azuread_user_flow_attribute b2c authentication not working #1079

Open
atcastel opened this issue Apr 21, 2023 · 2 comments
Comments

@atcastel
Terraform 1.0.9, azuread 2.37.2, azurerm 3.51.0

Affected Resource(s)

  • azuread_user_flow_attribute

Terraform Configuration Files

This is in the context of an Azure AD provider that has a B2C tenant as its tenant, signed in as the original creator of the B2C tenant.

resource "azuread_user_flow_attribute" "example" {
  display_name = "Hobby"
  description  = "Your hobby"
  data_type    = "string"
}

Expected Behavior

User flow attribute created.

Actual Behavior

│ Error: Checking for existing user flow attribute: "Hobby"

│ with azuread_user_flow_attribute.example,
│ on main.tf line 112, in resource "azuread_user_flow_attribute" "example":
│ 112: resource "azuread_user_flow_attribute" "example" {

│ UserFlowAttributesClient.BaseClient.Get(): unexpected status 403 with OData error: AADB2C: The application does not have any of the required delegated permissions
│ (IdentityUserFlow.Read.All, IdentityUserFlow.ReadWrite.All) to access the resource.

Steps to Reproduce

  1. Create a B2C tenant.
  2. Initialize Terraform with the provider tenant for azuread being the B2C tenant.
  3. terraform apply

Important Factoids

This is a user who has the ability to create user flow attributes manually in the portal. I also tried creating an application with the relevant permissions and using that, but still received the same issue. Audit logs in the B2C tenant show a similar error saying "Access denied. Client app does not have required app permissions."

@germandsantana

I'm getting the same error adding custom users fields to a b2c tenant.

The only "reliable" way I've found to overcome this issue was creating additional terraform resources:

  • azuread_application granting IdentityUserFlow.ReadWrite.All
  • azuread_application_password to get a secret

Then I make a call to a PowerShell Graph local-exec script that runs Connect-MgGraph, passing the secret, and finally calls New-MgIdentityUserFlowAttribute to create the custom attribute.

@RockyMM

RockyMM commented Nov 6, 2023

You should start with @germandsantana's approach and create another service principal, but in the AAD B2C tenant, not the original tenant, and then configure another azuread provider with an alias.
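The two workarounds above, combined into one configuration as an added example. This is not code from the issue author, either commenter, or the azuread provider's documentation. It assumes: the bootstrap provider is the human B2C tenant creator signed in to the B2C tenant (as RockyMM notes, the registration must live in the B2C tenant, not the workforce tenant); the `IdentityUserFlow.ReadWrite.All` application permission is granted as an app role and admin-consented with `azuread_app_role_assignment`, since the audit-log message in the issue ("Client app does not have required app permissions") is what an unconsented app permission produces; the local-exec step uses the Microsoft.Graph PowerShell SDK 2.x, whose `Connect-MgGraph` accepts `-ClientSecretCredential`. The resource names, the `b2c_tenant_id` variable, and the 720h secret lifetime are illustrative choices, not anything from the thread.

```hcl
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 2.37" }
    null    = { source = "hashicorp/null" }
  }
}

# Assumed input: the tenant ID of the Azure AD B2C directory.
variable "b2c_tenant_id" {
  type = string
}

# Bootstrap provider: the B2C tenant creator, signed in to the B2C tenant
# itself (e.g. `az login --tenant <b2c_tenant_id> --allow-no-subscriptions`).
provider "azuread" {
  tenant_id = var.b2c_tenant_id
}

data "azuread_application_published_app_ids" "well_known" {}

data "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
}

# App registration in the B2C tenant that carries the app-only Graph permission.
resource "azuread_application" "userflow_automation" {
  display_name = "terraform-userflow-automation" # illustrative name

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["IdentityUserFlow.ReadWrite.All"]
      type = "Role" # application permission: client-credentials flow, no signed-in user
    }
  }
}

resource "azuread_service_principal" "userflow_automation" {
  application_id = azuread_application.userflow_automation.application_id
}

resource "azuread_application_password" "userflow_automation" {
  application_object_id = azuread_application.userflow_automation.object_id
  end_date_relative     = "720h" # illustrative lifetime; rotate on your own schedule
}

# Admin consent for the app role. Without this the secret still authenticates,
# but Graph answers "Client app does not have required app permissions".
resource "azuread_app_role_assignment" "userflow_rw" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["IdentityUserFlow.ReadWrite.All"]
  principal_object_id = azuread_service_principal.userflow_automation.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}

# The attribute itself, created out-of-band with the Graph PowerShell SDK.
resource "null_resource" "hobby_attribute" {
  depends_on = [azuread_app_role_assignment.userflow_rw]

  triggers = { display_name = "Hobby" }

  provisioner "local-exec" {
    interpreter = ["pwsh", "-NoProfile", "-Command"]

    # The secret is handed over through the environment rather than interpolated
    # into the command string, so it stays out of shell history and Terraform's
    # logged command line. It is still stored in Terraform state; protect the backend.
    environment = {
      B2C_TENANT_ID     = var.b2c_tenant_id
      B2C_CLIENT_ID     = azuread_application.userflow_automation.application_id
      B2C_CLIENT_SECRET = azuread_application_password.userflow_automation.value
    }

    command = <<-EOT
      $secret = ConvertTo-SecureString $env:B2C_CLIENT_SECRET -AsPlainText -Force
      $cred   = New-Object System.Management.Automation.PSCredential($env:B2C_CLIENT_ID, $secret)
      Connect-MgGraph -TenantId $env:B2C_TENANT_ID -ClientSecretCredential $cred -NoWelcome
      # Idempotent: skip creation if an attribute with this display name already exists.
      if (-not (Get-MgIdentityUserFlowAttribute -All | Where-Object DisplayName -eq 'Hobby')) {
        New-MgIdentityUserFlowAttribute -DisplayName 'Hobby' -Description 'Your hobby' -DataType 'string' | Out-Null
      }
    EOT
  }
}
```

To follow RockyMM's variant instead of the local-exec step, feed the same service principal's `application_id` and password value into a second provider block (`provider "azuread" { alias = "b2c" tenant_id = ... client_id = ... client_secret = ... }`) and set `provider = azuread.b2c` on the `azuread_user_flow_attribute` resource. Because a provider configuration cannot consume values that are only known after the same apply, that needs two runs: one to create the registration and consent, a second with the resulting credentials supplied as variables.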
