hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Add and grant admin consent for the "Azure VPN" enterprise application #1341

Closed samuelb closed 3 months ago

samuelb commented 3 months ago

Hello

I want to add and grant consent for the "Azure VPN" enterprise application as described at https://learn.microsoft.com/en-us/azure/virtual-wan/openvpn-azure-ad-tenant#enable-authentication by using Terraform. Additionally, I aim to manage its users and groups using Terraform too. However, I couldn't figure out how to express this in Terraform.

As I understood it, this Azure VPN enterprise application is neither an application template nor a new application I'm creating in my Entra ID. It's some existing application within Azure, and I don't know how to write the Terraform code to address it.

Any guidance or insights on how to achieve this would be greatly appreciated. Thanks!

manicminer commented 3 months ago

Hi @samuelb, thanks for opening this issue. Normally we ask that usage questions are raised on our Discuss site or in our community Slack org (details in the project readme).

However, since this application uses delegated grants (i.e. oauth2 scopes), I believe you'll need to use the azuread_service_principal_delegated_permission_grant resource.

You will need the client ID of the Azure VPN application in order to create a service principal for this application in your tenant, which you can get from the azuread_application_published_app_ids data source where it's labelled "AzureVPN":

data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "azurevpn" {
  application_id = data.azuread_application_published_app_ids.well_known.result.AzureVPN
  use_existing   = true
}

You'll also need the object ID of a service principal representing the resource you're granting access to, in this case Microsoft Graph.

resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

Lastly, you'll need to specify the scopes to grant. I usually find these by following the admin consent flow manually and inspecting the resulting principal, which in this case yielded User.Read and User.ReadBasic.All:

resource "azuread_service_principal_delegated_permission_grant" "example" {
  service_principal_object_id          = azuread_service_principal.azurevpn.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["User.Read", "User.ReadBasic.All"]
}

I recommend using the MS Graph Explorer for easily inspecting service principals to see the scopes and/or roles they publish or consume. Remember that "Enterprise Application" is just a legacy euphemism for service principals. Hope this helps!

Since, as mentioned above, this is more of a usage question and we try to keep GitHub issues for bug reports & feature requests, I'll close out this issue - but you are welcome to join our Slack group where you'll likely get quicker answers for any usage questions :)
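The question also asked about managing which users and groups may use the VPN. The following is an added example, not code from the issue or the provider's documentation: it ties the three resources from the answer together, requires explicit assignment on the service principal so that only assigned principals can sign in, and assigns one security group. The group name "vpn-users" is a placeholder; the all-zero app role ID is the default-access role used for applications that publish no app roles.

```hcl
# Added example, not the maintainer's code. Assumes an existing security group
# named "vpn-users" (placeholder) in the tenant.

data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "azurevpn" {
  application_id = data.azuread_application_published_app_ids.well_known.result.AzureVPN
  use_existing   = true

  # Least privilege: without this, any user in the tenant can sign in to the
  # VPN once consent is granted. With it, only assigned users/groups can.
  app_role_assignment_required = true
}

resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

# Tenant-wide admin consent for exactly the two delegated scopes observed
# in the manual consent flow; anything broader should be a deliberate change.
resource "azuread_service_principal_delegated_permission_grant" "azurevpn" {
  service_principal_object_id          = azuread_service_principal.azurevpn.object_id
  resource_service_principal_object_id = azuread_service_principal.msgraph.object_id
  claim_values                         = ["User.Read", "User.ReadBasic.All"]
}

# Placeholder group; manage membership in Terraform (azuread_group) or
# reference an existing group as done here.
data "azuread_group" "vpn_users" {
  display_name     = "vpn-users"
  security_enabled = true
}

# Assign the group to the Azure VPN service principal. The all-zero GUID is
# the default-access app role for apps that do not declare their own roles.
resource "azuread_app_role_assignment" "vpn_users" {
  app_role_id         = "00000000-0000-0000-0000-000000000000"
  principal_object_id = data.azuread_group.vpn_users.object_id
  resource_object_id  = azuread_service_principal.azurevpn.object_id
}
```

After apply, the Enterprise Applications blade for "Azure VPN" should show the group under Users and groups and the two scopes under Permissions; a drift in either is visible in the next plan.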