Removal of "azuread_application_pre_authorized" also removes pre-existing pre-authorized clients not managed by Terraform

[l33tCod-er]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

• provider version 2.53.1

Affected Resource(s)

• azuread_application_pre_authorized

Terraform Configuration Files

# This null_resource adds clients for which there is no app registration. Thus, we can't use "azuread_application_pre_authorized" for them, anyway, the need to be allowed to access call a certain scope on the "target_app"
resource "null_resource" "patched_app_reg" {
  triggers = {
    scope_1 = lookup(<target_app>, "scope1", <tenant>)
    scope_2 = lookup(<target_app>, "scope2", <tenant>)
  }

  provisioner "local-exec" {
    interpreter = ["pwsh", "-Command"]
    command     = <<EOF
        az rest --method Patch --uri "https://graph.microsoft.com/v1.0/applications/<target_app>" --headers 'Content-Type=application/json' --body '{"api": {"preAuthorizedApplications": [{"appId": <some_guid_1>, "delegatedPermissionIds": [<all_scope_id_lookup>, "scope1", <tenant>)}"]},{"appId": <some_guid_2>, "delegatedPermissionIds": [<all_scope_id_lookup>, "scope1", <tenant>)}"]},{"appId": <some_guid_3>, "delegatedPermissionIds": [<all_scope_id_lookup>, "scope1", <tenant>)}"]}]}}'
EOF

    environment = {
      POWERSHELL_TELEMETRY_OPTOUT = 1
    }
  }
}

resource "azuread_application_pre_authorized" "new_app_reg" {
  application_object_id = <target_app>
  authorized_client_id  = <some_guid_with_app_reg>
  permission_ids        = [<scope_lookup>, "scope1", <tenant>)]
}

Expected Behavior

Both the "null_resource" and the "azuread_application_pre_authorized" add pre_authorized clients to the "target_app". When the "azuread_application_pre_authorized.new_app_reg" is deleted, the "null_resource" added ones are not touched.

Actual Behavior

When "azuread_application_pre_authorized.new_app_reg" is removed, all four pre_authorized clients are deleted, not only the single managed one through it, but also the azure cli patched ones.

Steps to Reproduce

1. TF apply the above (with real values I cannot state)
2. Remove azuread_application_pre_authorized.new_app_reg
3. TF apply
4. All pre_authorized clients are gone

Important Factoids

As stated in the comment above, we have to use the null_resource for three / multiple clients as there is no app registration available for them. We must use azure cli to pre_authorize them has we can't grant the permission needed through "app registration -> api permission" and consent to it.

[l33tCod-er]

Same seems to be true with "azuread_application_pre_authorized" only: added three, deleted one - and in the end, only a single one was preserved

[manicminer]

@l33tCod-er Does the out-of-bound pre-authorized app entry have the same client ID as the TF managed one? During removal, pre-authorized apps in the manifest are matched against the client ID and are only removed when it matches.