Resource: azuread_service_principal

Manages a service principal associated with an application within Azure Active Directory.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Application.ReadWrite.OwnedBy or Application.ReadWrite.All. Application.ReadWrite.OwnedBy is the least-privilege choice: it only lets the caller manage applications and service principals it owns, which is why the examples below add the deploying identity to owners. Application.ReadWrite.All grants control over every application in the tenant and should be reserved for automation that genuinely needs it.

When authenticated with a user principal, this resource may require one of the following directory roles: Application Administrator or Global Administrator

Example Usage

Create a service principal for an application

data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name = "example"
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal" "example" {
  client_id                    = azuread_application.example.client_id
  # false: Azure AD will issue tokens for any user in the tenant who signs in.
  # Set to true to require an explicit user or group assignment first.
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]
}

Create a service principal for an enterprise application

data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name = "example"
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal" "example" {
  client_id                    = azuread_application.example.client_id
  # false: any user in the tenant can sign in; true requires an assignment.
  app_role_assignment_required = false
  owners                       = [data.azuread_client_config.current.object_id]

  # Tags the service principal so the portal lists it under Enterprise
  # Applications and treats it as a gallery application.
  feature_tags {
    enterprise = true
    gallery    = true
  }
}

Manage a service principal for a first-party Microsoft application

data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  # First-party Microsoft applications usually already have a service principal
  # in the tenant; use_existing adopts it instead of failing with an import error.
  use_existing = true
}

Create a service principal for an application created from a gallery template

data "azuread_application_template" "example" {
  display_name = "Marketo"
}

resource "azuread_application" "example" {
  display_name = "example"
  template_id  = data.azuread_application_template.example.template_id
}

resource "azuread_service_principal" "example" {
  client_id    = azuread_application.example.client_id
  # Instantiating a gallery template creates the service principal together with
  # the application, so the existing one must be adopted rather than created.
  use_existing = true
}
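Create a service principal that requires an assignment before sign-in

The examples above leave app_role_assignment_required at false, which lets any user in the tenant obtain a token for the application. The following configuration is an added example, not part of the provider documentation: it sets the hardened value and grants access to a single security group. It assumes the azuread_group and azuread_app_role_assignment resources from the same provider, and that the all-zero GUID is accepted as the default access role ID when the application defines no custom app roles.

```hcl
data "azuread_client_config" "current" {}

resource "azuread_application" "example" {
  display_name = "example"
  owners       = [data.azuread_client_config.current.object_id]
}

resource "azuread_service_principal" "example" {
  client_id = azuread_application.example.client_id
  owners    = [data.azuread_client_config.current.object_id]

  # Hardened setting: Azure AD only issues tokens to users and groups that have
  # been explicitly assigned to this service principal.
  app_role_assignment_required = true
}

# Assumed resource: a security group that controls who may sign in.
resource "azuread_group" "app_users" {
  display_name     = "example-app-users"
  security_enabled = true
  owners           = [data.azuread_client_config.current.object_id]
}

# Assumed resource: assigns the group the default access role (all-zero GUID)
# on the service principal, so members can sign in without the application
# defining any custom app roles. Anyone outside the group is refused a token.
resource "azuread_app_role_assignment" "app_users" {
  app_role_id         = "00000000-0000-0000-0000-000000000000"
  principal_object_id = azuread_group.app_users.object_id
  resource_object_id  = azuread_service_principal.example.object_id
}
```

Keeping the assignment in Terraform alongside the service principal means a later `terraform plan` surfaces any group or role added outside the configuration, which is the drift a reviewer most wants to see for a sign-in gate.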

Argument Reference

The following arguments are supported:


feature_tags block supports the following:


saml_single_sign_on supports the following:

Attributes Reference

In addition to all arguments above, the following attributes are exported:


app_roles is a list of objects with the following attributes:


oauth2_permission_scopes is a list of objects with the following attributes:

Import

Service principals can be imported using their object ID (the object_id attribute of the service principal itself, not the application's object ID and not the client_id), e.g.

terraform import azuread_service_principal.example 00000000-0000-0000-0000-000000000000