azuread_application_from_template - DeletingSamlSpNotAllowed: Property appId is invalid #1388
Comments
@niven01 - I am seeing the same error (error: DeletingSamlSpNotAllowed: Property appId is invalid) in a different context - trying to delete an Azure enterprise app through its MSGraph API endpoint. It was all working fine until about a week ago.
The error occurs precisely when the identifiers or reply URLs of the SAML configuration of the registered application do not correspond to one of the verified domains of the tenant. In this case, the service principal cannot be deleted. This can be checked with the PS cmdlet Remove-AzureADServicePrincipal; the detailed error message referring to invalid URLs is displayed. The solution is to first adapt the SAML URLs accordingly and then destroy the app via TF.
Can also be checked by trying to delete an application with an "incorrect" identifier URI in the Azure Portal. This is new behavior, so a new "feature" from Microsoft, perhaps?
Thanks @benehofer for the tip - the error message from the PS cmdlet In our case we're working around the new "feature" by changing the registered application's attribute called
Looking at this further, it appears there is a deeper problem, and it is definitely due to a Microsoft change, as the process I'm about to describe is actually done via API. I have tested via Terraform and the Portal too.

We have automation to onboard app registrations and set up SSO with AWS. We need to set up multiple identifiers for multiple instances. This had been working up to 2 days ago. We are basically following the steps outlined here: https://learn.microsoft.com/en-us/entra/identity/saas-apps/amazon-web-service-tutorial#aws-single-account-access-architecture

When setting up the As per documentation adding the This has now stopped working via API, Terraform or directly in the Portal, meaning we cannot onboard any more AWS SSO App Registrations. Azure is aware an app registration already has the value of API response:

I think the workaround for deleting the app registration by changing the registered application's attribute called identifierUris to match the verified domain of the Entra ID tenant before calling to delete the app is working because the value being entered does not exist in any other SAML config for an app registration at the time. Then, once deleted, the workaround can be used again for the next deletion, as the app the change was made to is now gone.

I'd be interested if anyone else is having issues creating applications that use the same pattern needed for AWS. We have a ticket logged with Microsoft to discuss this. I don't think a fix is needed in Terraform at this point.
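The check and the pre-delete workaround described in the two comments above (identifier URIs or reply URLs not under a verified tenant domain, rewriting identifierUris to a verified-domain value before deleting), as an added example that is not code from terraform-provider-azuread or from anyone in this thread. It uses only the standard library and the Microsoft Graph v1.0 endpoints for organization and applications. The host-matching rule (a URI counts as matching when its host equals a verified domain or is a subdomain of it), the sample tenant and application objects, and the placeholder URI format are assumptions; Microsoft's exact validation rule is not stated in the thread.

```python
"""Pre-delete check for DeletingSamlSpNotAllowed.

Added example, not code from terraform-provider-azuread or from anyone in
this thread. ASSUMPTION: a URI "corresponds" to a verified domain when its
host equals the domain or is a subdomain of it; Microsoft's exact rule is
not documented in the thread.
"""
import json
import os
import sys
import urllib.request
from urllib.parse import urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample data shaped like the Graph objects the check reads
# (GET /organization and GET /applications/{id}); not real tenant data.
SAMPLE_ORG = {"verifiedDomains": [
    {"name": "contoso.onmicrosoft.com", "isDefault": True},
    {"name": "contoso.com", "isDefault": False},
]}
SAMPLE_APP = {
    "id": "11111111-1111-1111-1111-111111111111",
    "appId": "22222222-2222-2222-2222-222222222222",
    "identifierUris": ["https://signin.aws.amazon.com/saml#1"],
    "web": {"redirectUris": ["https://signin.aws.amazon.com/saml",
                             "https://sso.contoso.com/acs"]},
}


def host_matches(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def unmatched_uris(uris, verified_domains):
    """Return the URIs whose host is not under any verified domain.
    A URI with no host at all (e.g. a urn: identifier) is reported too."""
    bad = []
    for uri in uris:
        host = urlsplit(uri).hostname
        if host is None or not any(host_matches(host, d) for d in verified_domains):
            bad.append(uri)
    return bad


def plan_workaround(app, org):
    """Return the PATCH body that makes the app deletable, or None if the
    SAML URLs are already under verified domains.

    identifierUris is replaced by one URI under the default verified domain,
    unique per appId so it cannot collide with another registration's SAML
    config. Unverified reply URLs are dropped; if none would remain, the
    same placeholder is used."""
    domains = [d["name"] for d in org["verifiedDomains"]]
    default = next((d["name"] for d in org["verifiedDomains"] if d.get("isDefault")), domains[0])
    placeholder = f"https://{default}/{app['appId']}"
    replies = app.get("web", {}).get("redirectUris", [])
    bad_ids = unmatched_uris(app.get("identifierUris", []), domains)
    bad_replies = unmatched_uris(replies, domains)
    if not bad_ids and not bad_replies:
        return None
    patch = {}
    if bad_ids:
        patch["identifierUris"] = [placeholder]
    if bad_replies:
        kept = [u for u in replies if u not in bad_replies]
        patch["web"] = {"redirectUris": kept or [placeholder]}
    return patch


def graph(method, path, token, body=None):
    """Minimal Graph call; the token needs Application.ReadWrite.All."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()          # PATCH/DELETE answer 204 with an empty body
        return json.loads(raw) if raw else None


def delete_with_workaround(object_id, token):
    """Patch the SAML URLs only when needed, then delete the application."""
    org = graph("GET", "/organization?$select=verifiedDomains", token)["value"][0]
    app = graph("GET", f"/applications/{object_id}?$select=id,appId,identifierUris,web", token)
    patch = plan_workaround(app, org)
    if patch:
        graph("PATCH", f"/applications/{object_id}", token, patch)
    graph("DELETE", f"/applications/{object_id}", token)


if __name__ == "__main__":
    # Offline: show what would be patched for the constructed sample.
    print(json.dumps(plan_workaround(SAMPLE_APP, SAMPLE_ORG), indent=2))
    # Online (optional): pass the application object id as argv[1] and a
    # bearer token in GRAPH_TOKEN.
    if len(sys.argv) > 1 and os.environ.get("GRAPH_TOKEN"):
        delete_with_workaround(sys.argv[1], os.environ["GRAPH_TOKEN"])
```

Run without arguments to see the planned patch for the sample; on the sample, the AWS identifier URI is replaced with a per-appId URI under the default verified domain and the unverified AWS reply URL is dropped while the contoso.com one is kept. The per-appId placeholder is what keeps the workaround reusable across consecutive deletions, which is the collision the comment above suspects.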
FYI, the issue when creating app registrations for AWS appears to have been resolved. The original issue still exists. The workaround provided of changing the attribute
There's another, simple, sad, and manual workaround: delete the enterprise app (service principal) from the portal! That being said, the portal is basically calling a function in the back-end. It's usually the same function that's called when you run the corresponding PowerShell cmdlet. Finding out what exactly is being called when running an enterprise app delete from the portal would be interesting.
Terraform (and AzureAD Provider) Version
Tested with:
- Terraform versions 1.5.0, 1.8.3
- AzureAD provider versions 2.48, 2.50
Affected Resource(s)
azuread_application_from_template
Debug Output
https://gist.github.com/niven01/a683eee62518b3c6fbebf8774816d39c
Expected Behavior
Running a terraform destroy should delete the app registration. This had been working a month ago; it had not been run since then.
Actual Behavior
terraform destroy fails to delete the app registration with the following error:
Error: deleting Application From Template (Template ID: "8b1025e4-1dd2-430b-a150-2ef79cd700f5", Application ID: "ea5fe2bc-58c1-483e-bd4f-40c560986ebc", Service Principal ID: "24cdec0c-d201-4af9-8752-fd5735276f2f"): ApplicationsClient.BaseClient.Delete(): unexpected status 400 with OData error: DeletingSamlSpNotAllowed: Property appId is invalid
Steps to Reproduce
terraform apply -var="application_name=MY_APP_NAME" --auto-approve
terraform destroy -var="application_name=MY_APP_NAME" --auto-approve