hashicorp · baranyaimate · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
@@ -25,6 +25,7 @@ type ResourceManagerAccount struct {
 	ObjectId       string
 	SubscriptionId string
 	TenantId       string
+	PrincipalType  string
 
 	AuthenticatedAsAServicePrincipal bool
 	RegisteredResourceProviders      resourceproviders.ResourceProviders
@@ -118,13 +119,19 @@ func NewResourceManagerAccount(ctx context.Context, config auth.Credentials, sub
 		return nil, errors.New("unable to configure ResourceManagerAccount: subscription ID could not be determined and was not specified")
 	}
 
+	principalType := "User"
+	if authenticatedAsServicePrincipal {
+		principalType = "ServicePrincipal"
+	}
+
 	account := ResourceManagerAccount{
 		Environment: config.Environment,
 
 		ClientId:       clientId,
 		ObjectId:       objectId,
 		SubscriptionId: subscriptionId,
 		TenantId:       tenantId,
+		PrincipalType:  principalType,
 
 		AuthenticatedAsAServicePrincipal: authenticatedAsServicePrincipal,
 		RegisteredResourceProviders:      registeredResourceProviders,

@@ -41,6 +41,11 @@ func dataSourceArmClientConfig() *pluginsdk.Resource {
 				Type:     pluginsdk.TypeString,
 				Computed: true,
 			},
+
+			"principal_type": {
+				Type:     pluginsdk.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -50,12 +55,13 @@ func dataSourceArmClientConfigRead(d *pluginsdk.ResourceData, meta interface{})
 	_, cancel := timeouts.ForRead(meta.(*clients.Client).StopContext, d)
 	defer cancel()
 
-	id := fmt.Sprintf("clientConfigs/clientId=%s;objectId=%s;subscriptionId=%s;tenantId=%s", client.Account.ClientId, client.Account.ObjectId, client.Account.SubscriptionId, client.Account.TenantId)
+	id := fmt.Sprintf("clientConfigs/clientId=%s;objectId=%s;subscriptionId=%s;tenantId=%s;principalType=%s", client.Account.ClientId, client.Account.ObjectId, client.Account.SubscriptionId, client.Account.TenantId, client.Account.PrincipalType)
 	d.SetId(base64.StdEncoding.EncodeToString([]byte(id)))
 	d.Set("client_id", client.Account.ClientId)
 	d.Set("object_id", client.Account.ObjectId)
 	d.Set("subscription_id", client.Account.SubscriptionId)
 	d.Set("tenant_id", client.Account.TenantId)
+	d.Set("principal_type", client.Account.PrincipalType)
 
 	return nil
 }
@@ -20,6 +20,7 @@ func TestAccClientConfigDataSource_basic(t *testing.T) {
 	tenantId := os.Getenv("ARM_TENANT_ID")
 	subscriptionId := os.Getenv("ARM_SUBSCRIPTION_ID")
 	objectIdRegex := regexp.MustCompile("^[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}$")
+	principalTypeRegex := regexp.MustCompile("^(ServicePrincipal|User)$")
 
 	data.DataSourceTest(t, []acceptance.TestStep{
 		{
@@ -29,6 +30,7 @@ func TestAccClientConfigDataSource_basic(t *testing.T) {
 				check.That(data.ResourceName).Key("tenant_id").HasValue(tenantId),
 				check.That(data.ResourceName).Key("subscription_id").HasValue(subscriptionId),
 				check.That(data.ResourceName).Key("object_id").MatchesRegex(objectIdRegex),
+				check.That(data.ResourceName).Key("principal_type").MatchesRegex(principalTypeRegex),
 			),
 		},
 	})

@@ -76,7 +76,7 @@ function runGraduallyDeprecatedFunctions {
     fi
 
     # exceptions to avoid false positives and legacy resources should have their original behaviour preserved
-    exceptions=("run-gradually-deprecated" "/legacy/" "network/ip_group_cidr_resource.go" "network/network_security_group_resource.go" "internal/provider" "vendor/" "internal/acceptance/testing.go")
+    exceptions=("run-gradually-deprecated" "/legacy/" "network/ip_group_cidr_resource.go" "network/network_security_group_resource.go" "internal/provider" "vendor/" "internal/acceptance/testing.go" "authorization/client_config_data_source_test.go")
     toSkip=false
     for e in "${exceptions[@]}"; do
       isThisException=$(echo "$f" | grep "$e")

@@ -31,6 +31,7 @@ There are no arguments available for this data source.
 * `tenant_id` is set to the Azure Tenant ID.
 * `subscription_id` is set to the Azure Subscription ID.
 * `object_id` is set to the Azure Object ID.
+* `principal_type` is set to the principal type of the authenticated account, e.g. `ServicePrincipal` or `User`.
 
 ---