Vault-Azure Credentials integration Bug & Workaround [Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError]

│ Error: Error building account: Error getting authenticated object ID: Error listing Service Principals: autorest.DetailedError{Original:adal.tokenRefreshError{message:"adal: Refresh request failed. Status Code = '400'. Response body: {\"error\":\"unauthorized_client\",\"error_description\":\"AADSTS700016: Application with identifier 'abc1234' was not found in the directory 'efg576'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\\r\\nTrace ID: jrwfkhwr48\\r\\nCorrelation ID: 83ijwb3493434i\\r\\nTimestamp: 2021-07-20 12:33:12Z\",\"error_codes\":[700016],\"timestamp\":\"2021-07-20 16:33:12Z\",\"trace_id\":\"848484hfhwkjw\",\"correlation_id\":\"sjkvsflkjfdkjfs\",\"error_uri\":\"https://login.microsoftonline.com/error?code=700016\"} Endpoint https://login.microsoftonline.com/smdbcsdjhmsdfkhsf/oauth2/token?api-version=1.0", resp:(*http.Response)(0xc001941950)}, PackageType:"azure.BearerAuthorizer", Method:"WithAuthorization", StatusCode:400, Message:"Failed to refresh the Token for request to https://graph.windows.net/msdsfmfbsh/servicePrincipals?%24filter=appId+eq+%0599593547%27&api-version=1.6", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc001941950)}
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on <your-tf-config-file>.tf line x, in provider "azurerm":
│ x: provider "azurerm" {
│ 

You can also see the error above sometimes when using the "vault_azure_access_credentials" data source with AzureRM [a].

Please see the References section below for links.

Cause

This is due to an Azure-Vault integration bug that is currently being worked on by our Engineers.

HashiCorp Internal Bug ID: 1200394246616755

Workaround

Pending the time a fix is implemented, please use any of these 2 workarounds:

1. Guaranteed Performance - Using AzureRM credentials without the Vault integration

Pending the time the bug is fixed, we advise using the AzureRM credential options listed in the Registry [b1/2] without the Vault integration. Please see [b-1] for the AzureRM provider, and [b-2] for the AzureAD provider.

We understand this option might not be ideal, but pending the time the bug is fixed, this option is the least-impacting to your operations and the best workaround.

2. Improved Performance - Keeping the Azure-Vault integration (requires migrating AD resources to the AzureAD provider)

If you'd like to keep the Azure-Vault integration, there's a marked improvement in the reduction of intermittent errors if you enable the Microsoft Graph API beta setting in the AzureAD providers block like so:

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
      version = ">= 1.5.0, < 2.0.0"
    }
  }
}

provider "azuread" {
  use_microsoft_graph = true
  // Other AzureAD provider config details here.
}

NOTE: To take advantage of the Microsoft API Graph solution, you'll need to migrate your AD-related resources to the AzureAD provider. This is because:

• From AzureAD provider version 2.0.0 and up, all AD-related resources in the AzureRM provider will be moved to the AzureAD provider. You can find the comment by one of our Engineers on a related issue here [c].
• The new Microsoft Graph API is supported in beta for AzureAD provider versions 1.5 and higher, but will be fully-supported fully in version 2.0.0 and up, and the old/existing Azure Active Directory Graph API will no longer supported. You can find more about this here [d] & [e].
• To move resources from one provider to another, please see our documentation guide here [f].

 If you have more questions regarding this bug, please feel free to contact:

• HashiCorp Support - for Enterprise Customers
• The respective AzureRM, Vault or AzureAD provider's page - for Community/OpenSource Customers.