Example showing how to retrieve the MS Graph permissions with Terraform.
# Provider requirements: this example only needs the azuread provider.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
  }
}
# Authenticated via the Azure CLI
# Published application (client) IDs of well-known Microsoft apps; used below to
# look up Microsoft Graph (result.MicrosoftGraph) rather than hard-coding its GUID.
data "azuread_application_published_app_ids" "well_known" {}
# Service principal for Microsoft Graph in this tenant. Its app_role_ids map
# resolves permission names such as "User.Read.All" to the role IDs used below.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}
# App role (application permission) ID for User.Read.All on Microsoft Graph.
output "user_read_all" {
  value = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
}
# App role (application permission) ID for Mail.ReadBasic.All on Microsoft Graph.
output "mail_readbasic_all" {
  value = data.azuread_service_principal.msgraph.app_role_ids["Mail.ReadBasic.All"]
}
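# Example of how to create an app registration with the required MS Graph permission.
# required_resource_access only records the request on the app registration; the
# permission is not effective until an administrator grants consent for it.
resource "azuread_application" "directory_role_app" {
  display_name     = "exampleApp"
  identifier_uris  = ["api://example-app"]
  sign_in_audience = "AzureADMyOrg"

  required_resource_access {
    # Microsoft Graph's app id, taken from the same published-app-ids data source
    # as the msgraph service principal above instead of a hard-coded GUID.
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      # User.Read.All as an application permission (type "Role"): the app can read
      # every user in the tenant without a signed-in user, so this requires admin consent.
      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
  }
}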