Hi, i'm trying to setup App Services with Managed Identity and Create a AAD Group with all the Apps as Members. The Problem is that it fails directly whi the preview when nothing exists.

Diagnostics:
  azuread:index:GroupMember (app3Member):
    error: azuread:index/groupMember:GroupMember resource 'app3Member' has a problem: Missing required property 'memberObjectId'

On the other hand, it works when I comment out the GroupMember generation, run

pulumi up

and deploy the appServices first, the comment the group member generation in and run

pulumi up

again. So with two round trips in works. I also checked doing forcing an Output<string> with

memberObjectId: pulimi.output(app1Service).apply(app=>app.identity.principalId)

This does not help, also playing around with setting dependsOn does also not helps. Any Ideas? Running the Script twice (first without the GroupMember generation) seems not a good option. Here is the complete sample (extract of a longer script)

import * as pulumi from "@pulumi/pulumi";
import * as azure from "@pulumi/azure";
import * as azuread from "@pulumi/azuread";
import { Kinds } from "@pulumi/azure/appservice";
import { Locations } from "@pulumi/azure";

const appName = 'testapp';

const env = 'dev-';

const rgName = `rg-${env}${appName}`;
const planName = `${env}${appName}`;
const serviceName = `${env}${appName}`;

const resourceGroup = new azure.core.ResourceGroup(rgName, {
    location: Locations.WestEurope
});

const resourceGroupArgs = {
    resourceGroupName: resourceGroup.name,
    location: resourceGroup.location
};

const servicePlan = new azure.appservice.Plan(planName, {
    ...resourceGroupArgs,
    kind: <http://Kinds.App|Kinds.App>,
    sku: {
        capacity: 1,
        size: 'B1',
        tier: 'Basic'
    }
})

const app1Service = new azure.appservice.AppService('app1' + serviceName, {
    ...resourceGroupArgs,
    appServicePlanId: servicePlan.id,
    appSettings: {
        "ASPNETCORE_ENVIRONMENT": env.startsWith('dev') ? 'development' : 'production'
    },
    identity: {
        type: 'SystemAssigned'
    }
})

const app2Service = new azure.appservice.AppService('app2-' + serviceName, {
    ...resourceGroupArgs,
    appServicePlanId: servicePlan.id,
    appSettings: {
        "ASPNETCORE_ENVIRONMENT": env.startsWith('dev') ? 'development' : 'production'
    },
    identity: {
        type: 'SystemAssigned'
    }
})

const app3Service = new azure.appservice.AppService('app3-' + serviceName, {
    ...resourceGroupArgs,
    appServicePlanId: servicePlan.id,
    appSettings: {
        "ASPNETCORE_ENVIRONMENT": env.startsWith('dev') ? 'development' : 'production'
    },
    identity: {
        type: 'SystemAssigned'
    }
})

const appGroupName = `${appName}-App`;

const appGroup = new azuread.Group(appGroupName, {
});

new azuread.GroupMember('app1Member', {
    groupObjectId: appGroup.id,
    memberObjectId: app1Service.identity.principalId
}, { dependsOn: [appGroup, app1Service] })

new azuread.GroupMember('app2Member', {
    groupObjectId: appGroup.id,
    memberObjectId: app2Service.identity.principalId
}, { dependsOn: [appGroup, app2Service] })

new azuread.GroupMember('app3Member', {
    groupObjectId: appGroup.id,
    memberObjectId: app3Service.identity.principalId
}, { dependsOn: [appGroup, app3Service] })

I suspect you might need to do something like this https://github.com/pulumi/examples/blob/master/azure-ts-msi-keyvault-rbac/index.ts#L122

@tall-librarian-49374 yes, that helped. What a shame ;)