Managed Identity Cannot Read Conditional Access Policies

[ryaison]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Summary

When attempting to import (and manage) a Conditional Access policy using a Managed Identity, Terraform fails to read the existing resource, claiming scopes are missing from the token. Using the same process with a Service Principal works as expected. Both Identities have the required Graph API permissions.

Terraform (and AzureAD Provider) Version

Terraform version: 1.6.3
AzureAD Provider version: 3.0.1

Affected Resource(s)

azuread_conditional_access_policy

Terraform Configuration Files

provider "azuread" {
  use_cli   = false
  use_msi   = true
  client_id = <managed_id_client_id>
  tenant_id = <tenant_id>
}

resource "azuread_conditional_access_policy" "sample" {
  display_name = "My Policy"
  state        = "enabled"

  conditions {
    applications {
      included_applications = ["All"]
    }
    client_app_types = ["all"]
    users {
      included_users = ["All"]
    }
  }
  grant_controls {
    built_in_controls = ["mfa"]
    operator          = "OR"
  }
}

import {
  to = azuread_conditional_access_policy.sample
  id = "/identity/conditionalAccess/policies/<policy_id_guid>"
}

Expected Behavior

Terraform imports the Conditional Access policy.

Actual Behavior

Error: retrieving Identity Conditional Access Policy (Conditional Access Policy: "<policy_id_guid>")

unexpected status 403 (403 Forbidden) with error: AccessDenied: You cannot
perform the requested operation, required scopes are missing in the token.

Steps to Reproduce

1. terraform plan

OR

1. terraform apply (if not importing)

Important Factoids

Using the same resource code with a Service Principal (instead of Managed ID) works as expected:

provider "azuread" {
  use_cli   = false
  client_id = <service_principal_client_id>
  tenant_id = <tenant_id>
}

Permissions for both identities include:
Policy.ReadWrite.ConditionalAccess
Policy.Read.All

[manicminer]

@ryaison Unfortunately the permissions for an endpoint are assigned by the token service and are not controlled by the provider. To help in debugging your effective permissions, you can enable debug logging (export TF_LOG=DEBUG) and look for a line containing AzureAD Provider access token claims which will output the claims present in the access token. If the roles are not present, then these permissions have not been effectively granted and you will need to ensure you're using the right principal, and that the roles have been assigned (e.g. given admin consent).

[ryaison]

I'm going to chalk this up to Entra ID taking a while to apply permissions. I came back to this today and it works as expected and the claims are present as expected. No changes have been made.
Thanks!