"Failed to read data source" when creating authenticationContextClassReferences

[oocx]

I try to create a conditional access authentication context. I use the following code:

resource "msgraph_update_resource" "authctx_pim_role_activation" {
  url        = "identity/conditionalAccess/authenticationContextClassReferences/c2"
  api_version = "v1.0"
  body = {
    displayName = "Privileged Identity Management: Role Activation"
    description = "This context is used to apply conditional access policies to Privileged Identity Management (PIM) activations."
    isAvailable = true
  }

}

However, apply fails with this error:

Error: Failed to read data source
│ 
│   with module.conditional_access.msgraph_update_resource.authctx_pim_role_activation,
│   on conditional_access/main.tf line 64, in resource "msgraph_update_resource" "authctx_pim_role_activation":
│   64: resource "msgraph_update_resource" "authctx_pim_role_activation" {
│ 
│ GET
│ https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences/c2
│ --------------------------------------------------------------------------------
│ RESPONSE 201: 201 Created
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│   "@odata.context": "[https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/authenticationContextClassReferences/$entity",](https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/authenticationContextClassReferences/$entity%22,)
│   "id": "c2",
│   "displayName": "Privileged Identity Management: Role Activation",
│   "description": "This context is used to apply conditional access policies to Privileged Identity Management (PIM) activations.",
│   "isAvailable": true
│ }

The authentication context was created successfully even though terraform reports an error.

[ChristopheLux]

Hello @oocx

How do you login to graph for terraform: through an Service Principal or do you test with your own account?

[theheatDK]

Hi,
I have tested the above code using a user signed in via Azure CLI.

This fails because the App Reg used by Azure CLI are missing some scopes.

Until this is fixed the MSGRAPH provider is not really usable if you work in an organization with focus on security.

Anyway the conclusion must be that @oocx has used a Service Principal not his own account.

terraform apply "main.tfplan"
msgraph_update_resource.authctx_pim_role_activation: Creating...
╷
│ Error: Failed to create resource
│
│   with msgraph_update_resource.authctx_pim_role_activation,
│   on main.tf line 1, in resource "msgraph_update_resource" "authctx_pim_role_activation":
│    1: resource "msgraph_update_resource" "authctx_pim_role_activation" {
│
│ PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences/c2
│ --------------------------------------------------------------------------------
│ RESPONSE 403: 403 Forbidden
│ ERROR CODE: AccessDenied
│ --------------------------------------------------------------------------------
│ {
│   "error": {
│     "code": "AccessDenied",
│     "message": "You cannot perform the requested operation, required scopes are missing in the token.",
│     "innerError": {
│       "date": "2025-10-21T13:29:16",
│       "request-id": "ee55c5f6-1b5e-4347-842f-9bf6dd1ae095",
│       "client-request-id": "ee55c5f6-1b5e-4347-842f-9bf6dd1ae095"
│     }
│   }
│ }
│ --------------------------------------------------------------------------------```

[theheatDK]

I just tested using a Service principal and experience the same as @oocx. I get an error but the authentication context is created.

terraform apply "main.tfplan"
msgraph_update_resource.authctx_pim_role_activation: Creating...
╷
│ Error: Failed to read data source
│
│   with msgraph_update_resource.authctx_pim_role_activation,
│   on main.tf line 1, in resource "msgraph_update_resource" "authctx_pim_role_activation":
│    1: resource "msgraph_update_resource" "authctx_pim_role_activation" {
│
│ GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/authenticationContextClassReferences/c3
│ --------------------------------------------------------------------------------
│ RESPONSE 201: 201 Created
│ ERROR CODE UNAVAILABLE
│ --------------------------------------------------------------------------------
│ {
│   "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/authenticationContextClassReferences/$entity",
│   "id": "c3",
│   "displayName": "Require Reauth",
│   "description": "Require the user to reauthenticate - Password + MFA",
│   "isAvailable": true
│ }
│ --------------------------------------------------------------------------------

[ChristopheLux]

I tried to add the scope to Azure Cli but I still have the error...
(Delegated version)
id 04bXXX is the SPN of the Azure Cli I created in my tenant
az ad app permission grant --api 00000003-0000-0000-c000-000000000000 --id 04b0XXXX-XXX-XXXX-XXXX-XXXXXXXXXX --scope AuthenticationContext.ReadWrite.All

[oocx]

Hi! Sorry that I could not respond sooner.

@ChristopheLux I use a service principal, as we apply all our terraform configuration changes via Azure DevOps Services pipelines.

As a workaround, I am currently using the following approach:

resource "msgraph_resource_action" "authctx_pim_role_activation" {
  resource_url = "identity/conditionalAccess/authenticationContextClassReferences/c2"
  method       = "PATCH"

  body = {
    displayName = "Privileged Identity Management: Role Activation"
    description = "This context is used to apply conditional access policies to Privileged Identity Management (PIM) activations."
    isAvailable = true
  }
}

Using a resource action successfully creates the auth context. However, this approach does not detect any changes made to the context after creation. It's ok as a temporary workaround.

[ms-henglu]

HI @oocx ,

Thank you for taking time to report this issue and apologize for late response.

This issue is an upstream API issue, I've created this issue to track the root cause: microsoftgraph/msgraph-metadata#977

I'd also recommend to use the msgraph_resource_action as a workaround.