Problem
When running Terraform with AzureRM provider version 1.x or 2.x, users may encounter a 403 error like the following:
Error: Error building account: Error getting authenticated object ID: Error 
listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)
(0xc001269ef0), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List", 
StatusCode:403, Message:"Failure responding to request", ServiceError:[]uint8(nil),
 Response:(*http.Response)(0xc001269e60)}
  on provider.tf line 12, in provider "azurerm":
  12: provider "azurerm" {
Operation failed: failed running terraform plan (exit 1)
Cause
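The Azure AD Graph API has been deprecated by Azure since September 1, 2024, and Azure has scheduled its full retirement for July 1, 2025. All new apps have been blocked from accessing Azure AD Graph since February 1, 2025. AzureRM provider versions 1.x and 2.x authenticate through Azure AD Graph (the graphrbac.ServicePrincipalsClient call shown in the error), so that request is now rejected with a 403.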
- See the announcement of Azure AD Graph API retirement from Azure for more details.
Solution
To resolve this issue, users must upgrade the AzureRM provider to version 3.x or higher. Starting with version 3.0.0, the provider uses the Microsoft Graph API for Azure authentication instead of the Azure AD Graph API. When upgrading to version 3.0.0, it is also recommended to upgrade Terraform to at least version 0.12.31. The next major release of the AzureRM provider (v4.0) will require Terraform 1.0 or later.
A Terraform configuration for AzureRM provider version 3.x and above looks like this:
terraform {
  required_version = "~> 0.12"
  required_providers {
    azurerm = "~>3.0"
  }
}
provider "azurerm" {
  features {}
  # client_id       = var.client_id
  # client_secret   = var.client_secret
  # tenant_id       = var.tenant_id
  # subscription_id = var.subscription_id
}
After upgrading to AzureRM version 3.x, the error message should disappear.
Terraform will perform the following actions:
  # azurerm_resource_group.example will be created
  + resource "azurerm_resource_group" "example" {
      + id       = (known after apply)
      + location = "eastus2"
      + name     = "test-resources"
    }
Plan: 1 to add, 0 to change, 0 to destroy.
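To find configurations that can still select a 1.x or 2.x AzureRM provider, the version constraints can be checked mechanically. The Python script below is an added example, not part of the original article or of any HashiCorp tooling; its function names and the sample configurations are constructed for illustration, and it treats a constraint as affected when its lower bound is below 3.0.

```python
import re

# Places an AzureRM version constraint can appear in Terraform configuration.
_NESTED = r'(?:[^{}]|\{[^{}]*\})*?'  # block body, allowing one level of nested blocks
PATTERNS = [
    # required_providers, short form: azurerm = "~>3.0"
    re.compile(r'\bazurerm\s*=\s*"([^"]+)"'),
    # required_providers, object form: azurerm = { source = ..., version = "..." }
    re.compile(r'\bazurerm\s*=\s*\{[^{}]*?\bversion\s*=\s*"([^"]+)"'),
    # legacy pin inside the provider block: provider "azurerm" { version = "..." }
    re.compile(r'provider\s+"azurerm"\s*\{' + _NESTED + r'\bversion\s*=\s*"([^"]+)"'),
]
CLAUSE = re.compile(r'\s*(~>|>=|<=|!=|=|>|<)?\s*v?(\d+(?:\.\d+)*)\S*\s*')

def azurerm_constraints(tf_text):
    """Return every AzureRM version constraint string found in the text."""
    return [m.group(1) for p in PATTERNS for m in p.finditer(tf_text)]

def permits_pre_v3(constraint):
    """True if the constraint's lower bound is below 3.0 (1.x or 2.x can be selected)."""
    lower = (0,)
    for clause in constraint.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m:
            return True  # unparseable clause: flag for manual review
        op = m.group(1) or "="
        version = tuple(int(p) for p in m.group(2).split("."))
        if op in ("=", ">=", ">", "~>"):  # only these operators raise the lower bound
            lower = max(lower, version)
    return lower[0] < 3

def audit(tf_text):
    """Pair each constraint found with whether it still permits a pre-3.x provider."""
    return [(c, permits_pre_v3(c)) for c in azurerm_constraints(tf_text)]

# Constructed sample: a legacy provider-block pin of the kind used with 2.x.
SAMPLE_LEGACY = '''
provider "azurerm" {
  features {}
  version = "=2.0.0"
}
'''

if __name__ == "__main__":
    for constraint, affected in audit(SAMPLE_LEGACY):
        print(constraint, "-> upgrade required" if affected else "-> ok")
```

A constraint such as ">= 2.50, < 4.0" is flagged even though it also allows 3.x, because an existing 2.x installation or lock file entry still satisfies it.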
