Manages a delegated permission grant for a service principal, on behalf of a single user, or all users.
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires the following application role: Directory.ReadWrite.All
When authenticated with a user principal, this resource requires one of the following directory roles: Global Administrator
Delegated permission grant for all users
```hcl
data "azuread_application_published_app_ids" "well_known" {}

# Service principal for Microsoft Graph in this tenant (the resource being accessed)
resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

# Client application that will call Microsoft Graph on behalf of users
resource "azuread_application" "example" {
  display_name = "example"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# No user_object_id: the grant is consented for all users in the tenant.
# claim_values are scope names as defined by the resource (here Microsoft Graph);
# User.Read.All is an admin-consent scope, broader than the User.Read requested above.
resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.example.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
}
```
Delegated permission grant for a single user
```hcl
data "azuread_application_published_app_ids" "well_known" {}

# Service principal for Microsoft Graph in this tenant (the resource being accessed)
resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

# Client application that will call Microsoft Graph on behalf of the user
resource "azuread_application" "example" {
  display_name = "example"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["openid"]
      type = "Scope"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# The user on whose behalf the grant is made
resource "azuread_user" "example" {
  display_name        = "J. Doe"
  user_principal_name = "jdoe@hashicorp.com"
  mail_nickname       = "jdoe"
  password            = "SecretP@sswd99!" # example value only; supply real credentials via a variable or secret store
}

# user_object_id scopes the consent to this single user instead of the whole tenant
resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.example.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["openid", "User.Read.All"]
  user_object_id                       = azuread_user.example.object_id
}
```
The following arguments are supported:

- claim_values - (Required) A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource_service_principal_object_id - (Required) The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service_principal_object_id - (Required) The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user_object_id - (Optional) The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

In addition to all arguments above, the following attributes are exported:
- id - The ID of the delegated permission grant.

Delegated permission grants can be imported using their ID, e.g.

```shell
terraform import azuread_service_principal_delegated_permission_grant.example aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
```
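The arguments above map one-to-one onto the Microsoft Graph oAuth2PermissionGrant object the resource creates: service_principal_object_id is the grant's clientId, resource_service_principal_object_id its resourceId, claim_values its space-separated scope string, and an omitted user_object_id corresponds to consentType AllPrincipals (a set one to consentType Principal with principalId). The following added audit script is not part of this provider documentation or the provider's own code. It works offline over constructed sample records in the shape returned by GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants (all object IDs and the grant IDs are made-up placeholders), translates each record back into the resource's argument values, emits the HCL block and terraform import command needed to adopt an existing grant into state, and flags tenant-wide grants that carry scopes from an assumed, constructed list of admin-consent scopes.

```python
"""Audit Microsoft Graph delegated permission grants and map them back to
azuread_service_principal_delegated_permission_grant arguments.

Added example; the sample records and the admin-consent scope list are
constructed for illustration, not taken from a real tenant.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed records in the shape of /v1.0/oauth2PermissionGrants results.
# IDs below are placeholders, not real object IDs.
SAMPLE_GRANTS = [
    {
        "id": "grant-all-users-example",
        "clientId": "00000000-0000-0000-0000-000000000001",    # service_principal_object_id
        "consentType": "AllPrincipals",                        # user_object_id omitted
        "principalId": None,
        "resourceId": "00000000-0000-0000-0000-0000000000aa",  # resource_service_principal_object_id
        "scope": " openid User.Read.All",                      # claim_values, space separated (Graph may pad it)
    },
    {
        "id": "grant-single-user-example",
        "clientId": "00000000-0000-0000-0000-000000000001",
        "consentType": "Principal",                            # user_object_id set
        "principalId": "00000000-0000-0000-0000-0000000000bb",
        "resourceId": "00000000-0000-0000-0000-0000000000aa",
        "scope": "openid User.Read",
    },
]

# Assumed set of scopes that need admin consent for this audit. In a real
# audit derive it from the resource's oauth2PermissionScopes instead.
ADMIN_CONSENT_SCOPES = {"User.Read.All", "Directory.Read.All", "Directory.ReadWrite.All"}


@dataclass
class GrantArgs:
    """Argument values of azuread_service_principal_delegated_permission_grant."""
    service_principal_object_id: str
    resource_service_principal_object_id: str
    claim_values: list[str]
    user_object_id: Optional[str]


def to_terraform_args(grant: dict) -> GrantArgs:
    """Translate one Graph grant record into the resource's arguments."""
    consent = grant["consentType"]
    if consent == "AllPrincipals":
        user = None                      # consented for all users
    elif consent == "Principal":
        user = grant["principalId"]      # consented for a single user
    else:
        raise ValueError(f"unexpected consentType {consent!r}")
    return GrantArgs(
        service_principal_object_id=grant["clientId"],
        resource_service_principal_object_id=grant["resourceId"],
        claim_values=grant["scope"].split(),   # split() also drops Graph's padding
        user_object_id=user,
    )


def render_hcl(grant: dict, name: str) -> str:
    """Render the HCL block that would manage this grant (object IDs inlined)."""
    a = to_terraform_args(grant)
    values = ", ".join(f'"{v}"' for v in a.claim_values)
    lines = [
        f'resource "azuread_service_principal_delegated_permission_grant" "{name}" {{',
        f'  service_principal_object_id          = "{a.service_principal_object_id}"',
        f'  resource_service_principal_object_id = "{a.resource_service_principal_object_id}"',
        f'  claim_values                         = [{values}]',
    ]
    if a.user_object_id is not None:     # omit the argument for all-users grants
        lines.append(f'  user_object_id                       = "{a.user_object_id}"')
    lines.append("}")
    return "\n".join(lines)


def render_import_command(grant: dict, name: str) -> str:
    """Command to adopt an existing grant into Terraform state by its ID."""
    return (f"terraform import "
            f"azuread_service_principal_delegated_permission_grant.{name} {grant['id']}")


def find_tenant_wide_privileged(grants: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (grant id, offending scopes) for all-users grants carrying
    any scope from ADMIN_CONSENT_SCOPES; single-user grants are skipped."""
    findings = []
    for g in grants:
        args = to_terraform_args(g)
        if args.user_object_id is not None:
            continue
        bad = sorted(set(args.claim_values) & ADMIN_CONSENT_SCOPES)
        if bad:
            findings.append((g["id"], bad))
    return findings


if __name__ == "__main__":
    for idx, g in enumerate(SAMPLE_GRANTS):
        print(render_hcl(g, f"grant_{idx}"))
        print(render_import_command(g, f"grant_{idx}"), end="\n\n")
    for grant_id, scopes in find_tenant_wide_privileged(SAMPLE_GRANTS):
        print(f"review: {grant_id} grants {scopes} to all users")
```

Run against real data by replacing SAMPLE_GRANTS with the value array of a Graph oauth2PermissionGrants query; the rendered HCL uses literal object IDs, so swap them for the resource references shown in the examples above once the grant is under Terraform management.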