Introduction
This article provides troubleshooting guidance for a 403 error that occurs when using older versions of the AzureRM provider with Terraform.
Problem
When you run terraform plan with AzureRM Provider versions 1.x or 2.x, you may encounter a 403 error with the following output:
Error: Error building account: Error getting authenticated object ID: Error
listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)
(0xc001269ef0), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List",
StatusCode:403, Message:"Failure responding to request", ServiceError:[]uint8(nil),
Response:(*http.Response)(0xc001269e60)}
on provider.tf line 12, in provider "azurerm":
12: provider "azurerm" {
Operation failed: failed running terraform plan (exit 1)
Cause
This error occurs because Microsoft has deprecated the Azure AD Graph API, which was used for authentication in older versions of the AzureRM provider. As of September 2024, this API is no longer fully supported, leading to authentication failures.
For more details, refer to the official Microsoft announcement on the Azure AD Graph API retirement.
Solution
To resolve this issue, you must upgrade the AzureRM provider to version 3.0.0 or higher. Starting with version 3.0.0, the provider uses the Microsoft Graph API for authentication.
When upgrading the provider, HashiCorp also recommends upgrading Terraform to at least version 0.12.31. Note that the next major release of the AzureRM Provider (v4.0) will require Terraform 1.0 or later.
Update your provider configuration to require version 3.0 or later.
terraform {
  required_version = ">= 0.12.31"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}
provider "azurerm" {
  features {}
  # client_id       = var.client_id
  # client_secret   = var.client_secret
  # tenant_id       = var.tenant_id
  # subscription_id = var.subscription_id
}
Outcome
After updating the provider version, a terraform plan will succeed and show the expected changes.
Terraform will perform the following actions:
  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "eastus2"
      + name     = "test-resources"
    }
Plan: 1 to add, 0 to change, 0 to destroy.
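To confirm which AzureRM provider version a working directory actually resolved, the following added example (written for this page, not HashiCorp's code) reads either a .terraform.lock.hcl file or the output of terraform version and flags anything below 3.0.0. It assumes the lock-file block layout written by Terraform 0.14 and later and the "+ provider" lines printed by terraform version; the function names and sample inputs are constructed for illustration.

```python
import re

# .terraform.lock.hcl block:
#   provider "registry.terraform.io/hashicorp/azurerm" { version = "x.y.z" ... }
LOCK_RE = re.compile(
    r'provider\s+"registry\.terraform\.io/hashicorp/azurerm"\s*\{[^}]*?\bversion\s*=\s*"([^"]+)"',
    re.S)
# `terraform version` lines: "+ provider.azurerm v2.46.0" (0.12) or
# "+ provider registry.terraform.io/hashicorp/azurerm v2.99.0" (0.13+)
CLI_RE = re.compile(
    r'^\+ provider[. ](?:registry\.terraform\.io/hashicorp/)?azurerm v(\S+)', re.M)

MIN_MAJOR = 3  # the article's fix: AzureRM 3.0.0 or higher


def selected_versions(text):
    """Return azurerm versions found in lock-file text or `terraform version` output."""
    return LOCK_RE.findall(text) + CLI_RE.findall(text)


def needs_upgrade(version):
    """True when the selected release is below 3.0.0."""
    return int(version.split(".")[0]) < MIN_MAJOR


def audit(text):
    """Return (version, needs_upgrade) pairs for every azurerm version in the text."""
    return [(v, needs_upgrade(v)) for v in selected_versions(text)]


# Constructed sample inputs (not taken from the article).
SAMPLE_LOCK = '''provider "registry.terraform.io/hashicorp/azurerm" {
  version     = "2.99.0"
  constraints = "~> 2.0"
  hashes = [
    "h1:CONSTRUCTED-PLACEHOLDER=",
  ]
}
'''
SAMPLE_CLI_012 = "Terraform v0.12.31\n+ provider.azurerm v2.46.0\n"
SAMPLE_CLI_NEW = "Terraform v1.5.7\n+ provider registry.terraform.io/hashicorp/azurerm v3.116.0\n"

if __name__ == "__main__":
    for name, text in [("lock file", SAMPLE_LOCK), ("0.12 CLI", SAMPLE_CLI_012),
                       ("1.x CLI", SAMPLE_CLI_NEW)]:
        for version, stale in audit(text):
            print(f"{name}: azurerm {version} -> {'upgrade to >= 3.0' if stale else 'ok'}")
```

A lock file that still records a 2.x version after the constraint is changed means the provider selection has not been refreshed; terraform init -upgrade re-resolves it.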