Unable to import Microsoft Graph service principal by application/client ID

[Wompipomp]

What problem are you facing?

The provider currently only allows importing existing service principals using their object ID via annotation "crossplane.io/external-name". This is problematic when trying to import the Microsoft Graph service principal because its object ID varies across different Azure AD tenants. The expected behavior is to be able to import the Microsoft Graph service principal using its well-known, fixed application ID (00000003-0000-0000-c000-000000000000).

What could help solve your problem?

The provider should allow importing the Microsoft Graph service principal by its application ID (00000003-0000-0000-c000-000000000000). This ID is constant across all Azure AD tenants, whereas the object ID seems to be tenant-specific.

In terraform you can import the Microsoft Graph service principal via:

data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  client_id    = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing = true
}

Similar configuration does not work in crossplane.

apiVersion: serviceprincipals.azuread.upbound.io/v1beta1
kind: Principal
metadata:
  name: msgraph
spec:
  managementPolicies:
  - Observe
  forProvider:
    clientId: '00000003-0000-0000-c000-000000000000'
    useExisting: true

The only way I found to import the service principal was by looking up the object id and set it via "crossplane.io/external-name" but this is not a good solution.