How can I reliably automate granting admin consent for an Azure Databricks SCIM app using Terraform and Azure CLI without manual intervention?

Kaniganti Sai Sumanth 20 Reputation points
2025-01-05T13:46:37.9466667+00:00

I am trying to automate the creation of an Azure AD application (specifically, an Azure Databricks SCIM app) and grant admin consent for its API permissions using Terraform. The required API permissions include Application.ReadWrite.All, Application.ReadWrite.OwnedBy, Group.Read.All, and User.Read.All. To achieve this, I am automating the Azure login process using a Bash script and a Service Principal. In the script, I prompt the user to provide the Service Principal's client ID and client secret for login. While the login step works and the SCIM app is created successfully, I am unable to grant admin consent for the app programmatically.

I use a null_resource with a local-exec provisioner to run an Azure CLI command (az ad app permission admin-consent), but this step intermittently fails, even with retry logic. When the retries are exhausted, I have to log in interactively to grant consent manually, which defeats the purpose of automation. I suspect the issue might be related to the admin consent process, as these permissions require admin consent due to their sensitive nature. Is there a reliable way to programmatically grant admin consent for the Azure Databricks SCIM app during the Terraform execution without manual intervention? Below is a snippet of my Terraform and Bash logic for reference. Any insights or suggestions would be greatly appreciated!

Code Snippet:

```hcl
resource "null_resource" "grant_admin_consent" {
  provisioner "local-exec" {
    command     = "az ad app permission admin-consent --id ${azuread_application.scim.application_id}"
    interpreter = ["bash", "-c"]
  }

  depends_on = [
    azuread_application.scim,
    azuread_application_password.scim_secret
  ]

  triggers = {
    app_id = azuread_application.scim.application_id
  }
}
```

ERROR: Unauthorized({"ClassName":"System.Security.Authentication.AuthenticationException","Message":"S2S17000: SAL was unable to validate the protocol. Validation failure: 'ValidationCompleted; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme'","Data":null,"InnerException":null,"HelpURL":null,"StackTraceString":null,"RemoteStackTraceString":null,"RemoteStackIndex":0,"ExceptionMethod":null,"HResult":-2146233087,"Source":null,"WatsonBuckets":null})

Interactive authentication is needed. Please run: az logout az login


Accepted answer
  1. Sanoop M 80 Reputation points Microsoft Vendor
    2025-01-06T20:14:17.0366667+00:00

    Hello @Kaniganti Sai Sumanth ,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you want to know whether it is possible to automate granting admin consent for an Azure Databricks SCIM app using Terraform and Azure CLI without manual intervention.

    Yes, it is possible to automate granting admin consent for an Azure Databricks SCIM app using Terraform and Azure CLI.

    Prerequisites:

    To grant tenant-wide admin consent, you need:

    • A Microsoft Entra user account with one of the following roles:
      • Privileged Role Administrator, for granting consent for apps requesting any permission, for any API.
      • Cloud Application Administrator or Application Administrator, for granting consent for apps requesting any permission for any API, except Microsoft Graph app roles (application permissions).
      • A custom directory role that includes the permission to grant permissions to applications, for the permissions required by the application.

    Please make sure the user account with which you are trying to grant admin consent for the Azure Databricks SCIM application has the required roles, such as "Global Administrator" or "Privileged Role Administrator".

    Please refer to the documents below regarding the prerequisites for granting tenant-wide admin consent and the Azure CLI commands for granting application and delegated permissions through admin consent.

    https://zcusa.951200.xyz/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=ms-graph

    https://zcusa.951200.xyz/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-admin-consent

    I hope the information provided above is helpful. Please feel free to reach out if you have any further questions.

    If the above answer is helpful, please click "Accept Answer" and kindly upvote it. If you have additional questions about this answer, please click "Comment".

    Thanks and Best Regards,

    Sanoop Mohan
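As an added example (not code from the question or from the answer above), the following Terraform expresses the grant for the four application permissions named in the question as app role assignments on the SCIM app's service principal, so no `local-exec` call to `az ad app permission admin-consent` is needed. It assumes the azuread provider at version 2.44 or later (where the attribute is `client_id`), an existing `azuread_application.scim` as in the question, and that the identity running Terraform holds one of the roles the answer lists.

```hcl
# Added example; not from the question or the accepted answer.
# Assumes azuread provider >= 2.44, an existing azuread_application.scim,
# and a Terraform identity permitted to grant these permissions.

# Microsoft Graph's well-known application (client) ID, the same in every tenant.
data "azuread_service_principal" "msgraph" {
  client_id = "00000003-0000-0000-c000-000000000000"
}

# App roles are granted to a service principal, not to the application object,
# so the SCIM app needs one in the tenant.
resource "azuread_service_principal" "scim" {
  client_id = azuread_application.scim.client_id
}

locals {
  # The application permissions listed in the question. Every entry becomes a
  # tenant-wide grant, so keep this list to what SCIM provisioning needs.
  scim_graph_app_roles = [
    "Application.ReadWrite.All",
    "Application.ReadWrite.OwnedBy",
    "Group.Read.All",
    "User.Read.All",
  ]
}

# One appRoleAssignment per permission. For application permissions this is
# the record that admin consent creates, which is why the separate CLI step
# (and the interactive login it demanded) is not required.
resource "azuread_app_role_assignment" "scim_graph" {
  for_each = toset(local.scim_graph_app_roles)

  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids[each.value]
  principal_object_id = azuread_service_principal.scim.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

This covers application (app role) permissions only; a delegated permission would instead need an OAuth2 permission grant, for which the provider offers `azuread_service_principal_delegated_permission_grant`.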
