azuread_application_identifier_uri without verified domain not applying on first attempt

[nbaju1]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

Terraform v1.8.1 AzureAD Provider: 2.49.0

Affected Resource(s)

• azuread_application_identifier_uri

Terraform Configuration Files

(Note that I use the CDKTF for Python, so the example is a manually written mock-up of the actual configuration)

resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    ignore_changes = [
      identifier_uris,
    ]
  }
}

resource "azuread_service_principal" "example_sp" {
  client_id = azuread_application.example.client_id
}

resource "azuread_application_identifier_uri" "example_uri" {
  application_id = azuread_application.example.id
  identifier_uri = "https://non-verified-host.com"
}

Debug Output

│ Error: creating Application IdentifierUri (Application ID: <redacted>", IdentifierUri ID: "<redacted>"): ApplicationsClient.BaseClient.Patch(): unexpected status 400 with OData error: HostNameNotOnVerifiedDomain: Values of identifierUris property must use a verified domain of the organization or its subdomain: 'https://non-verified-host.com'
│ 
│   with azuread_application_identifier_uri.example_uri,
│   on cdk.tf.json line 90, in resource.azuread_application_identifier_uri.example_uri:
│   90:       }
│ 
│ creating Application IdentifierUri (Application ID:
│ "<redacted>", IdentifierUri ID:
│ "<redacted>"):
│ ApplicationsClient.BaseClient.Patch(): unexpected status 400 with OData
│ error: HostNameNotOnVerifiedDomain: Values of identifierUris property must
│ use a verified domain of the organization or its subdomain:
│ 'https://non-verified-host.com'

Expected Behavior

Applies identifier URI after application creation.

Actual Behavior

Creates application, but fails on applying the identifier URI.

Steps to Reproduce

1. terraform plan
2. terraform apply

Workarounds

• Re-running terraform apply with same configuration applies the identifier URI without error.
• If a corresponding service principal is added to the configuration, and a depends_on = azuread_service_principal.example_sp is added to the azuread_application_identifier_uri resource, the identifier URI is applied without error.

[nbaju1]

Just realized that the first workaround is basically the same as the second. Creating the URI resource after the service principal is created will allow the unverified domain. Which is most likely due to identifierUris being used for both application registration identifier and SAML SSO config, where there is much more freedom in the syntax of the identifier compared to the identifier on the application registration. So I assume this won't work at all for bare application registrations.