hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Create azuread_application failed: Property api.requestedAccessTokenVersion is invalid. #1374

Open jakubslonxlab opened 2 months ago

jakubslonxlab commented 2 months ago

Community Note

Terraform (and AzureAD Provider) Version

Terraform 1.5.7 
Azuread provider: 

Affected Resource(s)

We are not setting a property for the api block on the resource. We have changed the permissions as part of our investigation, but this did not affect the behaviour.

Terraform Configuration Files

resource.tf 

resource "azuread_application" "sp_application" {
  display_name = "[${var.service_principal_name}"

  # Only emit the block when at least one Graph permission is requested.
  dynamic "required_resource_access" {
    for_each = length(concat(var.graph_api_application_permissions, var.graph_api_delegated_permissions)) == 0 ? [] : ["trigger create"]
    content {
      resource_app_id = local.microsoft_graph_resource_app_id
      # Delegated permissions (type = "Scope"), looked up by name.
      dynamic "resource_access" {
        iterator = permission_name
        for_each = var.graph_api_delegated_permissions
        content {
          id   = local.delegated_permissions[permission_name.value]
          type = "Scope"
        }
      }
      # Application permissions (type = "Role"), looked up by name.
      dynamic "resource_access" {
        iterator = permission_name
        for_each = var.graph_api_application_permissions
        content {
          id   = local.application_permissions[permission_name.value]
          type = "Role"
        }
      }
    }
  }
}

Permissions that we assign:

graph_api_application_permissions = [
    "Application.ReadWrite.All",
    "Policy.ReadWrite.ApplicationConfiguration",
    "Policy.Read.All",
    "Group.ReadWrite.All",
    "User.Read.All"
  ]

Expected Behavior

Create the azuread_application resource:

+ resource "azuread_application" "azuread_application_name" {
      + app_role_ids                = (known after apply)
      + application_id              = (known after apply)
      + client_id                   = (known after apply)
      + disabled_by_microsoft       = (known after apply)
      + display_name                = "Display name goes here"
      + id                          = (known after apply)
      + logo_url                    = (known after apply)
      + oauth2_permission_scope_ids = (known after apply)
      + object_id                   = (known after apply)
      + prevent_duplicate_names     = false
      + publisher_domain            = (known after apply)
      + sign_in_audience            = "AzureADMyOrg"
      + tags                        = (known after apply)
      + template_id                 = (known after apply)

      + required_resource_access {
          + resource_app_id = "resource-app-id-goes-here"

          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
          + resource_access {
              + id   = "resource-access-id-goes-here"
              + type = "Role"
            }
        }
    }

Actual Behavior

Error: Could not create application

  with module./azuread-application.azuread_application.azuread_application_name,
  on .terraform/modules/azuread-application/main.tf line 1, in resource "azuread_application" "azuread_application_name":
   1: resource "azuread_application" "azuread_application_name" {

ApplicationsClient.BaseClient.Post(): unexpected status 400 with OData error:
InvalidAccessTokenVersion: Property api.requestedAccessTokenVersion is
invalid.

Steps to Reproduce

  1. terraform plan
  2. terraform apply -> fails

manicminer commented 2 months ago

Hi @jakubslonxlab, thanks for opening this issue. By default, the azuread_application resource sets requested_access_token_version = 1, which is the same default value as the API. If you are getting this error, it suggests that for one reason or another the application must have this property set to 2. Can you try adding the following to your configuration?

resource "azuread_application" "sp_application" {
  # ...

  api {
    requested_access_token_version = 2
  }
}
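An added pre-apply check, not part of the issue thread or of the provider's own code. Microsoft Graph requires api.requestedAccessTokenVersion to be 2 when signInAudience is AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount, which is the documented reason the property is reported as invalid; the plan above shows sign_in_audience = "AzureADMyOrg", so that rule alone does not explain this particular report, but it is the common cause and cheap to catch before apply. The script reads the output of `terraform show -json <planfile>`, assumes the provider default of 1 when the api block is omitted (as the maintainer states above), and runs on a constructed sample plan embedded inline; the resource addresses and display names in that sample are made up for illustration.

```python
"""Flag azuread_application changes whose planned sign_in_audience needs
api.requested_access_token_version = 2 but the plan leaves it at 1.

Input is the JSON emitted by `terraform show -json <planfile>`.
"""
import json
import sys

# Constructed sample plan (not from the issue); shape follows `terraform show -json`.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {   # single tenant, api block omitted: provider default of 1 is fine
            "address": "module.azuread-application.azuread_application.app_single_tenant",
            "type": "azuread_application",
            "change": {"actions": ["create"], "after": {
                "display_name": "single tenant app",
                "sign_in_audience": "AzureADMyOrg",
                "api": [],
            }},
        },
        {   # personal accounts allowed but token version left at 1: Graph rejects this
            "address": "module.azuread-application.azuread_application.app_msa_v1",
            "type": "azuread_application",
            "change": {"actions": ["create"], "after": {
                "display_name": "multi-tenant plus personal accounts, v1",
                "sign_in_audience": "AzureADandPersonalMicrosoftAccount",
                "api": [{"requested_access_token_version": 1}],
            }},
        },
        {   # personal accounts with version 2 explicitly set: accepted
            "address": "module.azuread-application.azuread_application.app_msa_v2",
            "type": "azuread_application",
            "change": {"actions": ["update"], "after": {
                "display_name": "personal accounts, v2",
                "sign_in_audience": "PersonalMicrosoftAccount",
                "api": [{"requested_access_token_version": 2}],
            }},
        },
        {   # deletions carry no "after" state and are skipped
            "address": "azuread_application.app_removed",
            "type": "azuread_application",
            "change": {"actions": ["delete"], "after": None},
        },
    ],
})

# signInAudience values for which Graph insists on requestedAccessTokenVersion = 2.
AUDIENCES_REQUIRING_V2 = {"AzureADandPersonalMicrosoftAccount", "PersonalMicrosoftAccount"}
# Assumed provider default when the api block is omitted (per the maintainer's comment).
PROVIDER_DEFAULT_VERSION = 1


def planned_token_version(after):
    """Return the token version the plan will send; nested blocks appear as lists."""
    api_blocks = after.get("api") or []
    if not api_blocks:
        return PROVIDER_DEFAULT_VERSION
    return api_blocks[0].get("requested_access_token_version") or PROVIDER_DEFAULT_VERSION


def find_token_version_mismatches(plan_json):
    """Return (address, sign_in_audience, planned_version) for each offending app."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azuread_application":
            continue
        after = rc.get("change", {}).get("after")
        if not after:  # deletes and unknown-after changes have nothing to check
            continue
        audience = after.get("sign_in_audience", "AzureADMyOrg")
        version = planned_token_version(after)
        if audience in AUDIENCES_REQUIRING_V2 and version != 2:
            findings.append((rc["address"], audience, version))
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json plan.out | python check_token_version.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    for address, audience, version in find_token_version_mismatches(data):
        print(f"{address}: sign_in_audience={audience} needs "
              f"api.requested_access_token_version = 2 (planned {version})")
```

Run it in CI between `terraform plan -out=plan.out` and `terraform apply plan.out`; a non-empty result is the same condition Graph would reject at apply time with InvalidAccessTokenVersion, surfaced before any write to the tenant.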