Resource: azuread_application_permission_scope

Manages a permission scope for an application registration.

This resource is analogous to the oauth2_permission_scope block in the api block of the azuread_application resource. The azuread_application resource manages the complete set of permission scopes on the application, so if you define scopes with both resources without further configuration, each plan will try to remove the scopes created by the other. When using these resources together, you should use the ignore_changes lifecycle meta-argument on the azuread_application resource (see example below).

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All. Application.ReadWrite.OwnedBy is the narrower of the two, as it only covers applications the service principal owns, and should be preferred where it is sufficient.

When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator

Example Usage

resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "random_uuid" "example_administer" {}

resource "azuread_application_permission_scope" "example" {
  application_id = azuread_application_registration.example.id
  scope_id       = random_uuid.example_administer.id
  value          = "administer"

  admin_consent_description  = "Administer the application"
  admin_consent_display_name = "Administer"
}

Usage with azuread_application resource

resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    ignore_changes = [
      api[0].oauth2_permission_scope,
    ]
  }
}

resource "azuread_application_permission_scope" "example" {
  application_id = azuread_application.example.id
  # ...
}
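The following is an added example and not part of the provider documentation or the provider's own code. It extends the examples above to manage several permission scopes on one application registration with for_each, generating one random_uuid per scope so that scope IDs stay stable across applies. The scope names, descriptions and the `api` resource name are constructed for illustration. The `type` argument (values "Admin" and "User") is an assumption about the upstream resource schema, as it is not shown in this page's argument reference; it controls whether the scope can be consented to by end users or only by an administrator, which is the security-relevant property of a scope.

```hcl
# Added example, not from the provider docs: several permission scopes on one
# application registration, each with its own stable UUID.
resource "azuread_application_registration" "api" {
  display_name = "example-api"
}

locals {
  # Constructed sample scopes. "type" is assumed to follow the upstream schema:
  # "User"  -> end users may consent to the scope themselves
  # "Admin" -> only an administrator may consent
  scopes = {
    "Data.Read" = {
      type               = "User"
      admin_display_name = "Read data"
      admin_description  = "Allows the app to read data on behalf of the signed-in user"
    }
    "Data.Administer" = {
      type               = "Admin"
      admin_display_name = "Administer data"
      admin_description  = "Allows the app to administer all data; requires admin consent"
    }
  }
}

# One UUID per scope, keyed by scope value, so renaming or removing a scope
# does not shift the IDs of the others.
resource "random_uuid" "scope" {
  for_each = local.scopes
}

resource "azuread_application_permission_scope" "scope" {
  for_each = local.scopes

  application_id = azuread_application_registration.api.id
  scope_id       = random_uuid.scope[each.key].id
  value          = each.key
  type           = each.value.type # assumed argument, see lead-in

  admin_consent_display_name = each.value.admin_display_name
  admin_consent_description  = each.value.admin_description
}
```

If the registration is instead declared with azuread_application, add the ignore_changes block shown in the previous example to it, otherwise the two resources will repeatedly add and remove the scopes defined here.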

Argument Reference

The following arguments are supported:

Attributes Reference

No additional attributes are exported.

Import

Application permission scopes can be imported using the object ID of the application and the ID of the permission scope, in the following format.

terraform import azuread_application_permission_scope.example /applications/00000000-0000-0000-0000-000000000000/permissionScopes/11111111-1111-1111-1111-111111111111