I’ve successfully configured Azure AD authentication manually through the Azure portal for my web app but I’m struggling to automate it with Terraform.
Setup Details
- Manual Configuration in Azure Portal: Works as expected. (Attached is a screenshot of the setup.)
- Terraform Configuration: Encountering issues with Identity and Tenant requirements that do not reflect the manual setup. Specifically:
- a) Identity Requirement defaults to “Specific Identities”, but I need it to be “Any Identity”.
- b) Tenant Requirement defaults to “Use default restrictions based on issuer”. I need to specify two tenants — one where the app is and another where AAD is located.
Current Behavior
After setting up authentication via Terraform, successful AAD login results in:
Error Message: “HTTP ERROR 500”
URL after login: https://.azurewebsites.net/.auth/login/aad/callback
My setup is in the attached picture.
When I configure it with Terraform, “Identity requirement” is set to “Specific identities” and the list is empty.
Also, Tenant requirements are set to default restrictions based on the issuer. To make it work I had to add two tenants – one where the app lives and a second where AAD lives.
My terraform is pasted below.
Questions:
- Is there a way to configure “Allowed Tenants” via Terraform?
- Is there a way to set the “Identity Requirement” to “Any Identity” using Terraform? I tried empty lists and omitting the parameters and always ended up with “Specific identities”.
- After creating the authentication via Terraform, I tried manually adjusting both settings as they should be, and it still didn’t work. I had to remove it and create it manually from scratch to make it work. What might be causing that?
resource "azurerm_linux_web_app" "my_web_app" {
  service_plan_id     = azurerm_service_plan.my_app_serive_plan.id
  name                = local.my_web_app_name
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  site_config {
    application_stack {
      python_version = "3.11"
    }
  }

  app_settings = {
    # Client secret that Easy Auth reads through client_secret_setting_name below
    "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET" = var.web_app_client_secret
    ...
  }

  # Pin the secret to this slot so a slot swap does not carry it across
  sticky_settings {
    app_setting_names = ["MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"]
  }

  auth_settings_v2 {
    auth_enabled           = true
    default_provider       = "aad"
    require_authentication = true
    require_https          = true
    unauthenticated_action = "RedirectToLoginPage"

    login {
      token_store_enabled = true
    }

    active_directory_v2 {
      client_id                  = var.web_app_client_id
      tenant_auth_endpoint       = "https://login.microsoftonline.com/${var.auth_tenant_id}/v2.0/"
      client_secret_setting_name = "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"
      allowed_applications = [
        "https://${local.my_web_app_name}.azurewebsites.net"
      ]
      # allowed_identities = [ ]
      # tenants = ["...", "..." ]
    }
  }

  identity {
    type = "SystemAssigned"
  }
}
[Screenshot: working manual setup]
Docs: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_web_app#active_directory_v2
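One way to narrow down the third question (why a Terraform-created configuration still fails after being edited by hand) is to export the effective authsettingsV2 document of the Terraform-managed app and of the manually configured app and diff only the fields that decide who may log in. The script below is an added example, not code from the question or from the azurerm provider. It assumes the two documents are the `properties` object of the `Microsoft.Web/sites/config/authsettingsV2` resource (for a real app that is what `az rest --method post --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Web/sites/<app>/config/authsettingsV2/list?api-version=2022-03-01"` returns); the two sample documents embedded here are constructed, with placeholder tenant and client values. The diff deliberately distinguishes a key that is absent from one that is present with an empty list, because that is exactly the case the question reports (an empty identities list still rendering as “Specific identities”).

```python
"""Diff two App Service authsettingsV2 documents on the fields that decide
who is allowed to log in through the AAD provider.

Added example; the sample documents are constructed, not real exports."""
import copy
import json
from typing import Any

# Sentinel that keeps "key absent" distinct from "key present but empty":
# [] and a missing key are not the same state in the exported document.
MISSING = object()

AAD = "identityProviders.azureActiveDirectory"
PRINCIPALS = f"{AAD}.validation.defaultAuthorizationPolicy.allowedPrincipals"

# Dotted paths (relative to the authsettingsV2 "properties" object) that
# govern the login decision: issuer/tenant, audiences, applications, principals.
AUTHZ_PATHS = [
    "globalValidation.requireAuthentication",
    "globalValidation.unauthenticatedClientAction",
    f"{AAD}.registration.clientId",
    f"{AAD}.registration.openIdIssuer",
    f"{AAD}.validation.allowedAudiences",
    f"{AAD}.validation.defaultAuthorizationPolicy.allowedApplications",
    f"{PRINCIPALS}.identities",
    f"{PRINCIPALS}.groups",
]


def get_path(doc: dict, path: str) -> Any:
    """Walk a dotted path; return MISSING if any segment is absent."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return MISSING
        cur = cur[key]
    return cur


def diff_auth_settings(left: dict, right: dict, paths=AUTHZ_PATHS) -> dict[str, tuple[Any, Any]]:
    """Return {path: (left_value, right_value)} for every path whose values differ."""
    out: dict[str, tuple[Any, Any]] = {}
    for p in paths:
        lv, rv = get_path(left, p), get_path(right, p)
        if lv != rv:
            out[p] = (lv, rv)
    return out


def describe(value: Any) -> str:
    return "<absent>" if value is MISSING else json.dumps(value)


def report(diff: dict[str, tuple[Any, Any]], left_name="terraform", right_name="manual") -> list[str]:
    """One human-readable entry per differing path."""
    return [
        f"{p}\n  {left_name}: {describe(lv)}\n  {right_name}: {describe(rv)}"
        for p, (lv, rv) in sorted(diff.items())
    ]


# Constructed sample: what a Terraform-managed app might export. Placeholders
# (TENANT_A, CLIENT_ID_PLACEHOLDER, myapp) stand in for real values.
TERRAFORM_DOC = {
    "globalValidation": {
        "requireAuthentication": True,
        "unauthenticatedClientAction": "RedirectToLoginPage",
    },
    "identityProviders": {
        "azureActiveDirectory": {
            "registration": {
                "clientId": "CLIENT_ID_PLACEHOLDER",
                "openIdIssuer": "https://login.microsoftonline.com/TENANT_A/v2.0/",
                "clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
            },
            "validation": {
                "allowedAudiences": ["api://CLIENT_ID_PLACEHOLDER"],
                "defaultAuthorizationPolicy": {
                    "allowedApplications": ["https://myapp.azurewebsites.net"],
                    # present, but empty lists
                    "allowedPrincipals": {"identities": [], "groups": []},
                },
            },
        }
    },
}

# Constructed sample of the hand-made app: identical except that the
# allowedPrincipals object is not present at all.
MANUAL_DOC = copy.deepcopy(TERRAFORM_DOC)
del MANUAL_DOC["identityProviders"]["azureActiveDirectory"]["validation"][
    "defaultAuthorizationPolicy"]["allowedPrincipals"]


if __name__ == "__main__":
    for line in report(diff_auth_settings(TERRAFORM_DOC, MANUAL_DOC)):
        print(line)
```

Run it against the two real exports (load each JSON file and pass its `properties` object) and every line it prints is a field worth checking in the portal before assuming the Terraform block is equivalent to the manual one.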