How to use `azuread_application_pre_authorized` with the authorizing application being msgraph

[penenkel]

With the application_object_id argument being deprecated and the new application_id argument expecting a resource id (i.e. a terraform application id?), how can I specify MicrosoftGraph?

I have tried

• data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph which should be an Azure application id aka client_id
• data.azuread_service_principal.msgraph.object_id
  which should be an Azure object_id and is defined via

  data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  } 

  neither of which is of the format expected by the application_id argument which is apparently something like applications/<uuid> which seems to be a terraform specific resource id.

[penenkel]

The correct answer is: you don't, use azuread_app_role_assignment instead.

resource "azuread_app_role_assignment" "example_app_may_acsess_msgraph_to_send_mail" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["Mail.Send"]
  principal_object_id = azuread_service_principal.example_app.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

As an explanation:

• MicrosoftGraph delegated permissions -> these are "scopes" in OAuth parlance -> use azuread_service_principal_delegated_permission_grant
• MicrosoftGraph application permissions -> these are "roles" in OAuth parlance
  -> use azuread_app_role_assignment
• to allow other application to access your own (as an application) -> use azuread_application_pre_authorized