I am creating a new Azure Active Directory Application Registration in Pulumi using TypeScript as outlined here: https://www.pulumi.com/registry/packages/azuread/api-docs/application/
My code looks roughly as follows:
```typescript
import * as azuread from "@pulumi/azuread";

// Identity the pipeline runs under (resolves to the service principal's object ID)
const current = azuread.getClientConfig({});
const appRegistrationName = "my-app-registration";

const appRegistration = new azuread.Application(appRegistrationName, {
    identifierUris: ["api://my-app-registration"],
    displayName: appRegistrationName,
    // The deploying service principal is set as the only owner at creation time
    owners: [current.then((current: { objectId: any }) => current.objectId)],
    signInAudience: "AzureADMyOrg",
    requiredResourceAccesses: [
        ...
    ],
    api: {
        oauth2PermissionScopes: [
            ...
        ],
    },
    singlePageApplication: {
        redirectUris: [
            ...
        ],
    },
});
```
This works as expected, creating the App Registration with the owner as the service principal the pipeline runs under. The problem I am having is when I try to add other users as owners on creation.
```typescript
// Object IDs of the additional users that should also own the application
const otherOwners = [
    '5bc697d2-5f95-47ae-a57a-ad997b9979b7',
    '5c57c660-b071-48f1-a700-1100e218a68a',
    'cf1247a5-5ab1-48ab-a7ca-3d38807c7bff',
];
```
When I change the code above so that the owners block looks like this:
```typescript
owners: [current.then((current: { objectId: any }) => current.objectId), ...otherOwners],
```
I get the following error:
```
- Could not create application: ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData error: Authorization_RequestDenied: Insufficient privileges to complete the operation.
```
The service principal has the following permissions:
- https://graph.microsoft.com/Application.Read.All
- https://graph.microsoft.com/Application.ReadWrite.OwnedBy
It should be able to add users as owners to applications which it owns. In fact it can do this: if I run the initial code and then modify it, everything is created as expected. I would like to just be able to write and deploy the code once, though. Is there a way to create a resource and update it in the same script? Or some other method of creating the resource with multiple owners (including the service principal)?