Comments (21)
Isn't this already available through the required_resource_access? E.g.
@jorgecarleitao that creates the application's required permissions, but some of those permissions then need to be granted by an admin.
Here is an example from the Portal of permissions that have and have not been granted consent by an admin:
from terraform-provider-azuread.
As we are moving all azure ad resources to the separate AzureAd pr i have moved this issue there
from terraform-provider-azuread.
Unless I missed something in the proposal here, I think that the azurerm_app_permission_definition would need an additional property to tell which API these permissions belong to, as a lot of these permissions are present in multiple APIs (e.g. "Application.ReadWrite.All", "Directory.ReadWrite.All").
I learned the hard way, by trial and error, that these permissions are not interchangeable between e.g. the Azure AD API and the MS Graph API, even though the Azure AD API is now marked as legacy.
This is especially important for the AzureAD provider resources, as they seem to need the legacy permissions and will not work using the MS Graph permissions.
from terraform-provider-azuread.
Anyone with the same question I had: I found the answer by using
az ad sp list --display-name "Microsoft Graph" | select-string <URI or DISPLAY NAME> -cont 10
from terraform-provider-azuread.
@manicminer Consent can be given using oauth2PermissionGrants, although still in Beta.
Sam Cogan wrote a nice article about this topic:
https://samcogan.com/provide-admin-consent-fora-azure-ad-applications-programmatically/
But be warned: it is beta, and I personally had an App Registration that failed badly after playing around with it 😄
Actually it failed so badly that it was causing an internal error in Azure.
from terraform-provider-azuread.
@manicminer the command I mention at #33 (comment) is certainly API backed, but I'm not sure if that's something in the Go SDK.
from terraform-provider-azuread.
@katbyte I'm going to start looking into this, as thanks to #79 it appears we now have the ability to read the application OAuth2 permissions, so it would make sense to be able to manage them as well.
Just wanted to check if anyone else has already started?
from terraform-provider-azuread.
Isn't this already available through the required_resource_access? E.g.

# Microsoft Graph
required_resource_access {
  resource_app_id = "00000003-0000-0000-c000-000000000000"

  # Access directory as the signed in user
  resource_access {
    id   = "0e263e50-5827-48a4-b97c-d940288653c7"
    type = "Scope"
  }

  # Read directory data
  resource_access {
    id   = "06da0dbc-49e2-44d2-8312-53f166ab848a"
    type = "Scope"
  }
}
from terraform-provider-azuread.
@jorgecarleitao where did you get the GUIDs from? All I'm used to are URIs like https://graph.microsoft.com/User.Read.All
from terraform-provider-azuread.
This seems very messy. I am not sure what the correct implementation is, but I found this post helpful (https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/).
And I would question whether the right place for this is the Azure AD provider?
from terraform-provider-azuread.
This is the ad provider repo so it's in the right place
from terraform-provider-azuread.
FWIW everything in the description is already achievable with the current required_resource_access block as of this writing.
But using the GUIDs only is pretty tough. It would be nice if it could be GUID or URI for both the required_resource_access and resource_access blocks, since those are what show up in the portal.
Someone mentioned you can't grant admin consent... and that would not make sense on an application. You can only grant consent for a service principal in a tenant (though the portal shows in the app registration the current tenant's admin status)... in fact consent may be for the whole tenant for that app... I'm not really sure if you can have two SPs in one tenant for a single app and if they can have distinct grants... never tried.
IMO as written this ticket could be closed.
from terraform-provider-azuread.
In terms of the original feature request, I believe API Permissions for an application can be managed with the required_resource_access block of the azuread_application resource. I don't think it makes sense for us to work with the API and permissions friendly names, as Microsoft makes APIs available via their published UUIDs and you can look these up in the portal to store as variables if you wish.
I'm looking to merge a change in #252 that will enable setting published scopes for an application (aka "Expose an API" in the portal), and I believe this covers all the cases discussed in this issue so I am going to mark as resolved.
Please feel free to comment if I have missed something!
from terraform-provider-azuread.
@manicminer there's not actually an easy way to find the UUIDs in the portal :(
from terraform-provider-azuread.
@drdamour the way I usually do it is to grant an API scope and then poke through the application manifest. Admittedly this doesn't exactly qualify as easy, but it's workable. If there's a way to list them via an API I'm all ears :)
from terraform-provider-azuread.
FWIW everything in the description is already achievable with the current required_resource_access block as of this writing.
I do not understand, how is it currently possible to Grant Admin consent with the current required_resource_access?
from terraform-provider-azuread.
I do not understand, how is it currently possible to Grant Admin consent with the current required_resource_access?
@Console32 This particular action is not supported by the provider. Admin Consent for API scopes is implemented as a user-only operation, presumably to enforce oversight, as such there's no supported way of granting consent unless you are signed in as a real user. It's possible this may be changing with some recent additions to the MS Graph API, but that's speculation at this point and we are not currently able to use that API anyway. So, at least for the time being, this is a manual step that tenant administrators must accomplish.
from terraform-provider-azuread.
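For anyone who has to do the manual step @manicminer describes outside Terraform, it helps to see what tenant-wide admin consent actually is on the API: an oauth2PermissionGrant whose clientId and resourceId are the object IDs of the client app's service principal and of the resource API's service principal (not the application object, which matches the earlier point that consent belongs to the service principal), with consentType "AllPrincipals" and a space-separated scope string. The code below is an added example for this thread, not provider code; it plans the single Microsoft Graph request needed to reach a wanted scope set, choosing between creating a grant and widening an existing one. It uses the field names and paths of the Graph v1.0 oauth2PermissionGrants resource (beta at the time of the thread, as noted above); the existing-grant list and the object IDs are constructed placeholders.

```python
"""Plan the Microsoft Graph call that grants tenant-wide admin consent for
delegated permissions.

Added example for this thread; it is not code from terraform-provider-azuread.
Admin consent is an oauth2PermissionGrant on the *service principal* of the
client app (not on the application object), with consentType "AllPrincipals".
Endpoint and field names are those of the Microsoft Graph v1.0
oauth2PermissionGrants resource (beta at the time of the thread). The
existing-grant list and object IDs below are constructed placeholders.
"""
from typing import Dict, List, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Constructed: object IDs of the client app's service principal and of the
# Microsoft Graph service principal in the tenant (placeholder GUIDs).
CLIENT_SP_ID = "11111111-1111-1111-1111-111111111111"
MSGRAPH_SP_ID = "22222222-2222-2222-2222-222222222222"

# Constructed: what GET /oauth2PermissionGrants?$filter=clientId eq '<id>'
# might return when a tenant-wide grant for User.Read already exists.
EXISTING_GRANTS: List[Dict] = [
    {
        "id": "grant-1",
        "clientId": CLIENT_SP_ID,
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": MSGRAPH_SP_ID,
        "scope": "User.Read",
    }
]


def find_tenant_wide_grant(grants: List[Dict], client_sp_id: str,
                           resource_sp_id: str) -> Optional[Dict]:
    """Graph allows one AllPrincipals grant per (client, resource) pair; find it."""
    for g in grants:
        if (g["clientId"] == client_sp_id and g["resourceId"] == resource_sp_id
                and g["consentType"] == "AllPrincipals"):
            return g
    return None


def plan_admin_consent(grants: List[Dict], client_sp_id: str, resource_sp_id: str,
                       wanted_scopes: List[str]) -> Optional[Dict]:
    """Return the single request that brings tenant-wide consent up to `wanted_scopes`.

    None  -> every wanted scope is already consented, nothing to do.
    PATCH -> a grant exists; extend its space-separated scope string. Scopes
             are never removed here: widening consent is all this automates,
             and any narrowing should stay a deliberate, reviewed change.
    POST  -> no grant exists yet; create one.
    """
    wanted = set(wanted_scopes)
    existing = find_tenant_wide_grant(grants, client_sp_id, resource_sp_id)
    if existing is None:
        return {
            "method": "POST",
            "url": f"{GRAPH_BASE}/oauth2PermissionGrants",
            "body": {
                "clientId": client_sp_id,
                "consentType": "AllPrincipals",   # tenant-wide, so principalId is null
                "principalId": None,
                "resourceId": resource_sp_id,
                "scope": " ".join(sorted(wanted)),
            },
        }
    have = set(existing["scope"].split())
    if wanted <= have:
        return None
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/oauth2PermissionGrants/{existing['id']}",
        "body": {"scope": " ".join(sorted(have | wanted))},
    }


if __name__ == "__main__":
    print(plan_admin_consent(EXISTING_GRANTS, CLIENT_SP_ID, MSGRAPH_SP_ID,
                             ["User.Read", "Directory.Read.All"]))
```

The caller that sends the planned request needs DelegatedPermissionGrant.ReadWrite.All (or Directory.ReadWrite.All), which is exactly the kind of standing privilege a pipeline identity should not hold casually; Graph also rejects scope values the resource service principal does not publish. Because an AllPrincipals grant applies to every user in the tenant, review the resulting scope string before sending it, and reserve anything with "AccessAsUser" or "ReadWrite" in it for an explicit approval rather than an automated merge.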
FWIW everything in the description is already achievable with the current required_resource_access block as of this writing.
I do not understand, how is it currently possible to Grant Admin consent with the current required_resource_access?
@Console32 in my interpretation admin consent was not requested in the original description, but I can see how it could be interpreted the other way.
from terraform-provider-azuread.
We'll possibly have to wait for this to make it out of beta :)
from terraform-provider-azuread.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
from terraform-provider-azuread.