Reputation: 1335
I have a service principal that is used when running my Terraform scripts that works for 99% of what I need to do. However I then need to run the following script with terraform to update a property on an App Registration - as this is the only way it can be done (Here for reference - https://github.com/hashicorp/terraform-provider-azuread/issues/188).
resource "null_resource" "access_token_accepted_version" {
  depends_on = [
    azuread_application.appname
  ]
  provisioner "local-exec" {
    command = <<EOF
az login --service-principal --username ${var.az_client_id} --password ${var.az_client_secret} --tenant ${var.az_tenant_id}
az rest \
  --method PATCH \
  --headers "Content-Type=application/json" \
  --uri "https://graph.microsoft.com/v1.0/applications/${azuread_application.appname.id}" \
  --body '{"api":{"requestedAccessTokenVersion":2}}'
EOF
  }
}
The Az login part seems to run successfully, but then the PATCH call will always result in the following error -
ERROR: Forbidden({"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."
I would like to think there is a permission I can add to the associated app registration for the service principal, but I cannot find the right one. Here is what I have currently (some are needed, some are stabs in the dark).
Can anyone think of a way around this?
Upvotes: 0
Views: 658
Reputation: 136346
You would need to give Application.ReadWrite.All permission under Microsoft Graph. Currently you have given that permission under Azure Active Directory Graph.
Once you do that, you should not get this error.
Upvotes: 2
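A quick local check for the failure mode the answer describes, added here as an example and not code from the question or the azuread provider: decode the payload of the access token the CLI obtained for Microsoft Graph and confirm that its audience is Microsoft Graph and that its `roles` claim carries Application.ReadWrite.All (a grant on the legacy Azure AD Graph never shows up in a Microsoft Graph token). The sample tokens are constructed and unsigned; with a real session, feed in the output of `az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv`.

```python
import base64
import json

# Audiences under which Microsoft Graph tokens are issued: the URI form and
# the well-known appId of the Microsoft Graph resource.
MS_GRAPH_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}
REQUIRED_ROLE = "Application.ReadWrite.All"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    This is a diagnostic on a token the caller already holds, not an
    authentication check, so no signature validation is performed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str) -> dict:
    """Report whether a token can PATCH an application object on Microsoft Graph."""
    claims = decode_jwt_payload(token)
    aud = str(claims.get("aud", ""))
    roles = set(claims.get("roles", []))
    return {
        "aud": aud,
        "aud_is_ms_graph": aud.rstrip("/") in MS_GRAPH_AUDIENCES,
        "has_required_role": REQUIRED_ROLE in roles,
        "roles": sorted(roles),
    }


def _make_unsigned_jwt(claims: dict) -> str:
    # Build a constructed, unsigned sample token (alg "none") for offline use.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: the role granted on legacy Azure AD Graph (wrong API),
# and the role granted on Microsoft Graph (what the PATCH actually needs).
LEGACY_GRAPH_TOKEN = _make_unsigned_jwt({"aud": "https://graph.windows.net", "roles": [REQUIRED_ROLE]})
MS_GRAPH_TOKEN_OK = _make_unsigned_jwt({"aud": "https://graph.microsoft.com", "roles": [REQUIRED_ROLE]})

if __name__ == "__main__":
    for name, tok in (("legacy-aad-graph", LEGACY_GRAPH_TOKEN), ("ms-graph", MS_GRAPH_TOKEN_OK)):
        print(name, check_graph_token(tok))
```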