Manages a permission scope for an application registration.

This resource is analogous to the `oauth2_permission_scope` block in the `api` block of the `azuread_application` resource. When using these resources together, you should use the `ignore_changes` lifecycle meta-argument (see example below).
The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`.

When authenticated with a user principal, this resource may require one of the following directory roles: `Application Administrator` or `Global Administrator`.
```hcl
resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "random_uuid" "example_administer" {}

resource "azuread_application_permission_scope" "example" {
  # Reference the registration declared above (it is named "example", not "test").
  application_id = azuread_application_registration.example.id
  scope_id       = random_uuid.example_administer.id
  value          = "administer"

  admin_consent_description  = "Administer the application"
  admin_consent_display_name = "Administer"

  # Also required by this resource (see the argument reference below).
  user_consent_description  = "Administer the application on your behalf"
  user_consent_display_name = "Administer"
}
```
Usage with `azuread_application` resource

```hcl
resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    ignore_changes = [
      api[0].oauth2_permission_scope,
    ]
  }
}

resource "azuread_application_permission_scope" "example" {
  application_id = azuread_application.example.id
  # ...
}
```
The following arguments are supported:

- `admin_consent_description` - (Required) Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- `admin_consent_display_name` - (Required) Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- `application_id` - (Required) The resource ID of the application registration. Changing this forces a new resource to be created.
- `scope_id` - (Required) The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
- `type` - (Required) Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
- `user_consent_description` - (Required) Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- `user_consent_display_name` - (Required) Display name for the delegated permission that appears in the end user consent experience.
- `value` - (Optional) The value that is used for the `scp` claim in OAuth access tokens.

No additional attributes are exported.
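The following configuration is an added example, not taken from the provider documentation, showing how the arguments above fit together when one application carries two scopes with different consent requirements. It assumes the `type` argument accepts the values `User` and `Admin` (the values used by the provider schema; they are not listed on this page), and the scope values, descriptions and resource names are constructed for illustration.

```hcl
# Added example: one application, two delegated permission scopes managed
# as separate resources. Names and scope values are constructed.
resource "azuread_application" "api" {
  display_name = "example-api"

  lifecycle {
    # The scopes are owned by the azuread_application_permission_scope
    # resources below, so Terraform must not manage them inline here.
    ignore_changes = [
      api[0].oauth2_permission_scope,
    ]
  }
}

resource "random_uuid" "scope_read" {}
resource "random_uuid" "scope_administer" {}

# Low-risk scope: end users may consent to it on their own behalf.
resource "azuread_application_permission_scope" "read" {
  application_id = azuread_application.api.id
  scope_id       = random_uuid.scope_read.id
  value          = "data.read"
  type           = "User" # assumed value from the provider schema

  admin_consent_description  = "Allow the app to read data on behalf of the signed-in user"
  admin_consent_display_name = "Read data"
  user_consent_description   = "Allow the app to read your data"
  user_consent_display_name  = "Read your data"
}

# Privileged scope: an administrator must consent, so users cannot grant
# the application this access to their own accounts.
resource "azuread_application_permission_scope" "administer" {
  application_id = azuread_application.api.id
  scope_id       = random_uuid.scope_administer.id
  value          = "administer"
  type           = "Admin" # assumed value from the provider schema

  admin_consent_description  = "Allow the app to administer the API on behalf of the signed-in user"
  admin_consent_display_name = "Administer the API"
  user_consent_description   = "Allow the app to administer the API on your behalf"
  user_consent_display_name  = "Administer the API"
}

# Map each scp claim value to its scope ID, e.g. for use in the import command.
output "scope_ids" {
  value = {
    "data.read"  = azuread_application_permission_scope.read.scope_id
    "administer" = azuread_application_permission_scope.administer.scope_id
  }
}
```

Keeping scopes that grant broad access on `type = "Admin"` is the check worth making in review: a `User`-type scope can be self-consented by any user in the tenant, so the consent prompt, rather than an administrator, becomes the only gate on that access.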
Application permission scopes can be imported using the object ID of the application and the ID of the permission scope, in the following format.

```shell
terraform import azuread_application_permission_scope.example /applications/00000000-0000-0000-0000-000000000000/permissionScopes/11111111-1111-1111-1111-111111111111
```