I'm the owner of an Azure subscription. If I create an Application, a Service Principal, and a corresponding Password with Pulumi, the application does not have a "Client Secret" in the Azure Portal.

Expected behavior

I thought the password is the "Client Secret" of an application – if so, a password created with Pulumi should show up in the Azure Portal.

Current behavior

It's not shown.

Steps to reproduce

const application = new azuread.Application('monitoring-reader-dev');
const servicePrincipal = new azuread.ServicePrincipal('monitoring-reader', {
	applicationId: application.applicationId,
});

const secret = new random.RandomString('monitoring-reader-secret', {
	length: 24,
});
const password = new azuread.ServicePrincipalPassword('monitoring-reader-password', {
	endDateRelative: '8760h',
	servicePrincipalId: servicePrincipal.id,
	value: secret.result,
});

If I'm not mistaken I just need a confirmation rather than a clue.
When I create AD artefact (ServicePrincipal, RoleAssigment etc) I have an option to pass CustomResourceOptions
in cosntructor, same as for provisiong other Azure resources.

I need to use custom options in order to pass subscription id as we have many of them.
SubscriptionId should be passed inside the provider so my question is: can it be any of the two Pulumi.Azure.Provider or Pulumi.AzureNextGen.Provider correct? Proper provider type play role when provisioning resources but with AD it can by any ?

Subscription & AD mix is a little bit opaque, you can't see it easily on Azure Portal I guess and by accident we can ommit it also with Pulumi. If subscription expires then principals lost access. So if I will not pass proper subscription id it will be taken from default (set by 'az account set') which may cause dramatic effects

In particular, it lists subscriptionId which isn't part of the upstream configuration https://registry.terraform.io/providers/hashicorp/azuread/latest/docs#argument-reference

Also, do we have a docs page that would describe how to configure Azure AD?

In the Python implementation of getGroup() we're warning people not to pass in the name as it's deprecated even if no name parameter is being used

Expected behavior

Should return the group without the warning

Current behavior

Returns error message:

Diagnostics:
  pulumi:pulumi:Stack (getgroup-python-dev):
    warning: name is deprecated: This property has been renamed to `display_name` and will be removed in v2.0 of this provider.
    warning: name is deprecated: This property has been renamed to `display_name` and will be removed in v2.0 of this provider.

Steps to reproduce

Python code:

import pulumi
from pulumi_azuread import get_group

get_group(display_name="groupname")

similar typescript code (which works):

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = pulumi.output(azuread.getGroup({
    displayName: "groupname",
    securityEnabled: true,
}, { async: true }));

This is a major change for us in Pulumi and will need to have some details added to the CHANGELOG

Is there an (easy) way to change the type of a reply URL for pulumi_azuread.Application?

In the Azure Portal, there are three main types (as used in the key replyUrlsWithType in the manifest) of redirect URIs; "Web", "Spa", and "native".
I've been unable to have the URIs be categorised as "Spa", as this is necessary to enable the PKCE code flow in Azure.

I am able to change it manually, and pulumi will not change it back, with I use as a workaround.

I'm trying to create a single-page application in azure ad, but I only find the web argument,

When created using the web property mentioned above I won't be marked as a SPA and I can't see the following message

that I do see on my manual registered apps.

Is there something I'm missing?

I am currently trying to add an App Service to an Azure Ad Group, but I am currently getting the error message below.

Current behavior

  azuread:index:GroupMember (exampleGroupMember):
    error: 1 error occurred:
        Adding group member: adding group member "11111111-1111-1111-1111-111111111111" to Group 
with ID "62cf0ccb-112e-460f-b180-ec2c44bf9367": graphrbac.GroupsClient#AddMember: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Request_ResourceNotFound","date":"2021-05-25T10:55:01","message":{"lang":"en","value":"Resource '11111111-1111-1111-1111-111111111111' does not exist or one of its queried reference-property objects are not present."},"requestId":"600782af-7167-4b01-909a-3d5d32b26f63"}}]

Steps to reproduce

import {Output} from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";
import { Locations } from "@pulumi/azure";

const exampleResourceGroup = new azure.core.ResourceGroup("exampleResourceGroup", {
    location: Locations.WestEurope,
});

const examplePlan = new azure.appservice.Plan("examplePlan", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    sku: {
        tier: "Standard",
        size: "S1",
    },
}, {
    dependsOn: [exampleResourceGroup]
});

const exampleAppService = new azure.appservice.AppService("exampleAppService", {
    location: exampleResourceGroup.location,
    resourceGroupName: exampleResourceGroup.name,
    appServicePlanId: examplePlan.id,
},{
    dependsOn: [examplePlan]
});

function principalId(appService: azure.appservice.AppService): Output<string> {
    // Work around a preview issue https://github.com/pulumi/pulumi-azure/issues/192
    return appService.identity.principalId.apply(id => id || '11111111-1111-1111-1111-111111111111');
}

const exampleAadGroup = new azuread.Group("exampleAadGroup",{
    displayName: 'grp-example'
}, {
    dependsOn: []
});

new azuread.GroupMember("exampleGroupMember", {
    groupObjectId: exampleAadGroup.id,
    memberObjectId: principalId(exampleAppService),
}, {
    dependsOn: [exampleAadGroup, exampleAppService]
});

Hi,

I could not find this but is there a way to create an application from manifest please?

For example, I cannot find the replyUrlWithType, and I have a scenario where I need to create reply URLs or type WEB and NativeClient, but current set up only allows for one using azuread.Application() with options reply_urls and type=native separately.
(If I was able to create from manifest - like I can do with PowerShell -, I could extract manifest from working app, stipe out what I do not need to explicitly set and run from there...)

For now, looks like I may need to create two apps.

Thank you for your guidance.

Dan

Hi @leezen,

Thank you for your response in the previous in issue #81 but we created this new issue to get to the root of the problem.

I have the credentials in my config Pulumi.dev.yml which were added as follows:

pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"

The thing that's bugging me is that the service principal credentials are initially recognized by pulumi as I can see in the debug entries. Running:

$ pulumi preview --debug

Presents us with the following:

Line 55.
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Using Service Principal / Client Secret for Authentication
debug: 2020/06/09 10:31:16 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant....

^^^ This shows that the service principal and the client secret configs were recognized.

Line 94.
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Managed Service Identity is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
debug: 2020/06/09 10:31:17 Using Obtaining a token from the Azure CLI for Authentication

^^^ And then Pulumi forgets about the service principal...

And, at the end, it's as if the service principal crendentials were never presented.

Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here: **** There's no link presented here.

    Alternatively you can authenticate using the Azure CLI by using a User Account.")

However, adding the service principal credentials as environment variables worked.

This has forced me to place the credentials in two places. The Pulumi.dev.yml and the environment variables. Not ideal.

After several hours on this, it seems that possibly the feedback to help the devops may be improved in some way to help us get to the source of the problem faster.

Can you help with this please?

Thanks

Originally posted by @fabiomilheiro in #81 (comment)

Hi,

I have created Azure application and Bot channel with pulumi using this link. But i'm getting Unauthorized error when try this application with Bot. i have tried Oauth2AllowImplicitFlow = false parameter but pulumi still add implicit grant setting

If I disable Implicit Grant setting from azure portal then Bot channel works fine. can you please guide how i can avoid this implicit grant setting from pulumi? thanks

I have the following error when trying to set the Owners property of an ApplicationArgs:

Error while adding owners to Azure AD applications with ID "****-****-****-***-****": 
Error adding owner "****-****-****-****-****" to Azure AD applications with ID "****-****-****-***-****":
graphrbac.ApplicationsClient#AddOwner: Failure responding to request: StatusCode=403 -- 
Original Error: autorest/azure: Service returned an error. 
Status=403 Code="Unknown" Message="Unknown service error" 
Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-05-13T10:54:33","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}]

By default, when not specified, the owner is set to the SP deploying the resources and it works fine. However if I try to set the Owners property with an InputList containing a user and my SP name, it fails.

It could be linked to this issue on terraform provider.

The single test in this repo creates a user with a statically-known name. If two executions of this test run concurrently, the test will fail like so:

Plan apply failed: Error creating User ("[email protected]"): graphrbac.UsersClient#Create: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Request_BadRequest","date":"2019-09-18T19:04:02","message":{"lang":"en","value":"Another object with the same value for property userPrincipalName already exists."},"requestId":"6f20c65d-05b4-4a55-9bda-83a38551e947","values":[{"item":"PropertyName","value":"userPrincipalName"},{"item":"PropertyErrorCode","value":"ObjectConflict"}]}}]

We should fix the test s.t. it uses a fresh name on each run.

Using pulumi-azuread 4.1.0 I get the following warning:

    warning: provider config warning: Deprecated Attribute

I never actually configure the provider and I get no indication of what the attribute in question is. I'm assuming it's metadata_host, but I don't see it on the stack as well.

Expected behavior

No warnings.

Current behavior

I get a warning related to a default configuration.

Steps to reproduce

Upgrade to pulumi-azuread 4.1.0 and just run anything.

Updated to pulumi-azuread 5.0.0

dotnet add package pulumi.AzureAD --version 5.0.0

now crashes when calling

var adApp = new Pulumi.AzureAD.Application(appName, new ApplicationArgs() { DisplayName = appName });

Regeneration of the provider gives us the following error:

go install -ldflags "-X github.com/pulumi/pulumi-azuread/pkg/version.Version=v0.18.3-dev.1562587268+g09109f6" github.com/pulumi/pulumi-azuread/cmd/pulumi-tfgen-azuread
vendor/github.com/Azure/go-autorest/autorest/adal/token.go:37:2: cannot find package "github.com/Azure/go-autorest/tracing" in any of:
    /home/travis/gopath/src/github.com/pulumi/pulumi-azuread/vendor/github.com/Azure/go-autorest/tracing (vendor tree)
    /home/travis/.gimme/versions/go1.12.6.linux.amd64/src/github.com/Azure/go-autorest/tracing (from $GOROOT)
    /home/travis/gopath/src/github.com/Azure/go-autorest/tracing (from $GOPATH)
make: *** [tfgen] Error 1

I'm currently working with both packages in my solution and according to the pulumi documentation the configuration for each package use the following variables:

pulumi-azure

• azure:clientId or ARM_CLIENT_ID
• azure:subscriptionId or ARM_SUBSCRIPTION_ID
• azure:tenantId or ARM_TENANT_ID
• azure:clientSecret or ARM_CLIENT_SECRET

pulumi-azuread

• azuread:clientId or ARM_CLIENT_ID
• azuread:subscriptionId or ARM_SUBSCRIPTION_ID
• azuread:tenantId or ARM_TENANT_ID
• azuread:clientSecret or ARM_CLIENT_SECRET
• azuread:certificatePassword or ARM_CLIENT_CERTIFICATE_PASSWORD
• azuread:clientCertificatePath or ARM_CLIENT_CERTIFICATE_PATH
• azuread:environment or ARM_ENVIRONMENT

Would it make sense to rename azuread:* to azure:* because they use the same environment variables?

Azure allows setting 3 different optional claim types: idToken, accessToken and saml2Token.
See: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#optionalclaims-type

Looking at Pulumi.AzureAD.Outputs, only idToken and accessToken seem to be supported:
https://github.com/pulumi/pulumi-azuread/blob/ace17ccb1de2b8308b03f8fbef73ee82fa5f99d8/sdk/dotnet/Outputs/ApplicationOptionalClaims.cs

saml2Token should be added to maintain 100% coverage of Azure.

Ping @mikhailshilkov

Tracking items for release:

• Depend on the most recent release of the upstream Terraform provider and have mapped all data sources and resources which make sense.
• Have the various configuration options for the provider listed in the README file such that package consumers can easily find them.
• Have documentation ready to publish (in the pulumi/docs repo)
• Have at least one example running in CI against the provider
• Tag a version and ensure it's published as latest

At the bottom of the readme.md file, there's a link that leads to nowhere.

Please find "the AzureAD provider docs" at the end: https://github.com/pulumi/pulumi-azuread/blob/master/README.md

TLDR; does auto-naming no longer work with AzureAD 3.0?

Groups created with AzureAD < 3.0 can't easily be managed with AzureAD >= 3.0. Here's an example:

// with AzureAD v 2.6.0 or lower
var group = new Group("my-group", new GroupArgs()
{
    Description = "description-of-group"
});
// creates a group that's actually named something like "my-groupb3e7f11"

// with AzureAD v 3.0.0 or higher
var group = new Group("my-group", new GroupArgs()
{
    Description = "description-of-group"
});

pulumi up then gives you this error:

error: azuread:index/group:Group resource 'my-group' has a problem: ExactlyOne: "display_name": one of `display_name,name` must be specified
    error: azuread:index/group:Group resource 'my-group' has a problem: ExactlyOne: "name": one of `display_name,name` must be specified

so I try to specify the exact group name:

var group = new Group("my-group", new GroupArgs()
{
    DisplayName = "my-groupb3e7f11",
    Description = "description-of-group"
});

pulumi up then wants to replace the existing group:

++azuread:index/group:Group: (create-replacement)
        [id=....]
        [urn=urn:pulumi:stackName::stack::azuread:index/group:Group::my-group]
        [provider: urn:pulumi:stackName::stack::pulumi:providers:azuread::default_2_4_0::0000000 => urn:pulumi:stackName::stack::pulumi:providers:azuread::default_3_4_0::output<string>]
      + displayName: "my-groupb3e7f11"

trying again with Name instead:

var group = new Group("my-group", new GroupArgs()
{
    Name = "my-groupb3e7f11",
    Description = "description-of-group"
});

and finally that works, but:

• now i'm stuck with the hardcoded group name, so auto naming doesn't work
• I also get a warning that I'm using a deprecated property

azuread:index:Group        my-group                                                 [diff: ~__defaults,provider]; 1 warning

azuread:index:Group (my-group):
    warning: urn:pulumi:stackName::stack::azuread:index/group:Group::my-group verification warning: Deprecated Attribute

Additionally, I tried using pulumi import to see exactly what code I should be using, but it breaks in the same way:

azuread:index:Group (my_group):
    error: azuread:index/group:Group resource 'my_group' has a problem: ExactlyOne: "name": one of `display_name,name` must be specified
    error: azuread:index/group:Group resource 'my_group' has a problem: ExactlyOne: "display_name": one of `display_name,name` must be specified

This will be based on the Pulumi 3.0.0-beta.1

Create a new provider and pass in required clientID, client secret and tenant ID. Pulumi up shows metadatahost is required.

Cannot determine what is the correct input for this field that will allow successful login

https://www.pulumi.com/docs/intro/cloud-providers/azuread/ links to https://www.pulumi.com/docs/intro/cloud-providers/azure-classic/setup/ for the setup. As far as I know, we have to use azuread:* not azure:* as it's based on the provider name. If I'm wrong, please let me know.

I'm trying to set up IaC via Pulumi.

One of the challenges is to set up appropriate permissions.

So I needed to get an Azure AD group object id:

var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators"
        }));

However, I got the following error:

PS C:\dev\___> pulumi preview
Previewing update (dev):
     Type                 Name          Plan     Info
     pulumi:pulumi:Stack  Frontend-dev           1 error

Diagnostics:
  pulumi:pulumi:Stack (Frontend-dev):
    error: Running program 'C:\dev\___\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
    Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here: (THERE IS NO LINK HERE)

    Alternatively you can authenticate using the Azure CLI by using a User Account.")
       at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
       at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
       at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
       at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
       at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
       at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
       at Pulumi.Deployment.SerializeAllPropertiesAsync(String label, IDictionary`2 args)
       at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
       at Pulumi.Deployment.Runner.WhileRunningAsync()

There's no link where it was supposed to be.

Somewhere in the documentation, we're asked to put the credentials in the Pulumi.<stack>.yml via pulumi config set commands which led me to believe that that should be enough.

However, it seems to me now that we must have the credentials also set up as environment variables.

In powershell, you may type the following:

$env:ARM_CLIENT_ID="0000000000000000000000000"
$env:ARM_CLIENT_SECRET="0000000000000000000000000"
$env:ARM_TENANT_ID="0000000000000000000000000"
$env:ARM_SUBSCRIPTION_ID="0000000000000000000000000"

After doing that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.

Could this be sorted please? Is it expected that we duplicate the credentials or is there a better way?

Original question:
https://stackoverflow.com/questions/62259552/how-to-get-group-in-azure-ad-in-pulumi/62263761#62263761

I try to import the resource below with pulumi import, but it fails with error

error: azuread:index/application:Application resource 'aada-test' has a problem: ExactlyOne: "display_name": one of display_name,name must be specified. Examine values at 'Application.DisplayName'.
error: azuread:index/application:Application resource 'aada-test' has a problem: ExactlyOne: "name": one of display_name,name must be specified. Examine values at 'Application.Name'.
error: Preview failed: one or more inputs failed to validate
error: preview failed

{
    "type": "azuread:index/application:Application",
    "name": "aada-test",
    "id": "<objectId>"
}

Doing the same thing with the service principal works.

{
    "type": "azuread:index/servicePrincipal:ServicePrincipal",
    "name": "aadsp-test",
    "id": "<objectId>"
}

Hi,

I just created a new B2C tenant in Azure. I don't expect Pulumi to help me create it. But what I ask is that in order to use this tenant, I need to add a link in the Resource Group of my project.

How can I do that with Pulumi? I want to be able to have this tenant link side by side with my other resources (Storage Account, Azure App Service, etc...).

I updated from 1.7.0 to 2.3.0, now my pulumi refresh fails with

 azuread:index:ServicePrincipalPassword (psd-mes-aks-service-principal-password):
    error: Preview failed: refreshing urn:pulumi:dev::customerdeployments::azuread:index/servicePrincipalPassword:ServicePrincipalPassword::psd-mes-aks-service-principal-password: Error parsing Application Password ID: Credential ID should be in the format {objectId}/{keyType}/{keyId} - but got "12345678-1234-1234-1234-012345678901/12345678-1234-1234-1234-012345678901"

(I replaced the actual id with 1234, but the format is the same)

Source code:

const spPassword = "...";

    const aksApp = new azuread.Application(`${prefix}-aks-app`, { name: `${prefix}-aks-app` });

    const aksServicePrincipal = new azuread.ServicePrincipal(`${prefix}-aks-service-principal`, { applicationId: aksApp.applicationId });

    const aksPassword = new azuread.ServicePrincipalPassword(`${prefix}-aks-service-principal-password`, {
        servicePrincipalId: aksServicePrincipal.id,
        value: spPassword,
        endDate: "2099-01-01T00:00:00Z"
    });

Environment

OS: Windows 10 1809 x64
Pulumi version: v2.4.0
Pulumi-azuread: 2.3.0
Node: v12.16.1

I'm just starting a new project so pulled in the latest version which happened to be v3.0.0

Creating a new azuread app works under 2.6.1 as simply.
const test = new azuread.Application("test", undefined);

But under 3.0.0 this now results in an error: TypeError: pulumi.runtime.registerResourceModule is not a function

pulumi preview --debug
Previewing update (prod):
debug: AzureRM Client User Agent: HashiCorp Terraform/0.11+compatible (+https://www.terraform.io) Terraform Plugin SDK/1.10.0 terraform-provider-azuredevops/dev
debug: 2020/12/08 19:15:33 getAzdoClient(): Created core, build, operations, and serviceendpoint clients successfully!
debug: Registering resource: t=pulumi:pulumi:Stack, name=azure-devops-prod, custom=false, remote=false
debug: RegisterResource RPC prepared: t=pulumi:pulumi:Stack, name=azure-devops-prod
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:prod::azure-devops::pulumi:pulumi:Stack::azure-devops-prod]
debug: RegisterResource RPC finished: resource:azure-devops-prod[pulumi:pulumi:Stack]; err: null, resp: urn:pulumi:prod::azure-devops::pulumi:pulumi:Stack::azure-devops-prod,,,,
debug: Running program '/Users/chrismurray/git/Infrastructure/pulumi/azure-devops' in pwd '/Users/chrismurray/git/Infrastructure/pulumi/azure-devops' w/ args:
debug: RegisterResourceOutputs RPC prepared: urn=urn:pulumi:prod::azure-devops::pulumi:pulumi:Stack::azure-devops-prod
error: Running program '/Users/chrismurray/git/Infrastructure/pulumi/azure-devops' failed with an unhandled exception:
TypeError: pulumi.runtime.registerResourceModule is not a function
    at Object.<anonymous> (/Users/chrismurray/git/Infrastructure/pulumi/azure-devops/node_modules/@pulumi/index.ts:82:16)
    at Module._compile (node:internal/modules/cjs/loader:1102:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1131:10)
    at Module.load (node:internal/modules/cjs/loader:967:32)
    at Function.Module._load (node:internal/modules/cjs/loader:807:14)
    at Module.require (node:internal/modules/cjs/loader:991:19)
    at require (node:internal/modules/cjs/helpers:92:18)
    at Object.<anonymous> (/Users/chrismurray/git/Infrastructure/pulumi/azure-devops/index.ts:3:1)
    at Module._compile (node:internal/modules/cjs/loader:1102:14)
    at Module.m._compile (/Users/chrismurray/git/Infrastructure/pulumi/azure-devops/node_modules/ts-node/src/index.ts:439:23)
debug: RegisterResourceOutputs RPC finished: urn=urn:pulumi:prod::azure-devops::pulumi:pulumi:Stack::azure-devops-prod; err: null, resp:

Reverting to v2.6.1 resolves the issue.

ApplicationApiOauth2PermissionScopeArgs has an Id field that says it is a computed field. However, when I run pulumi up with this code:

 Api = new ApplicationApiArgs
                    {
                        Oauth2PermissionScopes = new ApplicationApiOauth2PermissionScopeArgs
                        {
                            AdminConsentDescription =
                                $"Allow the application to access {Constants.ResourcePrefixes.ActiveDirectory.ServicePrincipal}-{inputArguments.AppServiceName} on behalf of the signed-in user.",
                            AdminConsentDisplayName =
                                $"Access {Constants.ResourcePrefixes.ActiveDirectory.ServicePrincipal}-{inputArguments.AppServiceName}",
                            Type = "User",
                            UserConsentDescription =
                                $"Allow the application to access {Constants.ResourcePrefixes.ActiveDirectory.ServicePrincipal}-{inputArguments.AppServiceName} on your behalf.",
                            UserConsentDisplayName =
                                $"Access {Constants.ResourcePrefixes.ActiveDirectory.ServicePrincipal}-{inputArguments.AppServiceName}",
                            Value = "user_impersonation"
                        }
                    }

I get the error: System.ArgumentNullException: [Input] Pulumi.AzureAD.Inputs.ApplicationApiOauth2PermissionScopeArgs.Id is required but was not given a value (Parameter 'Id')

It seems like it either isn't computing properly or it isn't really computed anymore.

Using Pulumi.AzureAD version 4.3.0