You’ve created a new subscription, created a service principal for Terraform, run your scripts to create the infrastructure, and then... boom! Terraform doesn’t have the rights to read an existing user that is referenced by a data "azuread_user" block.

The exact error looks like this:

[screenshot: the Terraform error message]

This happens because the Terraform service principal doesn’t have enough privileges to read user data from Azure Active Directory.

What needs to be done?

  1. Log in to the Azure Portal.
  2. Go to Azure Active Directory, then App registrations.
  3. Find the service principal used by Terraform; in my case it’s named terraform.
  4. Go to the API permissions tab.
  5. Add the following permissions for the Microsoft Graph API:
    • Application.ReadWrite.All
    • AppRoleAssignment.ReadWrite.All
    • Directory.ReadWrite.All
  6. After adding them, grant admin consent for all of these permissions.

The final list looks like this:

[screenshot: the API permissions list after admin consent]

Now the Terraform service principal has the rights to read user and domain data.
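The same change scripted with the Azure CLI, as an added example that is not from the original post. It resolves the Graph app-role ID by name instead of hard-coding it and defaults to User.Read.All, which is all a data "azuread_user" lookup needs; the three ReadWrite permissions listed above also let Terraform modify the directory, so the script refuses any Write permission unless ALLOW_WRITE=1 is set. The file name grant-graph.sh and the variables TERRAFORM_APP_ID, GRAPH_PERMISSION and ALLOW_WRITE are the script's own assumptions.

```shell
# Added example, not from the original post: grant the Terraform service
# principal a Microsoft Graph application permission from the Azure CLI and
# consent to it, assuming a logged-in `az` session allowed to consent.
set -eu

# Well-known application (client) ID of the Microsoft Graph API.
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# App roles (application permissions) are passed as "<roleId>=Role";
# delegated permissions would be "<scopeId>=Scope".
graph_role_arg() {
  printf '%s=Role' "$1"
}

# Any *Write* permission lets Terraform change the directory, not just read it.
is_write_permission() {
  case "$1" in
    *Write*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Resolve a permission name such as User.Read.All to its app-role ID from
# the roles published by Graph's own service principal.
graph_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" --query "appRoles[?value=='$1'].id" -o tsv
}

# Add the permission to the app registration and grant admin consent.
# Write permissions are refused unless ALLOW_WRITE=1 is set.
grant_graph_permission() {
  app_id="$1"       # application (client) ID of the Terraform SP
  permission="$2"   # e.g. User.Read.All
  if is_write_permission "$permission" && [ "${ALLOW_WRITE:-0}" != "1" ]; then
    echo "refusing write permission $permission (set ALLOW_WRITE=1)" >&2
    return 1
  fi
  role_id="$(graph_role_id "$permission")"
  [ -n "$role_id" ] || { echo "unknown Graph permission: $permission" >&2; return 1; }
  az ad app permission add --id "$app_id" --api "$GRAPH_APP_ID" \
    --api-permissions "$(graph_role_arg "$role_id")"
  az ad app permission admin-consent --id "$app_id"
}

# Usage: TERRAFORM_APP_ID=<client-id-placeholder> sh grant-graph.sh
# Reading users with data "azuread_user" only needs User.Read.All.
if [ -n "${TERRAFORM_APP_ID:-}" ]; then
  grant_graph_permission "$TERRAFORM_APP_ID" "${GRAPH_PERMISSION:-User.Read.All}"
fi
```

Admin consent still requires the signed-in account to hold a role that can consent for the tenant, exactly as in the portal flow.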