
I'm trying to create an Azure AD application using Terraform along with our Azure DevOps pipeline, but I am getting the following error:

1 error(s) occurred:

* module.cluster.module.cluster.azuread_application.cluster: 1 error(s) occurred:

* azuread_application.cluster: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2019-02-19T23:22:23","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"<SOME GUID>"}}]

I'm pretty sure this is because the pipeline's service principal doesn't have the proper permissions within our Azure AD.

This is the offending Terraform code:

# azuread provider 0.x syntax as posted (newer provider versions call this
# attribute display_name and no longer need the "${...}" interpolation braces)
resource "azuread_application" "cluster" {
  name = "some-application"
}

# Creating the service principal for that app needs the same directory write
# permission as creating the application itself
resource "azuread_service_principal" "cluster" {
  application_id = "${azuread_application.cluster.application_id}"
}

Here is what the Terraform step looks like (I'm using a Service Connection to supply the service principal).

Terraform Step

To configure the service principal, I am selecting "Manage Service Principal" for the Service Connection.

Service Connection

I have then given it all "required permissions" for both Microsoft Graph and Windows Azure Active Directory. I don't think I need the Microsoft Graph, but did that since Windows AAD wasn't working.

Service Principal Configuration

2 Answers


According to the error information, it indicates that you have no permission to do that.

I followed the Terraform guide document; we need to assign permissions corresponding to the application.

NOTE: If you're authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API

During testing, I assigned the following permissions to Azure Active Directory; for more information, please refer to the screenshot.

(screenshot)

Note: Please don't forget to click Grant permissions

Test Result:

(screenshots)


3 Comments

I struggled with this until I found a comment on a GitHub issue about using the legacy API for this, not the Microsoft Graph API.
The link for the guide is a dead link now; any update for that?

In order for Terraform to access AD and make changes, you need to add these permissions.

listed permission image

You need to give these permissions to the service principal of the Azure DevOps service connection. Use the Manage Service Principal option. In Azure, these are API permissions for the registered app and its service principal.

azure devops service connection image

More info: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_configuration
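Both answers above come down to the same operation: request the permissions on the app registration behind the service connection, then grant tenant-wide admin consent. The script below is an added example, not code from the original post or from the Terraform provider. With no argument it runs against a constructed sample manifest that, like the question, only requests Microsoft Graph User.Read; given a client ID it reads the live registration with `az ad app show`. It reports which of the required legacy Azure AD Graph permissions are missing (treating a permission requested with the wrong type, delegated instead of application, as missing, because a service principal logging in with client credentials never receives delegated permissions) and prints the `az` commands that add them and grant admin consent. The permission and resource IDs are Microsoft's published values and are an assumption to verify in your tenant with `az ad sp show --id <resource-app-id> --query appRoles`. One caveat: the error in the question comes from the legacy Azure AD Graph client (graphrbac), an API Microsoft has since retired; azuread provider 2.x uses Microsoft Graph, where the equivalent is Application.ReadWrite.All on resource 00000003-0000-0000-c000-000000000000, selectable here with `--ms-graph`.

```python
"""Check an Azure AD app registration's requested API permissions against what
the Terraform azuread provider needs, and print the az CLI commands to fix gaps.

Added example (not code from the original post). Permission IDs are Microsoft's
published values (assumption: confirm with
`az ad sp show --id <resource-app-id> --query "appRoles[].{id:id,value:value}"`).
"""
import json
import subprocess
import sys

AAD_GRAPH = "00000002-0000-0000-c000-000000000000"  # legacy "Windows Azure Active Directory" API
MS_GRAPH = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# Permissions the answers above ask for, on the legacy Azure AD Graph API.
# "Role" = application permission (what a client-credentials login actually
# carries); "Scope" = delegated permission (needs a signed-in user).
REQUIRED = {
    AAD_GRAPH: {
        "1cda74f2-2616-4834-b122-5cb1b07f8a59": ("Application.ReadWrite.All", "Role"),
        "311a71cc-e848-46a1-bdf8-97ff7156d8e6": ("User.Read", "Scope"),
    },
}

# Equivalent on Microsoft Graph, for azuread provider 2.x (legacy API is retired).
REQUIRED_MS_GRAPH = {
    MS_GRAPH: {"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": ("Application.ReadWrite.All", "Role")},
}

# Constructed sample (assumed IDs): a registration that, like the one in the
# question, only requests Microsoft Graph User.Read.
SAMPLE_MANIFEST = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "displayName": "ado-terraform-connection",
    "requiredResourceAccess": [
        {
            "resourceAppId": MS_GRAPH,
            "resourceAccess": [
                {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}  # User.Read
            ],
        }
    ],
}


def missing_permissions(manifest, required=REQUIRED):
    """Return [(resource_app_id, permission_id, name, type)] for every required
    permission absent from requiredResourceAccess. The same permission ID
    requested with the wrong type (e.g. Application.ReadWrite.All as a delegated
    "Scope" rather than an application "Role") still counts as missing."""
    present = set()
    for resource in manifest.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            present.add((resource["resourceAppId"], access["id"], access["type"]))
    return [
        (resource, pid, name, ptype)
        for resource, perms in required.items()
        for pid, (name, ptype) in perms.items()
        if (resource, pid, ptype) not in present
    ]


def grant_commands(app_id, gaps):
    """az CLI commands that request each missing permission and then grant
    tenant-wide admin consent (the "Grant permissions" button in the portal).
    Requesting alone is not enough; without consent the 403 persists."""
    by_resource = {}
    for resource, pid, _name, ptype in gaps:
        by_resource.setdefault(resource, []).append(f"{pid}={ptype}")
    cmds = [
        f"az ad app permission add --id {app_id} --api {resource} "
        f"--api-permissions {' '.join(perms)}"
        for resource, perms in by_resource.items()
    ]
    if gaps:
        cmds.append(f"az ad app permission admin-consent --id {app_id}")
    return cmds


def load_manifest(app_id):
    """Fetch the registration with the Azure CLI (requires a prior `az login`)."""
    out = subprocess.run(
        ["az", "ad", "app", "show", "--id", app_id, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    required = REQUIRED_MS_GRAPH if "--ms-graph" in sys.argv else REQUIRED
    manifest = load_manifest(positional[0]) if positional else SAMPLE_MANIFEST
    gaps = missing_permissions(manifest, required)
    if not gaps:
        print("all required permissions are requested; now confirm admin consent was granted")
    for resource, pid, name, ptype in gaps:
        print(f"missing: {name} ({ptype}) on {resource} [{pid}]")
    for cmd in grant_commands(manifest["appId"], gaps):
        print(cmd)
```

Run it as `python check_perms.py <client-id>` (the application ID shown under Manage Service Principal) after `az login`; `az ad app permission admin-consent` must be run by a Global Administrator. Note that a requested permission is not a granted one: to confirm what the service principal can actually do, list its app role assignments with `az rest --method get --url "https://graph.microsoft.com/v1.0/servicePrincipals/<sp-object-id>/appRoleAssignments"` and look for the Application.ReadWrite.All role on the Graph resource you are using.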
