From af740a7a5e3360aba46a1e754902d2b510f6bc0f Mon Sep 17 00:00:00 2001
From: Tom Bamford
Date: Mon, 7 Mar 2022 21:19:32 +0000
Subject: [PATCH] azuread_application: Scope/Role validation for magic string "User"

Fixes: #721
---
 internal/services/applications/validate/tokens.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/internal/services/applications/validate/tokens.go b/internal/services/applications/validate/tokens.go
index 0dfad9741a..1c66712a0c 100644
--- a/internal/services/applications/validate/tokens.go
+++ b/internal/services/applications/validate/tokens.go
@@ -1,7 +1,9 @@
 package validate

 import (
+ "fmt"
 "regexp"
+ "strings"

 "github.com/hashicorp/go-cty/cty"
 "github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -44,5 +46,14 @@ func RoleScopeClaimValue(i interface{}, path cty.Path) (ret diag.Diagnostics) {
 })
 }

+ // See https://github.com/hashicorp/terraform-provider-azuread/issues/721
+ if strings.EqualFold(v, "User") {
+ ret = append(ret, diag.Diagnostic{
+ Severity: diag.Error,
+ Summary: fmt.Sprintf("Value cannot have the string value %q", "User"),
+ AttributePath: path,
+ })
+ }
+
 return // nolint:nakedret
 }
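Review bot: The added check in RoleScopeClaimValue matches case-insensitively through `strings.EqualFold`, but the diagnostic names only the literal `"User"`, so a configuration containing `user` or `USER` is rejected with a message that does not quote what was written. Consider reporting the offending value and the rule, e.g. `Summary: fmt.Sprintf("Value %q is reserved and cannot be used (compared case-insensitively with %q)", v, "User"),`, and adding a `Detail` that says why the value is refused, since the only explanation today is the issue link in a code comment. As written, `fmt.Sprintf` formats a constant, so a plain string literal would do and the `"fmt"` import added in the first hunk would not be needed. The start of the function, including where `v` is assigned, lies outside the hunk, so this assumes `v` is the string being validated.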