Issue with adding delegated Graph API permission to Enterprise app with Terraform

Question

I tried several things but still struggling to wrap my head around a very otherwise simple task.

• I wanted to create an enterprise app using Terraform (Done. Created Service Principal & AzureAd Application)

Application Creation

resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners = distinct(var.ad_group_owners)

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}

Service Principal

resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  owners                        = azuread_group.ad_group_oidc[0].owners
  preferred_single_sign_on_mode = "oidc"
  app_role_assignment_required  = true


  feature_tags {
    enterprise = true
  }

}

Now once the Application and Service Principal (Enterprise app is created) I wanted to add Graph API access to it. So I followed following from Terraform documenataion

data "azuread_application_published_app_ids" "well_known" {}

output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
  
}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}

I do not entirely understand why do I need to create a second service principal called "msgraph" but ok, I kind of guessed the context here. But here is my problem

Now once I deploy this code, I get the following

My questions are:

• Why is the RED circled area "other permissions" added and how to get rid of it?
• How do I add other permissions like email, profile, offline etc in blue circled area**

Answer 1

If I understand correctly then you don't need to do the delegation part.

Remove the delegation resource.

For adding more permissions to your app, add more resource blocks

This is how your application resource should look like

resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners = distinct(var.ad_group_owners)



  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
    dynamic "resource_access" {
      for_each = var.oauth2_permission_scope_ids
      content {
        id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids[resource_access.value]
        type = "Scope"
      }
    }
  }
  
}

To add permissions like email, openid etc. create a variable. This variable is iterated in the application resource and creates permission for all the items available in the list

variable "oauth2_permission_scope_ids" {
  type        = list(string)
  default = [ "openid", "email", "profile", "offline_access" ]
}

Now this should give you the desired outcome.

Answer 2

The code you provided is adding User.Read.All and openid under delegated permission with a consent grant, and then it's removing the User.Read.All permission without revoking admin consent. This is why it's showing in the other permission section.

Here is the updated code to add the delegated permission with admin consent, without removing the permissions

provider "azuread" {
  tenant_id = "2a"
}
data "azuread_client_config" "current" {}

data "azuread_application_published_app_ids" "well_known" {}

output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

resource "azuread_application" "enterprise_app_oidc" {
  display_name = "demoapp-Ad"
  owners = [data.azuread_client_config.current.object_id]

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read.All"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  owners                        = [data.azuread_client_config.current.object_id]
  preferred_single_sign_on_mode = "oidc"
  app_role_assignment_required  = true


  feature_tags {
    enterprise = true
  }
}

resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}

Terraform apply

After running the code, the delegated permission has been added to the application with admin consent.

Output: