Error: ODataId was nil when creating an azuread_group resource #588

Closed
bher2000 opened this issue Sep 22, 2021 · 107 comments · Fixed by #616

Comments

@bher2000

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

$ terraform -v
Terraform v1.0.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.2.1
+ provider registry.terraform.io/hashicorp/azurerm v2.77.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

Affected Resource(s)

  • azuread_group

Terraform Configuration Files

provider "azurerm" {
  features {}
}

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners               = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

Debug Output

azuread_group.example: Creating...

│ Error: Could not retrieve owner principal object "00000000-0000-0000-0000-000000000000"
│ 
│   with azuread_group.example,
│   on main.tf line 41, in resource "azuread_group" "example":
│   41: resource "azuread_group" "example" {
│ 
│ ODataId was nil

Expected Behavior

The group should have been successfully created

Actual Behavior

An error occurred mentioning ODataId was nil

Steps to Reproduce

export ARM_CLIENT_ID="..."
export ARM_CLIENT_SECRET="..."
export ARM_SUBSCRIPTION_ID="..."
export ARM_TENANT_ID="..."
export ARM_ENVIRONMENT=usgovernment

terraform apply

Important Factoids

We are attempting to create groups in our Azure Active Directory hosted in Azure US Government.

@manicminer
Contributor

Hi @bher2000, thanks for raising this! Could you post a debug trace that shows the API requests and responses during the failed apply? The access token will be auto redacted but you may wish to redact the tenant ID too. This will really help in diagnosing the source of the error.

For context, when assigning group owners (or owners for other resources), we look up the principal using the directoryObjects API in order to get the OData ID (which is different to the object ID) - this is the key that's needed to assign ownership at create time. The error shown is thrown if the response for that request doesn't contain such an ID.

@bher2000
Author

Good morning @manicminer,
Sure, the API requests from the TRACE log are below; let me know if you need any more info from the log. Also, thanks for the background on what the OData ID is, I was having some issues trying to figure out exactly what that value was.

I've tried using a service principal with a client ID and secret (this is what I used for this run to get the TRACE logs) to authenticate and also just running az login to use my own user account, both result in this same error message.

$ TF_LOG=TRACE ARM_ENVIRONMENT=usgovernmentl4 terraform apply
...
2021-09-23T09:21:28.187-0400 [INFO]  provider.terraform-provider-azuread_v2.2.1_x5: 2021/09/23 09:21:28 [DEBUG] Begin AzureAD Request: ==========================================
GET /v1.0/[REDACTED]/directoryObjects/[REDACTED] HTTP/1.1
Host: graph.microsoft.us
User-Agent: HashiCorp Terraform/1.0.7 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.2.1 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip


========================================= End AzureAD Request: timestamp=2021-09-23T09:21:28.186-0400
2021-09-23T09:21:28.508-0400 [INFO]  provider.terraform-provider-azuread_v2.2.1_x5: 2021/09/23 09:21:28 [DEBUG] Begin AzureAD Response for GET https://graph.microsoft.us/v1.0/[REDACTED]/directoryObjects/[REDACTED]: ==========================================
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: 4dd395b2-8072-4190-8027-85bc6329bddd
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Thu, 23 Sep 2021 13:21:27 GMT
Odata-Version: 4.0
Request-Id: 4dd395b2-8072-4190-8027-85bc6329bddd
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"USGov Arizona","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"PH1NEPF00001421"}}

556
{"@odata.context":"https://graph.microsoft.us/v1.0/$metadata#directoryObjects/$entity","@odata.type":"#microsoft.graph.servicePrincipal","id":"[REDACTED]","deletedDateTime":null,"accountEnabled":true,"alternativeNames":[],"appDisplayName":"[REDACTED]","appDescription":null,"appId":"[REDACTED]","applicationTemplateId":null,"appOwnerOrganizationId":"[REDACTED]","appRoleAssignmentRequired":false,"createdDateTime":"2020-12-04T14:48:53Z","description":null,"disabledByMicrosoftStatus":null,"displayName":"[REDACTED]","homepage":null,"loginUrl":null,"logoutUrl":null,"notes":null,"notificationEmailAddresses":[],"preferredSingleSignOnMode":null,"preferredTokenSigningKeyThumbprint":null,"replyUrls":[],"resourceSpecificApplicationPermissions":[],"samlSingleSignOnSettings":null,"servicePrincipalNames":["[REDACTED]"],"servicePrincipalType":"Application","signInAudience":"AzureADMyOrg","tags":["WindowsAzureActiveDirectoryIntegratedApp"],"tokenEncryptionKeyId":null,"verifiedPublisher":{"displayName":null,"verifiedPublisherId":null,"addedDateTime":null},"addIns":[],"appRoles":[],"info":{"logoUrl":null,"marketingUrl":null,"privacyStatementUrl":null,"supportUrl":null,"termsOfServiceUrl":null},"keyCredentials":[],"oauth2PermissionScopes":[],"passwordCredentials":[]}
0


========================================== End AzureAD Response: timestamp=2021-09-23T09:21:28.507-0400
...

@manicminer
Contributor

@bher2000 That's great, thanks. That unfortunately confirms that the API is missing the @odata.id field from the response. The provider relies on this field to specify owners, for example as in this docs example.

I would recommend raising this as an Azure support issue. I've raised this upstream at microsoftgraph/msgraph-metadata#94 - if you have any additional information it would be great if you could post it there.

Since this is an API issue, I'm marking this as blocked for now. Unfortunately there is no workaround right now; due to recent API changes we are forced to always specify an owner when creating a group, even when none are specified in a configuration, and as mentioned we rely on this field for that.

@manicminer manicminer added this to the Blocked milestone Sep 24, 2021
@manicminer manicminer added the env/usgovernment Issue affects this environment label Sep 24, 2021
@bher2000
Author

@manicminer,
Thanks for the update and details on this issue! While it's unfortunate we cannot use this module for now, it's honestly not super surprising that Azure Government Cloud is causing the issue :). I will put in a ticket with Azure support on our side about this issue and link this thread.

Thanks again for the quick response!

@helayoty

I'm facing the same issue

I got the following error:

json.Marshal(): json: error calling MarshalJSON for type msgraph.Application:
json: error calling MarshalJSON for type *msgraph.Owners: marshaling Owners:
encountered DirectoryObject with nil ODataId

Here are the provider versions:

terraform {
  required_version = ">=0.14.0"
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = "3.0.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.58.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.4.0"
    }
  }
}

@manicminer
Contributor

@helayoty Thanks for the report, are you also running in Azure Government? L4?

@helayoty

> @helayoty Thanks for the report, are you also running in Azure Government? L4?

No, Azure.

@manicminer
Contributor

@helayoty Interesting, could you isolate this with a test configuration and post a debug trace? It seems the API response is not what we're expecting but it would be good to see what's actually being returned. Thanks!

@mlcooper

mlcooper commented Oct 1, 2021

@manicminer I too am facing this same issue; here is my info. I am using Azure, not Azure Government.

Error:

 Error: Could not retrieve owner principal object "3dbbf06f-4bd1-42ea-8788-[REDACTED]"
│
│   with azuread_group.ops_key_vault,
│   on main.tf line 17, in resource "azuread_group" "ops_key_vault":
│   17: resource "azuread_group" "ops_key_vault" {
│
│ ODataId was nil

Version info:

Terraform v1.0.8
on linux_amd64
+ provider registry.terraform.io/hashicorp/azuread v2.5.0
+ provider registry.terraform.io/hashicorp/azurerm v2.78.0

Debug output:

2021-09-30T20:47:44.848-0400 [INFO]  provider.terraform-provider-azuread_v2.5.0_x5: 2021/09/30 20:47:44 [DEBUG] Begin AzureAD Request: ==========================================
GET /v1.0//directoryObjects/3dbbf06f-4bd1-42ea-8788-[REDACTED] HTTP/1.1
Host: graph.microsoft.com
User-Agent: HashiCorp Terraform/1.0.8 (+https://www.terraform.io) Terraform Plugin SDK/2.7.0 terraform-provider-azuread/2.5.0 Hamilton (Go-http-client/1.1) pid-222c6c49-1b0a-5959-a213-6608f9eb8820
Accept: application/json
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip


========================================= End AzureAD Request: timestamp=2021-09-30T20:47:44.848-0400
2021-09-30T20:47:45.199-0400 [INFO]  provider.terraform-provider-azuread_v2.5.0_x5: 2021/09/30 20:47:45 [DEBUG] Begin AzureAD Response for GET https://graph.microsoft.com/v1.0//directoryObjects/3dbbf06f-4bd1-42ea-8788-[REDACTED]: ==========================================
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: 274beadf-b74a-415e-91ef-1cb8e5e1b1fd
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Fri, 01 Oct 2021 00:47:44 GMT
Odata-Version: 4.0
Request-Id: 274beadf-b74a-415e-91ef-1cb8e5e1b1fd
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"South Central US","Slice":"E","Ring":"3","ScaleUnit":"002","RoleInstance":"SN1PEPF0000648C"}}
X-Ms-Resource-Unit: 1

19c
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity","@odata.type":"#microsoft.graph.user","id":"3dbbf06f-4bd1-42ea-8788-[REDACTED]","businessPhones":[],"displayName":"Joe Smith","givenName":"Joe","jobTitle":null,"mail":null,"mobilePhone":null,"officeLocation":null,"preferredLanguage":null,"surname":"Smith","userPrincipalName":"joe.smith@[REDACTED].onmicrosoft.com"}
0


========================================== End AzureAD Response: timestamp=2021-09-30T20:47:45.199-0400

I have opened a support case directly with Azure.

@DmytryEmery

DmytryEmery commented Oct 1, 2021

As of today, I'm also experiencing a similar error with AzureCloud (not government),

but it's even with azuread_application creation.

I suspect this is the same issue, it looks like a response that doesn't contain what azuread provider is expecting.

I can create a separate issue, but I suspect this is the same root cause.

Error:

│ Error: Could not create application
│
│   with azuread_application.app_registration,
│   on active-directory.tf line 15, in resource "azuread_application" "app_registration":
│   15: resource "azuread_application" "app_registration" {
│
│ json.Marshal(): json: error calling MarshalJSON for type msgraph.Application: json: error calling MarshalJSON for type
│ *msgraph.Owners: marshaling Owners: encountered DirectoryObject with nil ODataId

Providers:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.77.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.5.0"
    }
  }

Debug output:

========================================= End AzureAD Request: timestamp=2021-10-01T13:00:10.846-0700
2021-10-01T13:00:12.071-0700 [INFO]  provider.terraform-provider-azuread_v2.5.0_x5.exe: 2021/10/01 13:00:12 [DEBUG] Begin AzureAD Response for GET https://graph.microsoft.com/v1.0/[REDACTED]/directoryObjects/[REDACTED]: ==========================================
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Cache-Control: no-cache
Client-Request-Id: [REDACTED]
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
Date: Fri, 01 Oct 2021 20:00:11 GMT
Odata-Version: 4.0
Request-Id: [REDACTED]
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"1","ScaleUnit":"000","RoleInstance":"[REDACTED]"}}
X-Ms-Resource-Unit: 1

1db
{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity","@odata.type":"#microsoft.graph.user","id":"[REDACTED]","businessPhones":["[REDACTED]"],"displayName":"Dmytry Emery","givenName":"Dmytry","jobTitle":"[REDACTED]","mail":"[REDACTED]","mobilePhone":null,"officeLocation":[REDACTED]","preferredLanguage":null,"surname":"Emery","userPrincipalName":"[REDACTED]"}
0
========================================== End AzureAD Response: timestamp=2021-10-01T13:00:12.071-0700

@Bj3MaS

Bj3MaS commented Oct 2, 2021

Is there a workaround for this? I didn't have this problem yesterday, I only experienced it today.

@manicminer
Contributor

Unfortunately there is no workaround at present. We are raising this API regression with the relevant service team.

@stazz

stazz commented Oct 3, 2021

Hey!

Looking at the debug output, I've noticed the following header in Graph API responses:

Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8

I then tried the following curl request, using the URL that is used by the TF provider in my case:

curl -v \
  -H 'Authorization: Bearer ey...' \
  -H 'Accept: application/json;odata.metadata=full;charset=utf-8' \
  'https://graph.microsoft.com/v1.0/<tenant ID>/directoryObjects/<app ID>'

Notice the odata.metadata=full in Accept header. As a result, I got the response with @odata.id attribute:

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity","@odata.type":"#microsoft.graph.application","@odata.id":"directoryObjects('<app ID>')","@odata.editLink":... }

Perhaps Microsoft has recently changed the definition of what "minimal" OData is, and this is why the ID is no longer returned by default?

With the TypeScript library, including the "Accept" header can be achieved like this:

import * as graph from "@microsoft/microsoft-graph-client";

const client: graph.Client = ...;
const directoryObject = await client
  .api("<tenant ID>/directoryObjects/<app ID>")
  .header("Accept", "application/json;odata.metadata=full;charset=utf-8")
  .get();

@manicminer Perhaps a similar approach could be used with the Go library for Microsoft Graph? Looking at the ticket
you submitted ( microsoftgraph/msgraph-metadata#94 ), it's been quiet for 9 days and I suspect there might as well be a "working as intended" kind of response incoming from MS.

Perhaps meanwhile implement the full metadata fetching in the client, since this is quite a big blocker (can't really use the provider at all when operating in a tenant affected by the MS change)? I also think that explicitly specifying full metadata is a more future-proof solution in general.

Edit: I notice that there may be no official MSGraph client for Go (?). Looks like "Hamilton" library is used to query MSGraph. I think it boils down to allowing customization for this line: https://github.com/manicminer/hamilton/blob/80ee8faed5254353670568f803f5828e5467a6f4/msgraph/client.go#L143
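
The lookup and owner binding discussed in this thread, as an added example in Go (not the provider's or Hamilton's own code): a constructed fake Graph endpoint returns @odata.id only when the Accept header asks for odata.metadata=full, fetchDirectoryObject fails with the thread's "ODataId was nil" otherwise, and ownerBindURL resolves the relative @odata.id against the environment's Graph endpoint (graph.microsoft.us for US Government). The object ID, the response bodies and the requirement that the bind value be an absolute URL are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DirectoryObject: ODataId is a pointer so an absent @odata.id decodes to nil.
type DirectoryObject struct {
	ODataId *string `json:"@odata.id"`
	ID      string  `json:"id"`
}

// ErrNilODataId mirrors the provider's failure mode from the thread.
var ErrNilODataId = errors.New("ODataId was nil")

// Constructed object ID and its minimal (as in the traces above) and full bodies.
const (
	objectID    = "11111111-2222-3333-4444-555555555555"
	minimalBody = `{"@odata.type":"#microsoft.graph.servicePrincipal","id":"` + objectID + `"}`
	fullBody    = `{"@odata.type":"#microsoft.graph.servicePrincipal","@odata.id":"directoryObjects('` + objectID + `')","id":"` + objectID + `"}`
)

// newFakeGraph is a constructed stand-in for Microsoft Graph that only emits
// @odata.id when the Accept header asks for odata.metadata=full.
func newFakeGraph() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.Header.Get("Accept"), "odata.metadata=full") {
			io.WriteString(w, fullBody)
			return
		}
		io.WriteString(w, minimalBody)
	}))
}

// fetchDirectoryObject is the lookup the provider makes before creating a group;
// metadata ("minimal" or "full") is sent in the Accept header.
func fetchDirectoryObject(client *http.Client, endpoint, tenantID, id, metadata string) (*DirectoryObject, error) {
	reqURL := fmt.Sprintf("%s/v1.0/%s/directoryObjects/%s", strings.TrimSuffix(endpoint, "/"), tenantID, id)
	req, err := http.NewRequest(http.MethodGet, reqURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Accept", "application/json;odata.metadata="+metadata+";charset=utf-8")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	var obj DirectoryObject
	if err := json.NewDecoder(resp.Body).Decode(&obj); err != nil {
		return nil, err
	}
	if obj.ODataId == nil { // the condition behind "ODataId was nil"
		return nil, fmt.Errorf("could not retrieve owner principal object %q: %w", id, ErrNilODataId)
	}
	return &obj, nil
}

// ownerBindURL resolves the relative @odata.id (directoryObjects('…')) against the
// Graph endpoint in use (https://graph.microsoft.us for US Gov); assumes an absolute URL is required.
func ownerBindURL(endpoint string, obj *DirectoryObject) (string, error) {
	if obj == nil || obj.ODataId == nil {
		return "", ErrNilODataId
	}
	return strings.TrimSuffix(endpoint, "/") + "/v1.0/" + *obj.ODataId, nil
}

func main() {
	srv := newFakeGraph()
	defer srv.Close()
	for _, md := range []string{"minimal", "full"} {
		obj, err := fetchDirectoryObject(srv.Client(), srv.URL, "tenant-id", objectID, md)
		bind, bindErr := ownerBindURL(srv.URL, obj)
		fmt.Printf("%s: err=%v bind=%q bindErr=%v\n", md, err, bind, bindErr)
	}
}
```

Running it shows the "minimal" request failing exactly as the provider did and the "full" request yielding a usable owners@odata.bind value.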

@mlcooper

mlcooper commented Oct 3, 2021

I did some research and in the odata standard there are some standard request parameters that can be used, including odata.metadata=minimal and odata.metadata=full. So I agree with @stazz, I think that line in the Hamilton library simply always needs to use odata.metadata=full. You can see the odata standard here.

@manicminer
Contributor

manicminer commented Oct 4, 2021

@stazz @mlcooper Many thanks for digging into this.

(cc @bher2000, @helayoty, @DmytryEmery, @Bj3MaS) I'm working on an implementation to support OData-related HTTP headers and have pushed a test build to manicminer/terraform-provider-azuread. This is another class of issue that is not affecting any of our testing tenants, so if anyone affected by this issue is able to test and give feedback it would be highly appreciated!

You can give this a spin by modifying your terraform block:

terraform {
  required_providers {
    azuread = {
      source = "manicminer/azuread"
      version = "12.0.1"
    }
  }
}

This is not a reviewed release and is cut from a development branch. Please do not use this in a production tenant. I'll be deleting the release artifacts in time so it will only work until then.

Thanks!

@mlcooper

mlcooper commented Oct 4, 2021

Hi @manicminer thank you for working on this and pushing a build to test. I am ready to test it out, however it does not appear the 12.0.0 version has been published on the TF Registry yet. I will keep an eye out for it and test as soon as it's there:

https://registry.terraform.io/providers/manicminer/azuread/latest

@manicminer
Contributor

manicminer commented Oct 4, 2021

Thanks, and sorry, I was a bit hasty, forgetting that Registry publishing sometimes takes a while to fully sync!

Edit: Looks like it's there now :)

@mickeder

mickeder commented Oct 4, 2021

@manicminer I've just tested your solution, and unfortunately it doesn't work.
Earlier I stumbled upon this issue:

azuread_application.grafana: Creating...
│ Error: Could not create application
│ 
│   with azuread_application.grafana,
│   on azuread.tf line 7, in resource "azuread_application" "grafana":
│    7: resource "azuread_application" "grafana" {
│ 
│ json.Marshal(): json: error calling MarshalJSON for type
│ msgraph.Application: json: error calling MarshalJSON for type
│ *msgraph.Owners: marshaling Owners: encountered DirectoryObject with nil
│ ODataId

Now with a custom version 12.0.0 there is another problem:

azuread_application.grafana: Creating...
│ Error: Could not create application
│ 
│   with azuread_application.grafana,
│   on azuread.tf line 7, in resource "azuread_application" "grafana":
│    7: resource "azuread_application" "grafana" {
│ 
│ ApplicationsClient.BaseClient.Post(): unexpected status 400 with OData
│ error: BadRequest: Invalid URL format specified in @odata.bind for owners

@manicminer
Contributor

Thanks @mickeder, I'll take a look and try to resolve that

@manicminer
Contributor

@mickeder Would you be able to post a debug trace? It would be great if you could limit it to a small configuration containing only the resource that's failing. If you could try and create a test application so that you don't have to redact the UUIDs, that would be even better. Thanks!

@haflidif

haflidif commented Oct 6, 2021

When it is available tomorrow, will it be accessible with version 2.5.1?

azuread = {
  source  = "hashicorp/azuread"
  version = "2.5.1"
}

Will probably be available in Version = "2.6.0"

@anarsen

anarsen commented Oct 6, 2021

@everyone screaming for a timeframe: Do you require the features in >= 2.0.0 of the provider? If not, just reference 1.6.0 and be happy until the fix is out.

@callppatel

> @everyone screaming for a timeframe: Do you require the features in >= 2.0.0 of the provider? If not, just reference 1.6.0 and be happy until the fix is out.

You can't downgrade once you've upgraded and stored it in Terraform state. Terraform doesn't like downgrading to a lower version.

@stazz

stazz commented Oct 6, 2021

@callppatel @anarsen Good points, both of you. I do think, though, that demanding timeframes for fixes in OSS software that people are using without paying anything at all is a bit over-the-top.

@andrewCluey

> @callppatel @anarsen Good points, both of you. I do think, though, that demanding timeframes for fixes in OSS software that people are using without paying anything at all is a bit over-the-top.

Dead right.

@khanali21

@anarsen Are you suggesting that using the:

azuread = {
  source  = "hashicorp/azuread"
  version = "1.6.0"
}

should solve the problem, if I am using the resource for the first time?

@khanali21

"that demanding timeframes for fixes in OSS software, is a bit over-the-top"
I am not sure I can agree with that. OSS software is no different than any proprietary software in terms of support and being agile, IMHO. The only difference is that it is supported by a community, not by a company or a person.
And I don't think people collaborating on OSS actually "demand" anything, "timeframe or fix"; they simply "request" it of their fellow OSS developers. And the success of the OSS movement depends on such collaboration.

That's my 2 cents.

@flanksaul

azuread:index:ServicePrincipal (nameofSp): error: 1 error occurred: * Could not create service principal: json.Marshal(): json: error calling MarshalJSON for type *msgraph.Owners: marshaling Owners: encountered DirectoryObject with nil ODataId

Just reporting that this is now occurring on SP creation as well (using pulumi).

@github-actions

github-actions bot commented Oct 7, 2021

This functionality has been released in v2.6.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@manicminer
Contributor

manicminer commented Oct 7, 2021

As per the above notice, please upgrade to version 2.6.0 of the AzureAD provider which implements a fix for this issue.

At first this issue seemed to affect a small number of tenants but the radius grew over the last few days to affect a large number of tenants. Thank you to all who commented, debugged and otherwise contributed to identifying and resolving this issue, and for all the discussion points - your involvement is greatly appreciated!

For anyone who effectively downgraded their provider to a v1.x release to sidestep this API issue, a gentle reminder to remember the upgrade guide when you update your configurations to work with v2.6.0.

Edit: If Terraform is not yet picking up the new version for you, please allow several minutes as the TF Registry updates

@binte

binte commented Oct 7, 2021

I am still having the exact same issue I was having yesterday, and I am using the latest version. I guess I still need to wait as you mentioned?

@manicminer
Contributor

@binte Please open a new issue with more details if you are experiencing similar or new issues, thanks!

@brnwn4

brnwn4 commented Oct 7, 2021

Confirmed fixed. Big thanks to @manicminer

@Maximo1990

Hi all guys.

Could somebody help me to know why I'm receiving this error in my TF module?

│ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.

I am using an Access Key and Secret in my config with a Service Principal, and I have configured Microsoft Graph > User.ReadWrite.All.

Thank you in advance

@brnwn4

brnwn4 commented Oct 7, 2021

> Hi all guys.
>
> Could somebody help me to know why I'm receiving this error in my TF module?
>
> │ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData │ error: Authorization_RequestDenied: Insufficient privileges to complete the │ operation.
>
> I am using an Access Key and Secret in my config with a Service Principal, and I have configured Microsoft Graph > User.ReadWrite.All.
>
> Thank you in advance

@Maximo1990 - You will need to have one of the following roles: application roles: Application.ReadWrite.All or Directory.ReadWrite.All

More info listed here: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application

Cheers!

@Maximo1990

> > Hi all guys.
> > Could somebody help me to know why I'm receiving this error in my TF module?
> > │ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData │ error: Authorization_RequestDenied: Insufficient privileges to complete the │ operation.
> > I am using an Access Key and Secret in my config with a Service Principal, and I have configured Microsoft Graph > User.ReadWrite.All.
> > Thank you in advance
>
> @Maximo1990 - You will need to have one of the following roles: application roles: Application.ReadWrite.All or Directory.ReadWrite.All
>
> More info listed here: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
>
> Cheers!

@brnwn4 thanks for your help, let me try with these roles.

@brnwn4

brnwn4 commented Oct 7, 2021

> > > Hi all guys.
> > > Could somebody help me to know why I'm receiving this error in my TF module?
> > > │ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData │ error: Authorization_RequestDenied: Insufficient privileges to complete the │ operation.
> > > I am using an Access Key and Secret in my config with a Service Principal, and I have configured Microsoft Graph > User.ReadWrite.All.
> > > Thank you in advance
> >
> > @Maximo1990 - You will need to have one of the following roles: application roles: Application.ReadWrite.All or Directory.ReadWrite.All
> > More info listed here: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
> > Cheers!
>
> @brnwn4 thanks for your help, let me try with these roles.

@Maximo1990 - No problem. Should work out; I initially hit the same error on my initial deploy with a SP.

@grantorchard

Thanks for the quick action on resolving this folks, much appreciated!

@Maximo1990

> > > > Hi all guys.
> > > > Could somebody help me to know why I'm receiving this error in my TF module?
> > > > │ ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData │ error: Authorization_RequestDenied: Insufficient privileges to complete the │ operation.
> > > > I am using an Access Key and Secret in my config with a Service Principal, and I have configured Microsoft Graph > User.ReadWrite.All.
> > > > Thank you in advance
> > >
> > > @Maximo1990 - You will need to have one of the following roles: application roles: Application.ReadWrite.All or Directory.ReadWrite.All
> > > More info listed here: https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
> > > Cheers!
> >
> > @brnwn4 thanks for your help, let me try with these roles.
>
> @Maximo1990 - No problem. Should work out; I initially hit the same error on my initial deploy with a SP.

@brnwn4 the issue still continues.

@mristok

mristok commented Oct 7, 2021

Thanks for resolving this so quickly! I am back up and running.

@manicminer
Contributor

manicminer commented Oct 7, 2021

@Maximo1990 Thanks for reaching out. As this is our issue tracker, used mainly for bug reports and feature requests, I would suggest following our Authentication Guide to get set up to use the provider. After this, if you are still experiencing problems I recommend our Discuss forum or our Slack group (details in the project readme) where the community or maintainers will be happy to assist with your configuration. Thanks!
