How to create Enterprise app in Terraform with SCIM


I am trying to create a new Enterprise App with Terraform in Azure. Every time I end up with an app created, but when I go into Provisioning, I get an error saying "Out of the box automatic provisioning to app_name_here is not supported today".

What am I missing in my code? What actually makes the SCIM part available for provisioning? I don't need the provisioning details in the TF code; I only want to create the app with TF and then provision it manually later, without the error I pasted. Here is my code:

data "azurerm_client_config" "main" {}

resource "azuread_application" "enterprise_app" {
  display_name = "enterprise_app"
  feature_tags {
    custom_single_sign_on = true
  }
  owners = setsubtract(
    local.owners,
    [
      local.managers.xxxxx,
      local.managers.xxxxx,
    ]
  )
  
  web {
    redirect_uris = [
      "https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/client/oauth2/authorize",
    ]

    implicit_grant {
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = false
    }
  }
}

resource "azuread_service_principal" "enterprise_app" {
  application_id                = azuread_application.enterprise_app.application_id
  owners                        = azuread_application.enterprise_app.owners
  login_url                     = "https://axxxxxxxxxxx/auth/login"
  feature_tags {
    custom_single_sign_on = true
    enterprise            = true
    gallery               = false
  }
}

resource "azuread_synchronization_secret" "enterprise_app" {
  service_principal_id = azuread_service_principal.enterprise_app.id

  credential {
    key   = "BaseAddress"
    value = "https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxapi/v1/scim/"
  }
  credential {
    key   = "SecretToken"
    value = "abcdefghijaksl"
  }
}

resource "azuread_synchronization_job" "enterprise_app" {
  service_principal_id = azuread_service_principal.enterprise_app.id
  template_id          = "scim"
  enabled              = true
}


There is 1 answer below

Vinay B On

Creating an Enterprise app in Terraform with SCIM

You want to use Terraform to build an Enterprise Application in Azure that can be provisioned manually later without getting the error "Out of the box automatic provisioning to app_name_here is not supported today".

Before we can solve your problem, we need to know what the error message means. This error usually means that your Enterprise Application does not have the right settings for automatic provisioning. This might be because the SCIM (System for Cross-domain Identity Management) configuration is missing or wrong. SCIM is very important for creating and managing users.

For demo purposes, I tried using the Terraform code below.

Terraform configuration:

# Configure the Azure Provider
provider "azurerm" {
  features {}
}

provider "azuread" {}

data "azuread_application_template" "example" {
  display_name = "Azure Databricks SCIM Provisioning Connector"
}

resource "azuread_application" "example" {
  display_name = "vksbdemo"
  template_id  = data.azuread_application_template.example.template_id
  feature_tags {
    enterprise = true
    gallery    = true
  }
}

resource "azuread_service_principal" "example" {
  client_id    = azuread_application.example.client_id
  use_existing = true
}

resource "azuread_synchronization_secret" "example" {
  service_principal_id = azuread_service_principal.example.id

  credential {
    key   = "BaseAddress"
    value = "https://adb-example.azuredatabricks.net/api/2.0/preview/scim"
  }
  credential {
    key   = "SecretToken"
    value = "some-token"
  }
}

resource "azuread_synchronization_job" "example" {
  service_principal_id = azuread_service_principal.example.id
  template_id          = "dataBricks"
  enabled              = true
}

Replace Your_SCIM_Endpoint_URL and Your_SCIM_Secret in the respective places with your actual SCIM endpoint and secret token.

Many cloud applications already support SCIM and provide SCIM endpoints out of the box. If you're integrating with such a service, they will provide you with the SCIM endpoint URL and a secret token.

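Both configurations above put the SCIM bearer token as a literal in the .tf file, where it ends up in version control. As an added example that is not part of the answer or of the azuread provider's own docs, this variant of the `azuread_synchronization_secret` block reads the endpoint and token from input variables instead; it assumes the `azuread_service_principal.example` resource from the answer, and the variable names and the `TF_VAR_scim_secret_token` environment variable are assumptions.

```hcl
# Added example: keep the SCIM token out of source. Variable names are assumed.
variable "scim_base_address" {
  type        = string
  description = "SCIM endpoint of the target app, e.g. https://<host>/api/2.0/preview/scim"

  # Refuse a plain-http endpoint: the token would otherwise travel in clear text.
  validation {
    condition     = can(regex("^https://", var.scim_base_address))
    error_message = "scim_base_address must start with https://."
  }
}

variable "scim_secret_token" {
  type        = string
  sensitive   = true # redacted from plan/apply output; still written to state
  description = "Bearer token issued by the SCIM target; pass via TF_VAR_scim_secret_token"
}

# Replaces the hard-coded credential block from the answer.
resource "azuread_synchronization_secret" "example" {
  service_principal_id = azuread_service_principal.example.id

  credential {
    key   = "BaseAddress"
    value = var.scim_base_address
  }
  credential {
    key   = "SecretToken"
    value = var.scim_secret_token
  }
}
```

The `sensitive` flag only hides the value in console output; the token is still stored in the Terraform state, so the state backend needs the same access controls as the token itself.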