.= 'tag.htm'; break; case 'flag': $pre .= $default_pre .= 'flag.htm'; break; case 'my': $pre .= $default_pre .= 'my.htm'; break; case 'my_password': $pre .= $default_pre .= 'my_password.htm'; break; case 'my_bind': $pre .= $default_pre .= 'my_bind.htm'; break; case 'my_avatar': $pre .= $default_pre .= 'my_avatar.htm'; break; case 'home_article': $pre .= $default_pre .= 'home_article.htm'; break; case 'home_comment': $pre .= $default_pre .= 'home_comment.htm'; break; case 'user': $pre .= $default_pre .= 'user.htm'; break; case 'user_login': $pre .= $default_pre .= 'user_login.htm'; break; case 'user_create': $pre .= $default_pre .= 'user_create.htm'; break; case 'user_resetpw': $pre .= $default_pre .= 'user_resetpw.htm'; break; case 'user_resetpw_complete': $pre .= $default_pre .= 'user_resetpw_complete.htm'; break; case 'user_comment': $pre .= $default_pre .= 'user_comment.htm'; break; case 'single_page': $pre .= $default_pre .= 'single_page.htm'; break; case 'search': $pre .= $default_pre .= 'search.htm'; break; case 'operate_sticky': $pre .= $default_pre .= 'operate_sticky.htm'; break; case 'operate_close': $pre .= $default_pre .= 'operate_close.htm'; break; case 'operate_delete': $pre .= $default_pre .= 'operate_delete.htm'; break; case 'operate_move': $pre .= $default_pre .= 'operate_move.htm'; break; case '404': $pre .= $default_pre .= '404.htm'; break; case 'read_404': $pre .= $default_pre .= 'read_404.htm'; break; case 'list_404': $pre .= $default_pre .= 'list_404.htm'; break; default: $pre .= $default_pre .= theme_mode_pre(); break; } if ($config['theme']) { $conffile = APP_PATH . 'view/template/' . $config['theme'] . '/conf.json'; $json = is_file($conffile) ? xn_json_decode(file_get_contents($conffile)) : array(); } !empty($json['installed']) and $path_file = APP_PATH . 'view/template/' . $config['theme'] . '/htm/' . ($id ? $id . '_' : '') . $pre; (empty($path_file) || !is_file($path_file)) and $path_file = APP_PATH . 'view/template/' . $config['theme'] . 
'/htm/' . $pre; if (!empty($config['theme_child']) && is_array($config['theme_child'])) { foreach ($config['theme_child'] as $theme) { if (empty($theme) || is_array($theme)) continue; $path_file = APP_PATH . 'view/template/' . $theme . '/htm/' . ($id ? $id . '_' : '') . $pre; !is_file($path_file) and $path_file = APP_PATH . 'view/template/' . $theme . '/htm/' . $pre; } } !is_file($path_file) and $path_file = APP_PATH . ($dir ? 'plugin/' . $dir . '/view/htm/' : 'view/htm/') . $default_pre; return $path_file; }

/**
 * Pick the default front-page template file name from the site's display mode.
 *
 * Reads $config['setting']['website_mode'] (global $config):
 *   1 -> the "portal" templates, 2 -> the "flat" templates, anything else -> "index".
 * The comparisons are loose (==), so a string "1"/"2" from the config file
 * selects the same branch as the integer.
 *
 * @param int $type 2 requests the category variant ("*_category.htm");
 *                  any other value returns the main page template.
 * @return string Bare template file name, no directory component.
 */
function theme_mode_pre($type = 0) {
    global $config;
    $mode = $config['setting']['website_mode'];
    $pre = '';
    if (1 == $mode) {
        $pre .= 2 == $type ? 'portal_category.htm' : 'portal.htm';
    } elseif (2 == $mode) {
        $pre .= 2 == $type ? 'flat_category.htm' : 'flat.htm';
    } else {
        // Default mode: classic forum index.
        $pre .= 2 == $type ? 'index_category.htm' : 'index.htm';
    }
    return $pre;
}
?>azure - Issue with adding delegated Graph API permission to Enterprise app with Terraform - Stack Overflow

azure - Issue with adding delegated Graph API permission to Enterprise app with Terraform - Stack Overflow


I tried several things but still struggling to wrap my head around a very otherwise simple task.

  • I wanted to create an enterprise app using Terraform (Done. Created Service Principal & AzureAd Application)

Application Creation

# App registration for the OIDC enterprise app. required_resource_access only
# *declares* the delegated scopes the app will request; it grants nothing by
# itself. Keep this list in step with the claim_values consented in the
# delegated-permission grant, otherwise consented-but-undeclared scopes show
# up in the portal under "Other permissions granted".
resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners = distinct(var.ad_group_owners)

  required_resource_access {
    # Microsoft Graph, resolved from the well-known first-party app-ID list.
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # Delegated ("Scope") permission needed for OIDC sign-in.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    # Read the signed-in user's own profile only — the least-privilege
    # Graph scope for SSO (contrast with User.Read.All below).
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}

Service Principal

# Enterprise app (service principal) backing the registration above.
resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  # Owners are copied from the AD group's owner list; owners can reconfigure
  # the app, so membership of that group should be tightly controlled.
  owners                        = azuread_group.ad_group_oidc[0].owners
  preferred_single_sign_on_mode = "oidc"
  # Only users/groups explicitly assigned to the app may sign in; keep this
  # true so the app is not open to every user in the tenant.
  app_role_assignment_required  = true


  feature_tags {
    enterprise = true
  }

}

Now that the Application and Service Principal (the enterprise app) are created, I wanted to add Graph API access to it, so I followed the example from the Terraform provider documentation:

# Lookup of Microsoft's published first-party application IDs (e.g. MicrosoftGraph).
data "azuread_application_published_app_ids" "well_known" {}

# Exposes the well-known app-ID map for inspection. These IDs are public
# constants, not secrets, so printing them in plan/apply output is harmless.
output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
  
}

# Handle on the Microsoft Graph service principal that already exists in the
# tenant. use_existing = true means nothing new is created; it is needed to
# resolve scope names to IDs (oauth2_permission_scope_ids) and to supply the
# resource object ID for the delegated-permission grant.
resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

# Admin consent for the listed delegated scopes. No user_object_id is set, so
# the grant is tenant-wide (all principals).
# NOTE(review): User.Read.All lets the app read every user's profile in the
# directory — far broader than the User.Read declared on the registration —
# and because it is not declared there the portal lists it under
# "Other permissions granted". For plain OIDC sign-in, consent only to the
# declared scopes (openid, User.Read).
resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}

I do not entirely understand why I need to create a second service principal called "msgraph" (my guess is that it is only a lookup of the existing Microsoft Graph service principal, needed to resolve scope IDs and the grant's resource object ID), but here is my problem.

Now once I deploy this code, I get the following

My questions are:

  • Why is the RED circled area ("Other permissions granted") added, and how do I get rid of it?
  • How do I add other permissions such as `email`, `profile` and `offline_access` in the BLUE circled area?

I tried several things but still struggling to wrap my head around a very otherwise simple task.

  • I wanted to create an enterprise app using Terraform (Done. Created Service Principal & AzureAd Application)

Application Creation

# App registration for the OIDC enterprise app. required_resource_access only
# *declares* the delegated scopes the app will request; it grants nothing by
# itself. Keep this list in step with the claim_values consented in the
# delegated-permission grant, otherwise consented-but-undeclared scopes show
# up in the portal under "Other permissions granted".
resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners = distinct(var.ad_group_owners)

  required_resource_access {
    # Microsoft Graph, resolved from the well-known first-party app-ID list.
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # Delegated ("Scope") permission needed for OIDC sign-in.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    # Read the signed-in user's own profile only — the least-privilege
    # Graph scope for SSO (contrast with User.Read.All below).
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}

Service Principal

# Enterprise app (service principal) backing the registration above.
resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  # Owners are copied from the AD group's owner list; owners can reconfigure
  # the app, so membership of that group should be tightly controlled.
  owners                        = azuread_group.ad_group_oidc[0].owners
  preferred_single_sign_on_mode = "oidc"
  # Only users/groups explicitly assigned to the app may sign in; keep this
  # true so the app is not open to every user in the tenant.
  app_role_assignment_required  = true


  feature_tags {
    enterprise = true
  }

}

Now that the Application and Service Principal (the enterprise app) are created, I wanted to add Graph API access to it, so I followed the example from the Terraform provider documentation:

# Lookup of Microsoft's published first-party application IDs (e.g. MicrosoftGraph).
data "azuread_application_published_app_ids" "well_known" {}

# Exposes the well-known app-ID map for inspection. These IDs are public
# constants, not secrets, so printing them in plan/apply output is harmless.
output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
  
}

# Handle on the Microsoft Graph service principal that already exists in the
# tenant. use_existing = true means nothing new is created; it is needed to
# resolve scope names to IDs (oauth2_permission_scope_ids) and to supply the
# resource object ID for the delegated-permission grant.
resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

# Admin consent for the listed delegated scopes. No user_object_id is set, so
# the grant is tenant-wide (all principals).
# NOTE(review): User.Read.All lets the app read every user's profile in the
# directory — far broader than the User.Read declared on the registration —
# and because it is not declared there the portal lists it under
# "Other permissions granted". For plain OIDC sign-in, consent only to the
# declared scopes (openid, User.Read).
resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}

I do not entirely understand why I need to create a second service principal called "msgraph" (my guess is that it is only a lookup of the existing Microsoft Graph service principal, needed to resolve scope IDs and the grant's resource object ID), but here is my problem.

Now once I deploy this code, I get the following

My questions are:

  • Why is the RED circled area ("Other permissions granted") added, and how do I get rid of it?
  • How do I add other permissions such as `email`, `profile` and `offline_access` in the BLUE circled area?
  • Can't you manage the API permissions in Azure portal? – Tiny Wang Commented Jan 31 at 7:05
  • @TinyWang naaa cant use portal. Idea is to automate so that we don't need to give portal access. – New Programmer Commented Jan 31 at 8:04

2 Answers 2


If I understand correctly, you don't need the delegated-permission-grant part at all: that resource pre-grants admin consent, and consenting to a scope (`User.Read.All`) that the registration never declares is what produced the unexpected entry.

Remove the `azuread_service_principal_delegated_permission_grant` resource.

For adding more permissions to your app, add more resource blocks

This is how your application resource should look:

# Declares the delegated Graph scopes from a single list variable so the
# registration carries exactly the set you intend to request (and, if you
# later add an admin-consent grant, the same names can be reused there).
resource "azuread_application" "enterprise_app_oidc" {
  display_name = var.ent_app_display_name
  owners = distinct(var.ad_group_owners)



  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
    # One resource_access block per scope *name* in var.oauth2_permission_scope_ids;
    # the name is resolved to its GUID through the Graph service principal.
    dynamic "resource_access" {
      for_each = var.oauth2_permission_scope_ids
      content {
        id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids[resource_access.value]
        type = "Scope"
      }
    }
  }
  
}

To add permissions like `email`, `openid` etc., create a list variable. The `dynamic` block above iterates over it and declares one delegated permission per entry. Note that the variable holds scope *names* (despite the `_ids` suffix), and that the default below does not include `User.Read` — add it if your app calls Graph to read the signed-in user's profile.

# Delegated scope names for the Graph registration (resolved to GUIDs at plan
# time). openid/email/profile are standard OIDC sign-in scopes; offline_access
# additionally lets the app obtain refresh tokens, so include it only if the
# app needs sessions that outlive a single access token.
variable "oauth2_permission_scope_ids" {
  type        = list(string)
  default = [ "openid", "email", "profile", "offline_access" ]
}

Now this should give you the desired outcome.

The code you provided consents (via the delegated-permission grant) to `openid` and `User.Read.All` as delegated permissions, but the app registration's `required_resource_access` only declares `openid` and `User.Read`. A permission that has admin consent but is not declared on the registration is exactly what the portal lists under "Other permissions granted" — that is why `User.Read.All` appears in the red-circled area.

Here is updated code that declares `User.Read.All` on the registration so the declared and consented permission sets match. Be aware that this resolves the display issue by *widening* the app's declared permissions: `User.Read.All` allows the app to read every user's profile in the tenant. If the app only needs OIDC sign-in, the least-privilege fix is instead to drop `User.Read.All` from `claim_values` and consent only to `openid` and `User.Read`.

# Placeholder tenant ID for the example; supply the real tenant GUID through a
# variable or ARM_TENANT_ID rather than hard-coding it in source.
provider "azuread" {
  tenant_id = "2a"
}
# Identity running Terraform; used below as the owner of the app and its SP.
data "azuread_client_config" "current" {}

# Lookup of Microsoft's published first-party application IDs (e.g. MicrosoftGraph).
data "azuread_application_published_app_ids" "well_known" {}

# Exposes the well-known app-ID map for inspection; these IDs are public
# constants, not secrets.
output "data_from_well_known" {
  value = data.azuread_application_published_app_ids.well_known.result
}

# Existing Microsoft Graph service principal in the tenant (use_existing = true
# creates nothing). Needed to resolve scope names to IDs and to supply the
# resource object ID for the delegated-permission grant.
resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

# App registration with the declared scopes aligned to the grant below, so
# nothing lands in "Other permissions granted".
resource "azuread_application" "enterprise_app_oidc" {
  display_name = "demoapp-Ad"
  owners = [data.azuread_client_config.current.object_id]

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    # OIDC sign-in.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    # Signed-in user's own profile (least privilege for SSO).
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
    # NOTE(review): added only so the declared set matches claim_values.
    # User.Read.All reads every user's profile in the tenant; remove it here
    # AND from the grant if the app does not actually need directory-wide reads.
    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read.All"]
      type = "Scope"
    }
  }
}

# Enterprise app (service principal) for the registration above.
resource "azuread_service_principal" "enterprise_app_sp_oidc" {
  client_id                     = azuread_application.enterprise_app_oidc.client_id
  owners                        = [data.azuread_client_config.current.object_id]
  preferred_single_sign_on_mode = "oidc"
  # Restrict sign-in to explicitly assigned users/groups.
  app_role_assignment_required  = true


  feature_tags {
    enterprise = true
  }
}

# Tenant-wide admin consent (no user_object_id, so all principals) for the
# listed delegated scopes. Every name here must also be declared in
# required_resource_access above, or it reappears under "Other permissions
# granted". NOTE(review): User.Read.All is a broad directory-read scope —
# consent to it only if the app genuinely needs to read other users' profiles.
resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.enterprise_app_sp_oidc.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}

Terraform apply

After running the code, the delegated permissions have been added to the application with admin consent, and the declared and consented sets now match, so nothing appears under "Other permissions granted".

Output:
