microsoft / terraform-provider-azuredevops

Terraform Azure DevOps provider
https://www.terraform.io/docs/providers/azuredevops/
MIT License

Unable to create user entitlement for service principal using full-access PAT of org owner #1071

Open tdg5 opened 2 weeks ago

tdg5 commented 2 weeks ago

Terraform (and Azure DevOps Provider) Version

$ terraform -v
Terraform v1.8.3
on darwin_arm64
+ provider registry.terraform.io/hashicorp/azuread v2.50.0
+ provider registry.terraform.io/hashicorp/azurerm v3.105.0
+ provider registry.terraform.io/microsoft/azuredevops v1.1.1

Affected Resource(s)

Terraform Configuration Files

# providers.tf
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.50.0"
    }

    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "1.1.1"
    }
  }
  required_version = "~> 1.8"
}

provider "azuread" {
  tenant_id = "TENANT_ID"
}

provider "azuredevops" {
  org_service_url = "https://dev.azure.com/MY_URL"
  tenant_id       = "TENANT_ID"
}

# main.tf
data "azuread_service_principal" "this" {
  display_name = "SERVICE_PRINCIPAL"
}

resource "azuredevops_user_entitlement" "this" {
  account_license_type = "basic"
  origin               = "aad"
  origin_id            = data.azuread_service_principal.this.object_id
}

Debug Output

https://gist.github.com/tdg5/30e58f99ab019e04b577755c4e8d3578

Panic Output

Expected Behavior

I should be able to add a user entitlement to a service principal using a full-access PAT belonging to the ADO organization owner.

Actual Behavior

Server side failure :(

Creating user entitlement: Adding user entitlement: (5000) The Id, OriginId, or User.PrincipalName must be set. The Principal Name is usually an email address.

I can add the service principal through the UI and then import the resource, for what it's worth, so it doesn't seem like it's a credential issue.

Steps to Reproduce

  1. Create a new ADO org, or use an existing one.
  2. Authenticate as org owner.
  3. Create a PAT that is granted full access.
  4. Make the PAT available to Terraform.
  5. terraform apply
  6. Weep

Important Factoids

This is a vanilla US Azure tenant. I've tried this with several ADO orgs and with several service principals; the result is the same.

References

I think @fredgate may have also hit this error and thought it was something else: https://github.com/microsoft/terraform-provider-azuredevops/issues/444#issuecomment-2153117611