
Comments (21)

steve-hawkins commented on June 18, 2024 4

Isn't this already available through the required_resource_access? E.g.

@jorgecarleitao that creates the applications required permissions, but some of those permissions then need to be granted by an admin

Here is an example from the Portal of permissions that have and have not been granted consent from an admin:-


from terraform-provider-azuread.

katbyte commented on June 18, 2024 2

As we are moving all Azure AD resources to the separate AzureAD PR, I have moved this issue there.


janlunddk commented on June 18, 2024 2

Unless I missed something in the proposal here, I think that the azurerm_app_permission_definition would need an additional property to tell which API these permissions belong to, as a lot of these permissions are present in multiple APIs (e.g. "Application.ReadWrite.All", "Directory.ReadWrite.All").
I learned the hard way, by trial and error, that these permissions are not interchangeable between e.g. the Azure AD API and the MS Graph API, even though the Azure AD API is now marked as legacy.

This is especially important for the AzureAD provider resources as they seem to need the legacy permissions and will not work using the MS Graph permissions.



drdamour commented on June 18, 2024 2

For anyone with the same question I had: I found the answer by using

az ad sp list --display-name "Microsoft Graph" | select-string <URI or DISPLAY NAME> -cont 10


janlunddk commented on June 18, 2024 2

@manicminer Consent can be given using oauth2PermissionGrants although still in Beta.
Sam Cogan wrote a nice article about this topic:
https://samcogan.com/provide-admin-consent-fora-azure-ad-applications-programmatically/

But be warned - it is beta, and I personally had an App Registration that failed badly after playing around with it 😄
Actually it failed so badly that it was causing an internal error in Azure:


drdamour commented on June 18, 2024 1

@manicminer the command I mention at #33 (comment) is certainly API backed, but I'm not sure if that's something in the Go SDK.


steve-hawkins commented on June 18, 2024

@katbyte I'm going to start looking into this, as thanks to #79 it appears we now have the ability to read the application OAuth2 permissions, so it would make sense to be able to manage them as well.

Just wanted to check if anyone else has already started?


katbyte commented on June 18, 2024


jorgecarleitao commented on June 18, 2024

Isn't this already available through the required_resource_access? E.g.

  # Microsoft Graph
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000"

    # Access directory as the signed in user
    resource_access {
      id = "0e263e50-5827-48a4-b97c-d940288653c7"
      type = "Scope"
    }

    # Read directory data
    resource_access {
      id = "06da0dbc-49e2-44d2-8312-53f166ab848a"
      type = "Scope"
    }
  }


drdamour commented on June 18, 2024

@jorgecarleitao where'd you get the GUIDs from? All I'm used to is URIs like https://graph.microsoft.com/User.Read.All


manfred-nilsson-wcar commented on June 18, 2024

This seems very messy. I am not sure what the correct implementation is, but I found this post helpful (https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/).

And I would question whether the right place for this is the Azure AD provider?


drdamour commented on June 18, 2024

This is the AD provider repo, so it's in the right place.


drdamour commented on June 18, 2024

Fwiw everything in the description is already achievable with the current required_resource_access block as of this writing.

But using the GUIDs only is pretty tough. It'd be nice if it could be GUID or URI for both the required_resource_access and resource_access blocks, since those are what show up in the portal.

Someone mentioned you can't grant admin consent... and that would not make sense on an application. You can only grant consent for a service principal in a tenant (though the portal shows in the app reg the current tenant's admin status)... in fact consent may be for the whole tenant for that app... I'm not really sure if you can have two SPs in one tenant for a single app and if they can have distinct grants... never tried.

IMO as written this ticket could be closed.


manicminer commented on June 18, 2024

In terms of the original feature request, I believe API Permissions for an application can be managed with the required_resource_access block of the azuread_application resource. I don't think it makes sense for us to work with the API and permissions friendly names, as Microsoft makes APIs available via their published UUIDs and you can look these up in the portal to store as variables if you wish.

I'm looking to merge a change in #252 that will enable setting published scopes for an application (aka "Expose an API" in the portal), and I believe this covers all the cases discussed in this issue so I am going to mark as resolved.

Please feel free to comment if I have missed something!


drdamour commented on June 18, 2024

@manicminer there's not actually an easy way to find the UUIDs in the portal :(


manicminer commented on June 18, 2024

@drdamour the way I usually do it is to grant an API scope and then poke through the application manifest. Admittedly this doesn't exactly qualify as easy, but it's workable. If there's a way to list them via an API I'm all ears :)

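The GUID hunt discussed in this thread (drdamour's az command, jorgecarleitao's required_resource_access block, janlunddk's warning that the same permission name exists on several APIs, and manicminer's wish for an API-based lookup), as an added example that is not code from the thread or from the provider: it resolves permission names to ids against a constructed, trimmed copy of the Microsoft Graph service principal JSON that `az ad sp show` would return, and renders the HCL block. Field names follow the MS Graph servicePrincipal schema; the appRole id and the fallback to an older `oauth2Permissions` key are assumptions.

```python
import json
# Constructed sample: a trimmed Microsoft Graph servicePrincipal in the shape
# `az ad sp show --id 00000003-0000-0000-c000-000000000000` returns. The two
# scope ids are the ones quoted in this thread; the appRole id is a placeholder.
MS_GRAPH_SP = json.loads("""{
  "appId": "00000003-0000-0000-c000-000000000000",
  "displayName": "Microsoft Graph",
  "oauth2PermissionScopes": [
    {"id": "06da0dbc-49e2-44d2-8312-53f166ab848a", "value": "Directory.Read.All", "type": "Admin"},
    {"id": "0e263e50-5827-48a4-b97c-d940288653c7", "value": "Directory.AccessAsUser.All", "type": "Admin"}
  ],
  "appRoles": [
    {"id": "11111111-2222-3333-4444-555555555555", "value": "Directory.Read.All",
     "allowedMemberTypes": ["Application"]}
  ]
}""")

def resolve(sp, name, kind):
    """Look up permission `name` on one specific resource service principal.
    "delegated" reads oauth2PermissionScopes (Terraform type "Scope"),
    "application" reads appRoles (type "Role"). Keying on the resource SP keeps
    MS Graph's Directory.Read.All apart from the same-named legacy AAD Graph one."""
    if kind == "delegated":
        # older az CLI output named this list oauth2Permissions (assumption)
        entries = sp.get("oauth2PermissionScopes") or sp.get("oauth2Permissions") or []
        tf_type = "Scope"
    elif kind == "application":
        entries, tf_type = sp.get("appRoles", []), "Role"
    else:
        raise ValueError(f"unknown permission kind: {kind}")
    hits = [e for e in entries if e.get("value") == name]
    if len(hits) != 1:
        raise LookupError(f"{name} ({kind}) matched {len(hits)} entries on {sp['displayName']}")
    # Application permissions always need admin consent; delegated scopes only when type is "Admin".
    admin = kind == "application" or hits[0].get("type") == "Admin"
    return {"id": hits[0]["id"], "type": tf_type, "admin_consent": admin}

def render_required_resource_access(sp, wanted):
    """Emit the azuread_application required_resource_access block for `wanted`,
    a list of (permission name, kind) pairs, keeping the friendly name as a comment."""
    lines = ["required_resource_access {",
             f'  resource_app_id = "{sp["appId"]}"  # {sp["displayName"]}', ""]
    for name, kind in wanted:
        p = resolve(sp, name, kind)
        note = ", admin consent required" if p["admin_consent"] else ""
        lines += [f"  # {name} ({kind}{note})", "  resource_access {",
                  f'    id   = "{p["id"]}"', f'    type = "{p["type"]}"', "  }", ""]
    lines[-1] = "}"  # replace the trailing spacer with the closing brace
    return "\n".join(lines)
```

Feeding it the real `az ad sp show --id <appId>` JSON for the resource API you target gives the ids for that API only, which is the point janlunddk raised about same-named permissions on different APIs.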

Console32 commented on June 18, 2024

Fwiw everything in the description is already achievable with the current required_resource_access block as of this writing.

I do not understand: how is it currently possible to grant admin consent with the current required_resource_access?


manicminer commented on June 18, 2024

I do not understand, how is it currently possible to Grant Admin consent with the current required_resource_access?

@Console32 This particular action is not supported by the provider. Admin Consent for API scopes is implemented as a user-only operation, presumably to enforce oversight, so there's no supported way of granting consent unless you are signed in as a real user. It's possible this may be changing with some recent additions to the MS Graph API, but that's speculation at this point and we are not currently able to use that API anyway. So, at least for the time being, this is a manual step that tenant administrators must accomplish.


drdamour commented on June 18, 2024

Fwiw everything in the description is already achievable with the current required_resource_access block as of this writing.

I do not understand, how is it currently possible to Grant Admin consent with the current required_resource_access?

@Console32 in my interpretation admin consent was not requested in the original description, but I can see how it could be interpreted the other way.


manicminer commented on June 18, 2024

We'll possibly have to wait for this to make it out of beta :)


commented on June 18, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
