
Support accessTokenAcceptedVersion in azuread_application #188

Closed
scivm opened this issue Dec 17, 2019 · 15 comments · Fixed by #474

Comments

@scivm

scivm commented Dec 17, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

New or Affected Resource(s)

  • azuread_application

Potential Terraform Configuration

resource "azuread_application" "test" {
    name = "test"
    accessTokenAcceptedVersion = 2
    ...
}

Possible values for accessTokenAcceptedVersion are 1, 2, or null. If the value is null, this defaults to 1, which corresponds to the v1.0 endpoint.

References

https://docs.microsoft.com/en-gb/azure/active-directory/develop/reference-app-manifest

@scivm
Author

scivm commented Dec 17, 2019

This parameter is not yet exposed in the azure sdk for go. I will go and troll them. Or maybe fix it there first.

@scivm
Author

scivm commented Dec 29, 2019

It is not even exposed in the Azure API

@manicminer
Contributor

It doesn't look like there is currently support for this property in AAD Graph or MS Graph. I found a related issue requesting support here: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/5691

@manicminer
Contributor

Actually it looks like it might be supported with a different property name on MS Graph: https://docs.microsoft.com/en-us/graph/api/resources/apiapplication?view=graph-rest-beta

@frank-mueller-ps

frank-mueller-ps commented Jul 23, 2020

We are currently trying to maintain our API users stored in AAD with Terraform.
It seems that this is a critical feature for this purpose.

If I look at the code, I do not even have an idea how to integrate that feature so I am not able to bring in a sufficient pull request.

But if anyone could pick that up, it would be highly appreciated.

Edit:
It seems also to be available in the non-beta version of graph:
https://docs.microsoft.com/en-us/graph/api/resources/apiapplication?view=graph-rest-1.0&viewFallbackFrom=graph-rest

@manicminer
Contributor

At the moment we don't have a way to utilise MS Graph endpoints, however we are looking at implementing it, and then we'll be able to support this.

@haodeon

haodeon commented Feb 24, 2021

For anyone interested, this is how I managed to get it working in Terraform:

  provisioner "local-exec" {
    command = "az rest --method PATCH --uri \"https://graph.microsoft.com/v1.0/applications/${azuread_application.yourapi.id}\" --body '{\"api\":{\"requestedAccessTokenVersion\":2}}' --headers \"Content-Type=application/json\""
  }

Most of the credit goes to @SimonWahlin. His blog had 90% of the answer.

@drdamour

@manicminer is this something on target for the AD 2.0 provider?

@drdamour

@haodeon link to blog you mentioned?

@manicminer manicminer modified the milestones: Blocked, v2.0.0 May 27, 2021
@SimonWahlin

Probably a bit late, but I guess this is the post he was referring to:
https://blog.simonw.se/azure-functions-and-azure-ad-authentication

@manicminer manicminer linked a pull request Jun 30, 2021 that will close this issue
@GenesisCoast

FYI to get @haodeon's solution working I had to do the following:

resource "null_resource" "access_token_accepted_version" {
  depends_on = [
    azuread_application.main
  ]
  provisioner "local-exec" {
    command = <<EOF
      az rest \
        --method PATCH \
        --headers "Content-Type=application/json" \
        --uri "https://graph.microsoft.com/v1.0/applications/${azuread_application.main.id}" \
        --body '{"api":{"requestedAccessTokenVersion":2}}'
    EOF
  }
}

Otherwise I would get the following error:

Error: Error running command 'az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/<object_id>" --body '{"api":{"requestedAccessTokenVersion":2}}' --headers "Content-Type=application/json"': exit status 1. Output: ERROR: The command failed with an unexpected error. Here is the traceback:
ERROR: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 231, in invoke
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 657, in execute
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 720, in _run_jobs_serially
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 691, in _run_job
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/__init__.py", line 328, in __call__
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/util/custom.py", line 16, in rest_call
  File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/util.py", line 816, in send_raw_request
  File "_collections_abc.py", line 837, in update
ValueError: not enough values to unpack (expected 2, got 1)
To open an issue, please run: 'az feedback'

Hopefully this helps someone.
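The two `az rest` snippets above (haodeon's one-liner and GenesisCoast's heredoc form) both PATCH `api.requestedAccessTokenVersion` on the application object unconditionally on every apply. The following is an added example, not code from this thread or from the provider: it reads a Graph application object, treats a null `requestedAccessTokenVersion` as 1 (as the app manifest reference in the issue states), and only then issues the same PATCH, built as an argv list so no shell quoting is involved. `SAMPLE_APP`, its placeholder GUID, and the helper names are constructed for the example; the runner is injectable so the module runs without `az` installed.

```python
"""Drift check and PATCH builder for an Azure AD application's
api.requestedAccessTokenVersion (the MS Graph name for the manifest's
accessTokenAcceptedVersion). Added example for this issue thread; not
provider code. Names and the sample object below are constructed.
"""
import json
import subprocess
import uuid
from typing import Any, Callable, Dict, List, Optional

GRAPH_APPLICATIONS = "https://graph.microsoft.com/v1.0/applications"

# Constructed sample of a Graph application object; only the fields this
# example reads are populated, and the id is a placeholder GUID.
SAMPLE_APP: Dict[str, Any] = {
    "id": "00000000-0000-0000-0000-000000000001",
    "displayName": "yourapi",
    "api": {"requestedAccessTokenVersion": None},
}


def effective_token_version(app: Dict[str, Any]) -> int:
    """Version the app actually issues tokens for.

    A missing or null requestedAccessTokenVersion means 1 (the v1.0 endpoint),
    as the app manifest reference cited in the issue states, so a drift check
    must not treat null as "unset, nothing to do".
    """
    value = (app.get("api") or {}).get("requestedAccessTokenVersion")
    return 1 if value is None else int(value)


def needs_update(app: Dict[str, Any], desired: int = 2) -> bool:
    """True when the live object does not already issue the desired version."""
    return effective_token_version(app) != desired


def patch_body(desired: int = 2) -> str:
    """JSON body for the PATCH, the same shape the thread's az rest calls send."""
    if desired not in (1, 2):
        raise ValueError("requestedAccessTokenVersion must be 1 or 2")
    return json.dumps({"api": {"requestedAccessTokenVersion": desired}})


def build_az_rest_argv(object_id: str, desired: int = 2) -> List[str]:
    """argv for the az rest PATCH shown in the thread.

    Each flag is its own argv element, so none of the shell quoting that the
    inline command = "..." form needs is involved. The object id is validated
    as a GUID before it is spliced into the URI, so a bad Terraform reference
    cannot change which Graph resource gets patched.
    """
    object_id = str(uuid.UUID(object_id))  # raises ValueError if not a GUID
    return [
        "az", "rest",
        "--method", "PATCH",
        "--uri", f"{GRAPH_APPLICATIONS}/{object_id}",
        "--headers", "Content-Type=application/json",
        "--body", patch_body(desired),
    ]


def reconcile(app: Dict[str, Any], desired: int = 2,
              run: Callable[..., Any] = subprocess.run) -> Optional[List[str]]:
    """Patch only when the live object has drifted; return the argv run, or None.

    The az session doing this needs Application.ReadWrite.All on Microsoft
    Graph, as noted later in the thread. `run` is injectable (default
    subprocess.run) so the logic can be exercised without az installed.
    """
    if not needs_update(app, desired):
        return None
    argv = build_az_rest_argv(app["id"], desired)
    run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Dry run against the constructed sample: show the command, do not execute it.
    reconcile(SAMPLE_APP, run=lambda cmd, check: print("would run:", cmd))
```

In a real pipeline the `app` dict would come from `az rest --method GET` on the same URI (or `az ad app show`); the point of the check is that a null value is not "already fine", it is v1, which is exactly the case the issue asks the provider to handle.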

@blaineross

blaineross commented Aug 16, 2021

Hey there @GenesisCoast, I think this is what I need, but whenever I try and run this I get an error saying I need to perform an az login. I modified your example to do an az login call beforehand (see below) but now get an error saying there are insufficient privileges to run the command. Could you share the permissions your service principal has that allows this to run? Cheers

resource "null_resource" "access_token_accepted_version" {
  depends_on = [
    azuread_application.appname
  ]
  provisioner "local-exec" {
    command = <<EOF
      az login --service-principal --username ${var.az_client_id} --password ${var.az_client_secret} --tenant ${var.az_tenant_id}
      az rest \
        --method PATCH \
        --headers "Content-Type=application/json" \
        --uri "https://graph.microsoft.com/v1.0/applications/${azuread_application.appname.id}" \
        --body '{"api":{"requestedAccessTokenVersion":2}}'
    EOF
  }
}

Update: For anyone that has the same permission-related issues as me, make sure that your app registration has "Application.ReadWrite.All" added for Microsoft Graph. I previously only had this added under the deprecated Azure Active Directory Graph API, as it is also needed there by Terraform.

@kevinharing

You could also use:

az ad app update --id ${azuread_application.appname.id} --set requestedAccessTokenVersion=2

@github-actions

This functionality has been released in v2.0.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 26, 2021