Unable to create azuread_application_registration with service principal credentials

[1oglop1]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

• provider registry.terraform.io/hashicorp/azuread v3.6.0

Affected Resource(s)

• azuread_application_registration

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.10"
    }
  }
}

provider "azuread" {
  # Azure AD provider configuration will use environment variables or Azure CLI
}


# Azure AD Application Registration
resource "azuread_application_registration" "aar" {
  display_name = "my-app-tf"
}

# Timer for propagation wait
resource "time_sleep" "wait_for_app_propagation" {
  create_duration = "5s"

  depends_on = [azuread_application_registration.aar]
}

output "app_client_id" {
  value       = azuread_application_registration.aar.client_id
  description = "The application client ID"
}

output "app_object_id" {
  value       = azuread_application_registration.aar.object_id
  description = "The application object ID"
}

Debug Output

Panic Output

Expected Behavior

Actual Behavior

Resource is created but not written to the state due to error

{"error":{"code":"Request_ResourceNotFound","message":"Resource '7b8d7f18-95d1-48b0-9d81-d2f820f90cfb' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2025-11-14T14:45:58","request-id":"314975ef-6bd3-49db-828e-0de63b3cad01","client-request-id":"314975ef-6bd3-49db-828e-0de63b3cad01"}}}
eventSink::Debug(<{%reset%}>{"error":{"code":"Request_ResourceNotFound","message":"Resource '7b8d7f18-95d1-48b0-9d81-d2f820f90cfb' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2025-11-14T14:45:58","request-id":"314975ef-6bd3-49db-828e-0de63b3cad01","client-request-id":"314975ef-6bd3-49db-828e-0de63b3cad01"}}}<{%reset%}>)
============================= End AzureAD Response ============================
eventSink::Debug(<{%reset%}>============================= End AzureAD Response ============================<{%reset%}>)
eventSink::Info(<{%reset%}>[DEBUG] Application (Application: "7b8d7f18-95d1-48b0-9d81-d2f820f90cfb") was not found - removing from state<{%reset%}>)
provider received rpc error `Unknown`: `expected non-nil error with nil state during Create of urn:pulumi:my-stack::my-pulumi-project::azuread:index/applicationRegistration:ApplicationRegistration::my-app`
rpc error kind `Unknown` may not be recoverable
Provider[azuread, 0xc0019bd7c0].Create(urn:pulumi:my-stack::my-pulumi-project::azuread:index/applicationRegistration:ApplicationRegistration::my-app) failed: expected non-nil error with nil state during Create of urn:pulumi:my-stack::my-pulumi-project::azuread:index/applicationRegistration:ApplicationRegistration::my-app
eventSink::Error(<{%reset%}>expected non-nil error with nil state during Create of urn:pulumi:my-stack::my-pulumi-project::azuread:index/applicationRegistration:ApplicationRegistration::my-app<{%reset%}>)

azuread_application_registration.bccom_bait_first: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to azuread_application_registration.my-app-tf, provider "provider[\"registry.terraform.io/hashicorp/azuread\"]" produced an unexpected new value: Root object was present, but now
│ absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Steps to Reproduce

0. Use Service Principal credentials inside kubernetes pod.
1. terraform apply

Important Factoids

References

• #0000

[1oglop1]

As discussed in the Slack, the resource probably needs to implement polling logic.

[Virrjet]

Im getting similar errors with azuread:index:ApplicationAppRole

[egsnowden]

@1oglop1 same here using the older azuread_application resource. Will follow up with more details that we capture

[ejohn20]

We are getting similar errors with a number of resources (groups, app registrations, and service principals). It seems like the API is having eventual consistency errors.

╷
│ Error: Waiting for update of `display_name` for Group (Group: "ba151456-2e43-4b9d-b305-2c1c32530b8a")
│ 
│   with azuread_group.aks_cluster_admin,
│   on ad.tf line 2, in resource "azuread_group" "aks_cluster_admin":
│    2: resource "azuread_group" "aks_cluster_admin" {
│ 
│ timeout while waiting for state to become 'Done' (last state: 'Waiting',
│ timeout: 19m43.736685135s)
╵
╷
│ Error: Waiting for update of `display_name` for Group (Group: "abbc55a7-06b7-4324-8072-0650569cae9b")
│ 
│   with azuread_group.aks_security_auditor,
│   on ad.tf line 13, in resource "azuread_group" "aks_security_auditor":
│   13: resource "azuread_group" "aks_security_auditor" {
│ 
│ context deadline exceeded
╵
╷
│ Error: Timed out whilst waiting for new service principal to be replicated in Azure AD
│ 
│   with azuread_service_principal.sp,
│   on ad.tf line 24, in resource "azuread_service_principal" "sp":
│   24: resource "azuread_service_principal" "sp" {
│ 
│ unexpected status 404 (404 Not Found) with error: Request_ResourceNotFound:
│ Resource '9fd6edd2-7213-4992-b7fc-9f26dae8443c' does not exist or one of
│ its queried reference-property objects are not present.
╵
╷
│ Error: Could not remove initial owner from application with object ID: "e2255937-812a-4492-9f51-79b9adfbba2c"
│ 
│   with azuread_application.app,
│   on ad.tf line 51, in resource "azuread_application" "app":
│   51: resource "azuread_application" "app" {
│ 
│ unexpected status 404 (404 Not Found) with error: Request_ResourceNotFound:
│ Resource 'e2255937-812a-4492-9f51-79b9adfbba2c' does not exist or one of
│ its queried reference-property objects are not present.
╵

These errors cause the resources to be tainted, which causes a loop of creating, failing, deleting, creating, and failing again. I had to use the terraform untaint command to remove the tainted resources and let Terraform update the objects instead. After importing a few things, the deployment succeeded.

[gerrytan]

Related discussion in Terraform-Azure slack: https://terraform-azure.slack.com/archives/CB9RVKPDL/p1763206913888229

[amro-acc]

Same issue. Any solution or work around for this?

[KurpLondon]

I'm so glad so many peoples are having the same issues. I've been running extensive testing for the last 2 weeks. my workflow was working flawlessly (azuread 3.6.0). Then all of the sudden, on Friday or Saturday last week I'm hitting this error on multiple resources. Basically it creates the resources but then when it tries to amend the name it says the resource is no longer there. I've experienced it with azuread_application_registration, azuread_application, azuread_group

I've tried with different account, different subscription and different tenants I hit the same issue all the time. Below I'm just creating a app registration. Nothing else created previously

│

SAML> tofu destroy --auto-approve

No changes. No objects need to be destroyed.

Either you have not created any objects yet or the existing objects were already deleted outside of OpenTofu.

SAML> tofu apply --auto-approve

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

• create

OpenTofu will perform the following actions:

azuread_application_registration.checkpoint_app will be created

• resource "azuread_application_registration" "checkpoint_app" {
  • client_id = (known after apply)
  • disabled_by_microsoft = (known after apply)
  • display_name = "CheckPoint-SP-SAML"
  • id = (known after apply)
  • object_id = (known after apply)
  • publisher_domain = (known after apply)
  • requested_access_token_version = 2
  • sign_in_audience = "AzureADMyOrg"
    }

random_uuid.sp_guid will be created

• resource "random_uuid" "sp_guid" {
  • id = (known after apply)
  • result = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.
random_uuid.sp_guid: Creating...
random_uuid.sp_guid: Creation complete after 0s [id=a5233b3c-c8b4-c484-6983-0cb3da1cc9c5]
azuread_application_registration.checkpoint_app: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to azuread_application_registration.checkpoint_app, provider "provider["registry.opentofu.org/hashicorp/azuread"]" produced an unexpected new value: root object was present, but now absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

[talksinmath]

Same here. Code that worked previously now does not anymore - I'm trying to create a new deployment with identical resources.

I'm seeing an app registration being created with a name like "TERRAFORM_UPDATE_3a4f5e14-7de4-c178-4151-8023abc6ee08" while the terraform returns errors like this:

Error: Could not remove initial owner from application with object ID: "3e0191cb-fcb9-44d0-896c-41610946adcd"
with azuread_application.xyz-registration
on app-registration.tf line 13, in resource "azuread_application" "xyz-registration":
resource "azuread_application" "xyz-registration" {
unexpected status 404 (404 Not Found) with error: Request_ResourceNotFound: Resource '3e0191cb-fcb9-44d0-896c-41610946adcd' does not exist or one of its queried reference-property objects are not present.

Over my trying to fix this error in the last our, I also saw the errors posted above.

UPDATE: using azuread provider 3.7 did NOT fix the problem.

Also, I cannot create Entra Groups anymore. Something is very off here.

[KurpLondon]

This is clearly an issue of eventual consistency. I wonder if this is down to a specific region or global. I'm in UK South. Others ?

[talksinmath]

West Germany.

[alesiamaramygina-a11y]

I am getting the same issue, sometimes with different resources, for example:

1. Timed out whilst waiting for new service principal to be replicated in Azure AD:
2. Could not remove initial owner from application with object ID: <app_id>,
3. etc.

Each of them ending with Request_ResourceNotFound: Resource <resource_id> does not exist or one of its queried reference-property objects are not present.

Added numerous time_sleeps, but it did not help. Also noticed the same thing as mentioned before with app registrations having names like "TERRAFORM_UPDATE_...". I am working in westus2 region.

What helped me to get out of this situation is to manually remove the resource from state and then import it back to the state by id:

terraform state rm module.ad_account.azuread_application.databricks
terraform import "${TF_VAR_ARGS[@]}" module.ad_account.azuread_application.databricks "/applications/<app_id>"

upd: which is of course a temporary workaround

[KurpLondon]

I am getting the same issue, sometimes with different resources, for example:

1. Timed out whilst waiting for new service principal to be replicated in Azure AD:
2. Could not remove initial owner from application with object ID: <app_id>,
3. etc.

Each of them ending with Request_ResourceNotFound: Resource <resource_id> does not exist or one of its queried reference-property objects are not present.

Added numerous time_sleeps, but it did not help. Also noticed the same thing as mentioned before with app registrations having names like "TERRAFORM_UPDATE_...". I am working in westus2 region.

What helped me to get out of this situation is to manually remove the resource from state and then import it back to the state by id:

terraform state rm module.ad_account.azuread_application.databricks
terraform import "${TF_VAR_ARGS[@]}" module.ad_account.azuread_application.databricks "/applications/<app_id>"

Yeah the sleep timers won't help as the failure is occurring during a resource creation and is not the result of inter resources dependencies . Within a resource, the provider first makes an API call to create the resource, then a read or update API call to check/amend the resource (i.e like the display Name issue you pointed "TERRAFORM_UPDATE_" temp name ) but when it does that, the resource is not yet available and the API returns a 404.

The provider should include a sleep time between API calls of a resource to make sure AzureAD had a chance to replicate/propagate the changes.

the import is hardly an option. Fine for a resource but when you have dozens to deploy ...

[talksinmath]

this was working perfectly fine - does anybody have an idea what broke this?
if it is in the provider, is there a working version we can go back to ?