terraform azuread_application error with identifier urls

[Divya1388]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

terraform version: 0.15.4
azuread : 2.6.0

Affected Resource(s)

azuread_application

Terraform Configuration Files

resource "azuread_application" "app_registration" {
  for_each                = local.auth_apps
  display_name            = each.key
  owners                  = [data.azurerm_client_config.current.object_id]
  identifier_uris         = ["https://${each.key}.azurewebsites.net"]
  prevent_duplicate_names = "true"
  # sign_in_audience = "AzureADandPersonalMicrosoftAccount"
  web {
    homepage_url  = "https://${each.key}.azurewebsites.net"
    redirect_uris = ["https://${each.key}.azurewebsites.net/.auth/login/aad/callback"]
    implicit_grant {
      id_token_issuance_enabled = "true"
    }
  }
  required_resource_access {
    resource_app_id = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
    resource_access {
      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d" # User.Read.All Delegated
      type = "Scope"
    }
  }
  api {
    oauth2_permission_scope {
      admin_consent_description  = "Allow the application to access {each.key} on behalf of the signed-in user."
      admin_consent_display_name = "Access-${each.key}"
      enabled                    = true
      id                         = random_uuid.expose_api.result
      type                       = "User"
      user_consent_description   = "Allow the application to access example on your behalf."
      user_consent_display_name  = "Access-${each.key}"
      value                      = "user_impersonation"
    }
  }
  dynamic "app_role" {
    for_each = each.value.app_roles
    content {
      allowed_member_types = ["User", "Application"]
      description          = "Admins can manage roles and perform all task actions"
      display_name         = app_role.value.app_role_name
      enabled              = true
      id                   = random_uuid.api_roles["${each.key}-${app_role.value.app_role_name}"].result
      value                = app_role.value.claims_role_value
    }
  }
}

Expected Behavior

The application should have been created . And this was working until last week.

Actual Behavior

Error:
ApplicationsClient.BaseClient.Post():
│ unexpected status 400 with OData error:
│ HostNameNotOnVerifiedDomain: Values of
│ identifierUris property must use a verified
│ domain of the organization or its subdomain:
│ 'https://app-06-testtfapp04-cus.azurewebsites.net'

Steps to Reproduce

1.terraform apply

Important Factoids

This was working until last week.

[Divya1388]

Looks like this is the issue:
https://thewindowsupdate.com/2021/10/14/azure-active-directory-breaking-change-impacting-azure-cli-and-azure-powershell/
Azure/azure-powershell#16097

[nerddtvg]

We just got hit with this today. Per the documentation, there is no workaround other than to remove the URI (if possible) or use a valid URI. Not sure there is anything to fix inside the provider.

[adamrushuk]

Thanks for the link to the breaking changes doc @nerddtvg, I just had to change to a supported format and all is working again 👍🏼

[manicminer]

Thanks for reporting this. As mentioned there is unfortunately nothing we can do about this breaking change to the API. As this doesn't yet affect everyone in every scenario, I believe it would cause more frustration if we artificially extended the impact of this by adding additional validation to the provider at this time. We can however look to add this in the near term once the dust settles from this change.

[manicminer]

Whilst this breaking change is unfortunate, it looks like there's nothing for us to do here. Accordingly I'm going to close this issue for now. Thanks again for reporting!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.