No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

See the last sentence in “Identity” <https://www.pulumi.com/docs/guides/crosswalk/kubernetes/control-plane/#identity>

Thanks <@UB39JFCKC>, I have found that I can do this using the Microsoft Graph API.  It seems to work best if I first use Pulumi to add the rights and then the API to grant consent for them.

In theory the API can do both steps i.e. add the permissions and provide consent but when I do that they seem to appear in the "Other Permissions" section rather than the "Configured Permissions" section.  If I assign the permission with Pulumi and then use the API to grant consent they appear in the preferred "Configured Permissions" section.

My issue is that I can't call the API until Pulumi has created the App Registration, its associated Service Principal and assigned the required permissions.  I then need to use the Object ID of the Service Principal when calling the API.  Is there a way I can call normal .Net code (i.e to call the API) once the required object has been created (so I know I have a valid object ID to pass to it)?

<@UB39JFCKC> yeah looks promising.  Is there a way to integrate the API call in to my code as described above (i.e. once the objectId exists)?

.NET doesn’t have dynamic provides yet, which would be the first-class solution for this kind of problems in Node.js or Python. In .NET you could add your API calls to `Apply` , something similar to the pattern in <https://blog.headforcloud.com/2020/02/09/pulumi-azure-static-sites/>

You’d have to make sure it’s idempotent, because it can and will run multiple times