对于权限type，Scope对应于Delegated权限类型，其中Role是Application类型。
email OpenID作用域是Delegated权限类型，因此您需要将权限type从Role更改为Scope。

resource_access {
    id = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"
    type = "Scope"
}

字符串

为了解决OP询问的第二部分，确实可以通过Terraform“授予管理员同意”。请参阅azuread_app_role_assignment documentation，其中有一个很好的例子来说明如何实现这一点。
下文引用了相关的例子。

data "azuread_application_published_app_ids" "well_known" {}

resource "azuread_service_principal" "msgraph" {
  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
  use_existing   = true
}

resource "azuread_application" "example" {
  display_name = "example"

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }

    resource_access {
      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.ReadWrite"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

resource "azuread_app_role_assignment" "example" {
  app_role_id         = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
  principal_object_id = azuread_service_principal.example.object_id
  resource_object_id  = azuread_service_principal.msgraph.object_id
}

字符串