hashicorp · katbyte · Aug 21, 2019 · Jul 24, 2019 · Jul 25, 2019 · Jul 25, 2019
diff --git a/azuread/resource_service_principal.go b/azuread/resource_service_principal.go
@@ -21,6 +21,7 @@ func resourceServicePrincipal() *schema.Resource {
 	return &schema.Resource{
 		Create: resourceServicePrincipalCreate,
 		Read:   resourceServicePrincipalRead,
+		Update: resourceServicePrincipalUpdate,
 		Delete: resourceServicePrincipalDelete,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
@@ -44,6 +45,11 @@ func resourceServicePrincipal() *schema.Resource {
 				Computed: true,
 			},
 
+			"app_role_assignment_required": {
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
+
 			"oauth2_permissions": graph.SchemaOauth2Permissions(),
 
 			"tags": {
@@ -71,6 +77,11 @@ func resourceServicePrincipalCreate(d *schema.ResourceData, meta interface{}) er
 		// given there's no way to change it - we'll just default this to true
 		AccountEnabled: p.Bool(true),
 	}
+
+	if v, ok := d.GetOk("app_role_assignment_required"); ok {
+		properties.AppRoleAssignmentRequired = p.Bool(v.(bool))
+	}
+
 	if v, ok := d.GetOk("tags"); ok {
 		properties.Tags = tf.ExpandStringSlicePtr(v.(*schema.Set).List())
 	}
@@ -94,6 +105,23 @@ func resourceServicePrincipalCreate(d *schema.ResourceData, meta interface{}) er
 	return resourceServicePrincipalRead(d, meta)
 }
 
+func resourceServicePrincipalUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).servicePrincipalsClient
+	ctx := meta.(*ArmClient).StopContext
+
+	var properties graphrbac.ServicePrincipalUpdateParameters
+
+	if d.HasChange("app_role_assignment_required") {
+		properties.AppRoleAssignmentRequired = p.Bool(d.Get("app_role_assignment_required").(bool))
+	}
+
+	if _, err := client.Update(ctx, d.Id(), properties); err != nil {
+		return fmt.Errorf("Error patching Azure AD Service Principal with ID %q: %+v", d.Id(), err)
+	}
+
+	return resourceServicePrincipalRead(d, meta)
+}
+
 func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*ArmClient).servicePrincipalsClient
 	ctx := meta.(*ArmClient).StopContext
@@ -113,6 +141,7 @@ func resourceServicePrincipalRead(d *schema.ResourceData, meta interface{}) erro
 	d.Set("application_id", app.AppID)
 	d.Set("display_name", app.DisplayName)
 	d.Set("object_id", app.ObjectID)
+	d.Set("app_role_assignment_required", app.AppRoleAssignmentRequired)
 
 	// tags doesn't exist as a property, so extract it
 	if err := d.Set("tags", app.Tags); err != nil {

diff --git a/azuread/resource_service_principal_test.go b/azuread/resource_service_principal_test.go
@@ -27,6 +27,7 @@ func TestAccAzureADServicePrincipal_basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(resourceName, "display_name"),
 					resource.TestCheckResourceAttrSet(resourceName, "application_id"),
 					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "app_role_assignment_required", "false"),
 					resource.TestCheckResourceAttr(resourceName, "oauth2_permissions.0.admin_consent_description", fmt.Sprintf("Allow the application to access %s on behalf of the signed-in user.", fmt.Sprintf("acctestApp-%s", id))),
 					resource.TestCheckResourceAttrSet(resourceName, "object_id"),
 				),
@@ -53,6 +54,7 @@ func TestAccAzureADServicePrincipal_complete(t *testing.T) {
 				Config: testAccADServicePrincipal_complete(id),
 				Check: resource.ComposeTestCheckFunc(
 					testCheckADServicePrincipalExists(resourceName),
+					resource.TestCheckResourceAttr(resourceName, "app_role_assignment_required", "true"),
 					resource.TestCheckResourceAttr(resourceName, "tags.#", "3"),
 					resource.TestCheckResourceAttrSet(resourceName, "object_id"),
 				),
@@ -131,7 +133,8 @@ resource "azuread_application" "test" {
 }
 
 resource "azuread_service_principal" "test" {
-  application_id = "${azuread_application.test.application_id}"
+	application_id = "${azuread_application.test.application_id}"
+	app_role_assignment_required = true
 
   tags = ["test", "multiple", "CapitalS"]
 }

diff --git a/website/docs/r/service_principal.html.markdown b/website/docs/r/service_principal.html.markdown
@@ -27,6 +27,7 @@ resource "azuread_application" "example" {
 
 resource "azuread_service_principal" "example" {
   application_id = "${azuread_application.example.application_id}"
+  app_role_assignment_required  = false
 
   tags = ["example", "tags", "here"]
 }
@@ -38,6 +39,8 @@ The following arguments are supported:
 
 * `application_id` - (Required) The ID of the Azure AD Application for which to create a Service Principal.
 
+* `app_role_assignment_required` - (Optional) Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to `false`.
+
 * `tags` - (Optional) A list of tags to apply to the Service Principal.
 
 ## Attributes Reference
@@ -52,6 +55,8 @@ The following attributes are exported:
 
 * `display_name` - The Display Name of the Azure Active Directory Application associated with this Service Principal.
 
+* `app_role_assignment_required` - Whether this Service Principal requires an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application.
+
 * `oauth2_permissions` - A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a `oauth2_permission` block as documented below.
 
 ---