azuread_application owners section -> ApplicationsClient.BaseClient.Post(): unexpected status 404 with OData #1024

Open
michalklusakc4 opened this issue Feb 20, 2023 · 4 comments

@michalklusakc4

michalklusakc4 commented Feb 20, 2023

I'm trying to create an application along with its service principal.

I've been using azuread_application, which works fine, but when I add the owners section it fails:

provider "azuread" {
  alias         = "adb2cprovider"
  tenant_id     = var.tenant_id
  client_id     = var.client_id
  client_secret = var.client_secret
}

data "azuread_client_config" "current" {}


resource "azuread_application" "installer_api" {
  provider         = azuread.adb2cprovider
  display_name     = "myapp"
  sign_in_audience = "AzureADandPersonalMicrosoftAccount"
  owners           = [data.azuread_client_config.current.object_id]

 ...
}

I have multiple providers registered, using adb2cprovider due to a multi-directory scenario (Azure AD B2C).

Everything works fine until I start using owners = [data.azuread_client_config.current.object_id], which causes the following error:

Error: Could not add owners to application with object ID: "1817e8e2-c05d-4d0f-a465-23a4fc71e91e"

  with module.adb2c.azuread_application.installer_api,
  on modules/adb2c/main.tf line 15, in resource "azuread_application" "installer_api":
  15: resource "azuread_application" "installer_api" {

ApplicationsClient.BaseClient.Post(): unexpected status 404 with OData
error: Request_ResourceNotFound: Resource
'e7f88bb6-8b53-4eb1-aeca-234a0305acb4' does not exist or one of its queried
reference-property objects are not present.

The problem is that I don't see anything registered as e7f88bb6-8b53-4eb1-aeca-234a0305acb4 in my Active Directory. On the other hand the app registration with 1817e8e2-c05d-4d0f-a465-23a4fc71e91e id gets created successfully. Is it a bug or am I missing something?

EDIT:

my providers.tf block:

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.33.0"
    }
  }
}
@Threpio
Contributor

Threpio commented Feb 20, 2023

The error message suggests that the current client connecting to azure has an object id of e7f88bb6-8b53-4eb1-aeca-234a0305acb4.
If you create a terraform output that contains the current client config and print the object_id, does it give you the above object_id?

In terms of it getting created successfully - in this terraform module the application is created and THEN the owners are assigned (in the code that is).

@manicminer
Contributor

manicminer commented Feb 21, 2023

Hi @michalklusakc4, thanks for opening this issue. The azuread_client_config data source retrieves information for the authenticated principal. Because principal object IDs are scoped per tenant, you will need an azuread_client_config data source per provider alias, and to reference the corresponding data source when sourcing the authenticated principal's object ID.

The 404 you are getting suggests a specified owner principal was not found in the directory whilst attempting to create the application. Unfortunately, receiving a 404 for a POST request isn't very intuitive but here we are.
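One way to apply that advice, as an added example that is not from the issue or the provider's own documentation: it assumes a home tenant authenticated from the environment plus a B2C tenant supplied through the variables b2c_tenant_id, b2c_client_id and b2c_client_secret, and gives each aliased provider its own azuread_client_config so the owner reference is an object ID that exists in the tenant where the application is created.

```hcl
# Added example (not from the issue): one azuread_client_config per provider alias.
# var.b2c_tenant_id, var.b2c_client_id and var.b2c_client_secret are assumed to exist.

provider "azuread" {
  # Home tenant: credentials come from the environment (az login, ARM_* variables).
}

provider "azuread" {
  alias         = "adb2cprovider"
  tenant_id     = var.b2c_tenant_id
  client_id     = var.b2c_client_id
  client_secret = var.b2c_client_secret
}

# Identity of the principal authenticated against the home tenant.
data "azuread_client_config" "home" {}

# Identity of the principal authenticated against the B2C tenant.
# Its object_id is only meaningful inside that tenant.
data "azuread_client_config" "b2c" {
  provider = azuread.adb2cprovider
}

resource "azuread_application" "installer_api" {
  provider         = azuread.adb2cprovider
  display_name     = "myapp"
  sign_in_audience = "AzureADandPersonalMicrosoftAccount"

  # Reference the data source bound to the same alias as the resource.
  # Using data.azuread_client_config.home here would reproduce the 404 from
  # the issue, because that object ID does not exist in the B2C directory.
  owners = [data.azuread_client_config.b2c.object_id]
}

# Surface both IDs so a tenant mismatch is visible in the plan output.
output "home_principal_object_id" {
  value = data.azuread_client_config.home.object_id
}

output "b2c_principal_object_id" {
  value = data.azuread_client_config.b2c.object_id
}
```

Running `terraform plan` with these outputs shows which object ID each provider alias resolves to, so a reference to the wrong tenant's principal can be caught before the POST to Graph is attempted.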

@Xzelsius

Xzelsius commented Feb 21, 2023

I am facing a similar error:

{"error":{"code":"Request_ResourceNotFound","message":"Resource '' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2023-02-21T13:09:38","request-id":".....","client-request-id":"....."}}}

This is my terraform resource:

resource "azuread_application" "application" {
  display_name = var.name
  logo_image   = var.logo != null ? filebase64(var.logo) : null

  #owners = var.owners
}

No matter how I try to create an azuread_application (with or without owners specified), the error still occurs.

Below is the body which is being sent:

{
    "groupMembershipClaims": null,
    "owners@odata.bind": [
        "https://graph.microsoft.com/v1.0/<id of directory>/directoryObjects/<id of service principal>"
    ],
    "api": {
        "acceptMappedClaims": false,
        "knownClientApplications": [],
        "oauth2PermissionScopes": [],
        "requestedAccessTokenVersion": 1
    },
    "appRoles": [],
    "description": null,
    "displayName": "TERRAFORM_UPDATE_ecb01146-8dfc-361c-c1eb-23141566c48e",
    "identifierUris": [],
    "info": {
        "marketingUrl": "",
        "privacyStatementUrl": "",
        "supportUrl": "",
        "termsOfServiceUrl": ""
    },
    "isDeviceOnlyAuthSupported": false,
    "isFallbackPublicClient": false,
    "oauth2RequirePostResponse": false,
    "optionalClaims": {},
    "publicClient": {
        "redirectUris": []
    },
    "requiredResourceAccess": [],
    "signInAudience": "AzureADMyOrg",
    "spa": {
        "redirectUris": []
    },
    "tags": [],
    "web": {
        "homePageUrl": null,
        "implicitGrantSettings": {
            "enableAccessTokenIssuance": false,
            "enableIdTokenIssuance": false
        },
        "logoutUrl": null,
        "redirectUris": []
    }
}

The referenced owner exists and can be queried by the service principal (according to the TRACE log and postman).

If I send the exact same body using Postman to POST https://graph.microsoft.com/v1.0/applications but remove the oauth2RequirePostResponse field the request succeeds.

So I think it has something to do with the oauth2RequirePostResponse field.
I am using hashicorp/azuread with version 2.34.0

EDIT: I just found out that my problem might have been fixed with #1023

@manicminer
Contributor

@Xzelsius You are correct about #1023, please update to v2.34.1 which contains a fix for that issue.
