added and how to get rid of it?
- How do I add other permissions like email, profile, offline etc. in the blue circled area?
- Can't you manage the API permissions in the Azure portal? – Tiny Wang Commented Jan 31 at 7:05
- @TinyWang naaa, can't use the portal. The idea is to automate so that we don't need to give portal access. – New Programmer Commented Jan 31 at 8:04
2 Answers
If I understand correctly, then you don't need to do the delegation part.
Remove the delegation resource.
For adding more permissions to your app, add more resource blocks.
This is how your application resource should look:
```hcl
resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners       = distinct(var.ad_group_owners)

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # One resource_access block per scope name in the variable.
    dynamic "resource_access" {
      for_each = var.oauth2_permission_scope_ids
      content {
        id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids[resource_access.value]
        type = "Scope"
      }
    }
  }
}
```
To add permissions like email, openid etc., create a variable. This variable is iterated in the application resource and creates a permission for every item in the list:
```hcl
variable "oauth2_permission_scope_ids" {
  type    = list(string)
  default = ["openid", "email", "profile", "offline_access"]
}
```
Now this should give you the desired outcome.
The code you provided is adding User.Read.All and openid under delegated permission with a consent grant, and then it's removing the User.Read.All permission without revoking admin consent. This is why it's showing in the other permission section.
Here is the updated code to add the delegated permission with admin consent, without removing the permissions:
```hcl
provider "azuread" {
  tenant_id = "2a"
}

data "azuread_client_config" "current" {}

data "azuread_application_published_app_ids" "well_known" {}

output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

resource "azuread_application" "enterprise_app_oidc" {
  display_name = "demoapp-Ad"
  owners       = [data.azuread_client_config.current.object_id]

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }

    # Declared here as well, so the consent grant below matches the registration.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read.All"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  owners                        = [data.azuread_client_config.current.object_id]
  preferred_single_sign_on_mode = "oidc"
  app_role_assignment_required  = true

  feature_tags {
    enterprise = true
  }
}

resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}
```
Terraform apply
After running the code, the delegated permission has been added to the application with admin consent.
Output:
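As an added example (not code from the question or either answer), the following Python reproduces the diagnosis in the second answer offline: it compares the delegated scopes an app registration declares in requiredResourceAccess with the scopes present in the tenant's oauth2PermissionGrant, and reports any consented scope that the registration does not declare (the mismatch between `User.Read` in the registration and `User.Read.All` in `claim_values`). All objects are constructed samples shaped like Microsoft Graph API responses; the scope ids are placeholders, not real Graph scope GUIDs, and the only real value is the well-known Microsoft Graph application id.

```python
# Added example, not from the question or answers. Offline audit of the drift
# the second answer describes: a scope that is consented (present in the
# oauth2PermissionGrant) but not declared in the app registration's
# requiredResourceAccess. Inputs are constructed samples, not live Graph data.

MSGRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app id

# Constructed subset of the Graph service principal's oauth2PermissionScopes; this is
# the id->name map that azuread_service_principal.msgraph.oauth2_permission_scope_ids exposes.
MSGRAPH_SCOPES = [
    {"id": "scope-id-openid", "value": "openid"},            # placeholder ids
    {"id": "scope-id-user-read", "value": "User.Read"},
    {"id": "scope-id-user-read-all", "value": "User.Read.All"},
    {"id": "scope-id-email", "value": "email"},
]

# Constructed app registration mirroring the question's required_resource_access
# (openid and User.Read declared, but not User.Read.All).
APP_REGISTRATION = {"requiredResourceAccess": [{
    "resourceAppId": MSGRAPH_APP_ID,
    "resourceAccess": [{"id": "scope-id-openid", "type": "Scope"},
                       {"id": "scope-id-user-read", "type": "Scope"}],
}]}

# Constructed tenant-wide grant as the delegated_permission_grant resource created it
# (claim_values = ["openid", "User.Read.All"]).
CONSENT_GRANT = {"consentType": "AllPrincipals", "scope": "openid User.Read.All"}


def declared_scopes(app, scope_catalog, resource_app_id):
    """Delegated scope names (type == Scope) the registration declares for one resource."""
    id_to_name = {s["id"]: s["value"] for s in scope_catalog}
    names = set()
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != resource_app_id:
            continue
        for access in rra.get("resourceAccess", []):
            if access.get("type") == "Scope":
                names.add(id_to_name.get(access["id"], access["id"]))
    return names


def consented_scopes(grant):
    """Scopes in an oauth2PermissionGrant; Graph stores them as one space-separated string."""
    return set(grant.get("scope", "").split())


def consent_drift(app, grant, scope_catalog, resource_app_id):
    """Consented-but-undeclared scopes are the ones to reconcile (declare them or drop them)."""
    declared = declared_scopes(app, scope_catalog, resource_app_id)
    consented = consented_scopes(grant)
    return {"undeclared_but_consented": sorted(consented - declared),
            "declared_but_not_consented": sorted(declared - consented)}
```

Running `consent_drift(APP_REGISTRATION, CONSENT_GRANT, MSGRAPH_SCOPES, MSGRAPH_APP_ID)` on the sample flags `User.Read.All` as consented but undeclared and `User.Read` as declared but unconsented, which is the mismatch both answers resolve by making the registration and the grant agree.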