Closed grtn316 closed 2 years ago
Hi @grtn316, thanks for noting this. This is on our roadmap and we're planning to switch to using Microsoft Graph for all AAD operations in v3.0, since this will be a breaking change for users due to the difference in permissions which will be needed.
Thanks for the update. Do you happen to know how far out v3.0 is?
@grtn316 We don't have a timeframe at this stage as we're still early in planning/scoping.
This is already breaking as you can't assign the Azure AD Graph API to applications anymore. It's simply grayed out.
For me this results in issues deploying with Terraform.
╷
│ Error: Retrieving group with object ID: "<id>"
│
│ with data.azuread_group.admins,
│ on ad.tf line 1, in data "azuread_group" "admins":
│ 1: data "azuread_group" "admins" {
│
│ graphrbac.GroupsClient#Get: Failure responding to request: StatusCode=403
│ -- Original Error: autorest/azure: Service returned an error. Status=403
│ Code="Unknown" Message="Unknown service error"
│ Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2021-10-20T13:07:28","message":{"lang":"en","value":"Insufficient
│ privileges to complete the
│ operation."},"requestId":"<ID>"}}]
╵
I upgraded my az to 2.30.0 which introduced MSAL related breaking change and my terraform (azurerm=2.83.0) stopped working with
│ Error: building account: getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: Could not retrieve token from local cache. Please run 'az login'.
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on main.tf line 8, in provider "azurerm":
│ 8: provider "azurerm" {
Is this related?
Update: downgrading to az=2.28 and running az login fixes this.
@dohnto I've been doing some testing with the new az-cli version 2.30.0 and it's working great for me with single-tenant auth.
However, I've noticed that it's likely to fail when using multi-tenant auth (i.e. specifying auxiliary_tenant_ids) - are you perhaps using that? I believe we'll be able to get a fix out for this soon.
We are using multiple tenants via provider alias and it's not working anymore with az-cli 2.30. The error message is:
│ Error: building account: getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: The command failed with an unexpected error. Here is the traceback:
│ ERROR: [Errno 2] No such file or directory
│ Traceback (most recent call last):
│ File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/command_operation.py", line 352, in handler
│ client = self.client_factory(self.cli_ctx) if self.client_factory else None
│ TypeError: get_graph_client_signed_in_users() missing 1 required positional argument: '_'
@DaveOHenry That looks like an az-cli error, I'd suggest removing your ~/.azure directory and signing in again. The provider runs the commands az account get-access-token and az ad signed-in-user show, you'll want to make sure you can run these in your terminal without error.
If you are explicitly using multi-tenant auth (e.g. via auxiliary_tenant_ids / ARM_AUXILIARY_TENANT_IDS), there is a known issue for which we have a fix incoming.
Thanks for the insights and pointing me in the right direction! The commands are indeed visible in the azure-cli logs. There are many az account get-access-token commands and one of these fails with "Errno 2".
Sorry for hijacking this issue. There seems to be a bug in the azure-cli that was most likely introduced in v2.30: https://github.com/Azure/azure-cli/issues/20252 https://github.com/Azure/azure-cli/issues/20273
We'll be switching away from the Azure Active Directory Graph API in version 3.0 of the provider. In the meantime, this capability is available in version 2.94.0 or later of the provider via the use_msal provider property.
With the current implementation, in most cases the provider will likely not make any calls to Microsoft Graph; instead it will attempt to consume the claims from access tokens, and will only call Microsoft Graph as a fallback in the event that more information about the authenticated principal is needed. Either way, no additional API permissions should be required and the net effect from enabling this property should simply be that the provider ceases to call the Azure Active Directory Graph API.
It's worth calling out that the AzureRM Terraform Backend will also use the Azure Active Directory Graph API by default; in Terraform 1.1 this can be switched to using Microsoft Graph by setting use_microsoft_graph = true - but this will change in Terraform 1.2 to be on by default.
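The comment above says the provider, with use_msal enabled, first reads the identity of the authenticated principal from the claims in the access token it already holds and only falls back to a Microsoft Graph lookup when those claims are missing. The following is an added illustration of that pattern, not code from the provider: it decodes the payload of a compact JWT, pulls the standard Azure AD identity claims (oid, tid, appid, upn, idtyp), and reports whether a directory fallback would be needed. The two tokens are constructed, unsigned samples with placeholder GUIDs. No signature check is done because the holder is reading its own freshly issued token to learn who it is, not accepting a token from a third party; a relying party validating inbound tokens must verify the signature first.

```python
import base64
import json

# Claims the provider could use to identify itself without a directory call.
# These are standard Azure AD access-token claim names.
IDENTITY_CLAIMS = ("oid", "tid", "appid", "upn", "idtyp")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def principal_from_token(token: str) -> dict:
    """Return the identity claims found in the token's payload.

    Returns an empty dict when the object ID or tenant ID is absent, which is
    the signal that a directory lookup (Microsoft Graph) is still required.
    The signature is deliberately not verified here: this is the token holder
    inspecting its own token, not a relying party accepting one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = json.loads(b64url_decode(parts[1]))
    claims = {k: payload[k] for k in IDENTITY_CLAIMS if k in payload}
    if "oid" not in claims or "tid" not in claims:
        return {}
    return claims


def needs_graph_fallback(token: str) -> bool:
    """True when the token alone does not identify the principal."""
    return not principal_from_token(token)


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only (alg=none,
    empty signature segment). Real tokens from az-cli are signed by AAD."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "",
    ])


# Constructed sample: a service-principal token carrying full identity claims.
SAMPLE_SP_TOKEN = make_sample_token({
    "aud": "https://management.azure.com/",
    "tid": "00000000-0000-0000-0000-000000000001",  # placeholder tenant ID
    "oid": "11111111-1111-1111-1111-111111111111",  # placeholder object ID
    "appid": "22222222-2222-2222-2222-222222222222",  # placeholder app ID
    "idtyp": "app",
})

# Constructed sample: a token that names the tenant but not the object ID,
# so the caller would have to ask the directory who it is.
SAMPLE_INCOMPLETE_TOKEN = make_sample_token({
    "aud": "https://management.azure.com/",
    "tid": "00000000-0000-0000-0000-000000000001",
    "sub": "opaque-subject-value",
})

if __name__ == "__main__":
    for name, tok in (("sp", SAMPLE_SP_TOKEN), ("incomplete", SAMPLE_INCOMPLETE_TOKEN)):
        print(name, principal_from_token(tok), "fallback:", needs_graph_fallback(tok))
```

The point of the fallback flag is the permissions story in the thread: when the claims are present, identifying the principal costs no API call and therefore no Graph permission grant; only the fallback path touches the directory.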
This functionality has been released in v3.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Description
Support ends for Azure AD Graph APIs 6/30/2022 and new features were discontinued 6/30/2020 (link).
It appears that the TF provider is still using the Azure AD Graph APIs to authenticate SPNs. This can be seen by inspecting traffic and using this article to compare.
When will this be upgraded to the Microsoft Graph APIs?