diff --git a/.github/workflows/azure_terraform_apply.yml b/.github/workflows/azure_terraform_apply.yml
index 4afd912..09c6fea 100644
--- a/.github/workflows/azure_terraform_apply.yml
+++ b/.github/workflows/azure_terraform_apply.yml
@@ -31,6 +31,7 @@ jobs:
 matrix:
 stack:
 - acm-general
+ - sysadmin-demo
 defaults:
 run:
diff --git a/.github/workflows/azure_terraform_plan.yml b/.github/workflows/azure_terraform_plan.yml
index 5c75bd3..2495ec4 100644
--- a/.github/workflows/azure_terraform_plan.yml
+++ b/.github/workflows/azure_terraform_plan.yml
@@ -28,6 +28,7 @@ jobs:
 matrix:
 stack:
 - acm-general
+ - sysadmin-demo
 defaults:
 run:
diff --git a/azure/terraform/stacks/acm-general/.terraform.lock.hcl b/azure/terraform/stacks/acm-general/.terraform.lock.hcl
index 0e2a851..06bef88 100644
--- a/azure/terraform/stacks/acm-general/.terraform.lock.hcl
+++ b/azure/terraform/stacks/acm-general/.terraform.lock.hcl
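Review bot: The `stack` matrix is now maintained by hand in two places — this hunk in azure_terraform_apply.yml and the identical one in azure_terraform_plan.yml — so the lists can drift and a stack could be applied that was never planned, or planned but never applied. A reusable workflow with a single stack list would remove the duplication; short of that, a comment on the matrix in both files keeps the coupling visible, e.g. `# Keep this list in sync with azure_terraform_plan.yml`. The surrounding `jobs:` block starts and ends outside the hunk.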
@@ -2,61 +2,41 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azuread" { - version = "2.39.0" + version = "3.0.2" + constraints = "3.0.2" hashes = [ - "h1:eArrGnAP438ajO6peHLzDZxHI+mFiHeT82pObfpgObs=", - "zh:11d03e0bdcb372dcbebbfac53b71526ca3a2e4d280103a43f4294be66f264b96", + "h1:sYCyzbPpSYu2XDah8XqBUITQAfB0x4j4Twh6lw2C4CA=", + "zh:16e724b80a9004c7978c30f69a73c98ff63eb8a03937dd44c2a8f0ea0438b7a3", "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7", - "zh:1e1e40cb7b3028fec4a1527c9f74b29f80bca5f365a1c8bc2eb4374d48f7efcd", - "zh:1e2418804ca6af82d1b222c2177579bceba869f75c2411316774f0f937aca39a", - "zh:273f67427b5fdb23e074ebc017422995e184b58fb36e441ea5a059e6846461f5", - "zh:27f4b16e829608a675f056dea93997662eeebe5297dce1d19add8dc8b0842596", - "zh:40c2b2797c993e4b003d1ad2aa0105040401ca48d85a8cda6e885fed30de1cb7", - "zh:6f069afbc76c577447721bca164bb98ebb83de35650b09ccee38040d80493ca4", - "zh:9ac84becff0e48062f26e9b35cb91f706341f587c0cf2ab2c2971cc14f51f8dd", - "zh:a54119d7a4838f5aa282aa0b2d7c8db8c9defaf876142b8f40b337930b507457", - "zh:aa2ce28f3555f3e1fb183d12a03cdc9d64940f017ab6dd67cb414ade02df6c56", - "zh:befac5781b062e79be6e1a6407892f7e5368baf3f32e3bc6cf6c74a73f43f09d", + "zh:2bbbf13713ca4767267b889471c9fc14a56a8fdf5d1013da3ca78667e3caec64", + "zh:409ccb05431d643a079da082d89db2d95d6afed4769997ac537c8b7de3bff867", + "zh:53e4bca0f5d015380f7f524f36344afe6211ccaf614bfc69af73ca64a9f47d6c", + "zh:5780be2c1981d090604d7fa4cef675462f17f40e7f3dc501a031488e87a35b8f", + "zh:850e61a1b3e64c752c418526ccf48653514c861b36f5feb631619f906f7e99a0", + "zh:8c3565bfcea006a734149cc080452a9daf7d2a9d5362eb7e0a088b6c0d7f0f03", + "zh:908b9e6ad49d5d21173ecefc7924902047611be93bbf8e7d021aa9563358396f", + "zh:a2a79765c029bc58966eff61cb6e9b0ee14d2ac52b0a22fc7dfa35c9a49af669", + "zh:c7f56cbe8743e9ba81fce871bc97d9c07abe86770d9ee7ffefbf3882a61ba89a", + "zh:d4dba80e33421b30d81c62611fb7fc62ad39afecc6484436e635913cd8553e67", ] } provider 
"registry.terraform.io/hashicorp/azurerm" { - version = "3.63.0" - constraints = "3.63.0" + version = "4.9.0" + constraints = "4.9.0" hashes = [ - "h1:PT0lfMSxYAL+Pcu5BwWiWDLq6u/mzx1O/dVfxFotDDU=", - "zh:0bb8263de0abf1a7457168673f9fcf7e404ae59d03d0e8eda91f1e024f8d9253", - "zh:24dd5883c95801f2d4a88be22b9a3bb4e20de7b6b65e8b7cc90b12a0895d7adf", - "zh:4fe19fe81a68811d09d33aeea05f20987bef84dc7377c4b34782b94dda2c658f", - "zh:673fcd9d15b3f1307a1c41323598678b9a705751851d0f65e6abdf78c9e5361f", - "zh:6c401d348d04436ed891482c3e2151c34d6fbce0a6ee8880c6025de589e22e9a", - "zh:6f6b9909d62e9928d56b1d02c88a514d45022fae72048166e58e288759c73493", - "zh:7de2aa6636ba657166ef992a3b7a822394a2d1f8c319fdbabec69b99950990ea", - "zh:976ca97ab21708f8707c360c18dc64c03a6e497b7a157bb0ff7a8a54c03ebc55", - "zh:af220c20ce6e76c4c072fbc9aa3c02597260117ba7deaa0e0d585fb1957a775b", + "h1:PaXhZEEv2W1p1LArJ98yMnfXBPF1uJiAf+7s1JAcejE=", + "zh:09c17cb67e3f4c2984648ee8592645c77c5f2f1a2902dbb8de340e2ed0ebfa56", + "zh:13f3f912cd7c61a7d8e9046425b919e9fae8477919a6d9d55d8b3a1ca0f49e38", + "zh:2f361f1e16a8e93834d26fd3f5df82e6f91fd20d4c5af70510cbf607d301ec5a", + "zh:59d5a51efb751290a6c9a2110257b20ce6504c541c2f58f9f1a1131dacb35ca4", + "zh:8ccc71b611200a8311a083b952b7551371f4d60134f7d1f46586ecead81c469f", + "zh:94a128603b55abfd64da1b4217e97ca7e905a822a2dd8b56f37819a94b4ed9aa", + "zh:97b1e3ece7489bfc1b24d687b3b52a62a99daadbea3e75d4c93ca5a8d59dd15a", + "zh:a8ade9445ebdc9ad3abaf9bca63dbee59fa462652a2e9592ffd170b4f642b785", + "zh:d5fa3afba4c2e1c01a8e12499fb9684f8aa39cab3e86af21bfd0f0da27ecc5d2", + "zh:d796c83a5f6da08f910ee3d616b6f842ccb24997ed3a71e050de348bb4d3da59", + "zh:ecf2c5288e18bad3b02cbde536efb38ad10dfec022828beaae8f07a78e0a9d63", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:fb4055762069cf0f58a36110853811f63e52c7077e332d8731a66fade1ba9f15", - "zh:fc95c1c80e98c317ec38fa33d16d55b5a62058dc893fbf578d100fb91401356e", - ] -} - -provider "registry.terraform.io/linyinfeng/shell" { - version 
= "1.7.12" - hashes = [ - "h1:s6dxJj1htfz0i7i+VWE9inu7qRPkJc8w6GgNDpXlpY8=", - "zh:089de5cff698b5e4d2ab4a6fbc67d90c1a71efd1c8e666071cd8b81c28c14326", - "zh:1cb6b16d4edf3a14a3fd293b4287cfe1f7372847db3fa570f73ebb9e32a74492", - "zh:23c40760244613932dc5733fc945ccad1bf1371585552cbe3e294a74442e092f", - "zh:32b921f25e6e3cef299ba88d60621e5d77a2eee088b998769c11a6779b43d112", - "zh:4cf97d63e43838ad74a778199a9693cc354e54b742d14829734b8f79090b9b2b", - "zh:51ddd1a63dcabfad61f14e99ebc0b5a2d819a1b43b1962471ce73d3d0ed32976", - "zh:7bf11b78d09650d7d8d430d637b8d81b8a1ce6b1947177f910467609d735cb8b", - "zh:9a6b515f70df34a3cfc803f8221766a4edcff0c0c537238f4c1dbfeef81233c8", - "zh:9ca235f5e695d391990887bbfee2b60ed3702dffa33f8696fa5ef3c84589d054", - "zh:a20ddfd9853186a2717910698a905bbb2738da6e2e9b19abbddce7b52644cd15", - "zh:cbfc3299a0b874339972a22b3044bc330c0e2ab6ac6cf1ea57b8c0c60f4f6e1f", - "zh:e7a2dd66372deb5a346366fcbf14e5e6728086b909c69519a949e42196bac0d8", - "zh:f0ecd3a4b9a03cac1ba90a9bccceed0ed7f16d85472a7d6221bde031ce639e94", - "zh:f7d39bb21977cb15c8d77d6512982eeba61464242f5a1c88d04babc74bfc7fc7", ] } diff --git a/azure/terraform/stacks/acm-general/external-dns.tf b/azure/terraform/stacks/acm-general/external-dns.tf index 2b7238b..c8cbb2f 100644 --- a/azure/terraform/stacks/acm-general/external-dns.tf +++ b/azure/terraform/stacks/acm-general/external-dns.tf @@ -8,7 +8,7 @@ resource "azuread_application" "externaldns" { } resource "azuread_service_principal" "externaldns" { - application_id = azuread_application.externaldns.application_id + client_id = azuread_application.externaldns.client_id app_role_assignment_required = false owners = distinct(concat([data.azuread_client_config.current.object_id], var.additional_owner_ids)) description = "Service Principal for ExternalDNS within on-prem Kubernetes" 
@@ -16,7 +16,7 @@ resource "azuread_service_principal" "externaldns" {
 resource "azuread_service_principal_password" "externaldns" {
 display_name = "${var.external_dns_namespace}Password"
- service_principal_id = azuread_service_principal.externaldns.object_id
+ service_principal_id = azuread_service_principal.externaldns.id
 }
 resource "azurerm_role_assignment" "externaldns_reader" {
@@ -43,8 +43,8 @@ output "externaldns_sp_keyid" {
 value = azuread_service_principal_password.externaldns.key_id
 }
-output "externaldns_sp_appid" {
- value = azuread_application.externaldns.application_id
+output "externaldns_sp_clientid" {
+ value = azuread_application.externaldns.client_id
 }
 output "externaldns_sp_password" {
diff --git a/azure/terraform/stacks/acm-general/providers.tf b/azure/terraform/stacks/acm-general/providers.tf
index c62ceb6..f95678b 100644
--- a/azure/terraform/stacks/acm-general/providers.tf
+++ b/azure/terraform/stacks/acm-general/providers.tf
@@ -1,9 +1,13 @@
 terraform {
- required_version = "1.5.2"
+ required_version = "1.9.8"
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.63.0"
+ version = "4.9.0"
+ }
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "3.0.2"
 }
 }
 }
@@ -13,3 +17,6 @@ provider "azurerm" {
 features {}
 }
+provider "azuread" {
+ # Configuration options
+}
diff --git a/azure/terraform/stacks/acm-general/service_principal.tf b/azure/terraform/stacks/acm-general/service_principal.tf
deleted file mode 100644
index 4ff6f43..0000000
--- a/azure/terraform/stacks/acm-general/service_principal.tf
+++ /dev/null
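Review bot: The body of `azurerm_role_assignment.externaldns_reader`, which opens on the last context line of this hunk, is outside the hunk and is the resource most likely to break under this upgrade: under azuread 3.x the `id` attribute of `azuread_service_principal` is a `/servicePrincipals/<object id>` resource ID, while azurerm's `principal_id` needs the bare object ID. If that block takes `principal_id` from `azuread_service_principal.externaldns.id` — the pattern the deleted service_principal.tf used — it should read `principal_id = azuread_service_principal.externaldns.object_id`. Passing `.id` to `service_principal_id` in this hunk is the correct 3.x form, so the two attributes now deliberately diverge; a one-line comment there, `# azuread 3.x: .id is the /servicePrincipals/... form; azurerm role assignments still need .object_id`, would stop the next edit from "normalizing" them.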
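Review bot: Renaming the output from `externaldns_sp_appid` to `externaldns_sp_clientid` in the `@@ -43,8 +43,8 @@` hunk silently breaks anything that reads the old name through remote state or workflow output; if there are consumers, keep the old name alongside the new one for a release with a comment marking it deprecated, otherwise say in the commit that none exist. The `externaldns_sp_password` output that begins on the hunk's last line is outside the hunk; it should carry `sensitive = true` if it does not already, since the value is a service-principal credential.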
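Review bot: The added `provider "azuread"` block carries only the scaffold comment `# Configuration options`, which tells a reader nothing; replace it with what the block actually relies on, e.g. `# Authenticates with the same credentials as the azurerm provider (supplied by the workflow environment); nothing to configure here`, or drop the comment. Separately, the bump to azurerm 4.9.0 in the first hunk is a major-version change: to my recollection azurerm 4.x no longer derives the subscription from the Azure CLI context, so unless the workflows export `ARM_SUBSCRIPTION_ID`, the `provider "azurerm"` block in the second hunk needs an explicit `subscription_id`; the same applies to the sysadmin-demo stack's provider block, which this diff does not show. Worth confirming with a plan run before the stack is added to the apply matrix.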
@@ -1,34 +0,0 @@
-data "azurerm_client_config" "current" {}
-
-data "azurerm_subscription" "primary" {}
-
-
-resource "azuread_application" "terraform_sysadmin_demo" {
- display_name = "terraform-sysadmindemo-svc"
- owners = var.additional_owner_ids # Azure AD Owner IDs
-}
-
-resource "azuread_service_principal" "terraform_sysadmin_demo" {
- application_id = azuread_application.terraform_sysadmin_demo.application_id
- app_role_assignment_required = false
- owners = var.additional_owner_ids # Azure AD Owner IDs
-}
-
-resource "azuread_application_password" "terraform_sysadmin_demo" {
- application_object_id = azuread_application.terraform_sysadmin_demo.object_id
- display_name = "rbac-sysadmindemo-apppass"
- end_date_relative = "240h"
-}
-
-resource "azurerm_role_assignment" "terraform_sysadmin_demo_reader" {
- scope = data.azurerm_subscription.primary.id
- role_definition_name = "Reader"
- principal_id = azuread_service_principal.terraform_sysadmin_demo.id
-}
-
-resource "azurerm_role_assignment" "terraform_sysadmin_demo_dns" {
- scope = data.azurerm_subscription.primary.id
- role_definition_name = "DNS Zone Contributor"
- principal_id = azuread_service_principal.terraform_sysadmin_demo.id
-}
-
diff --git a/azure/terraform/stacks/sysadmin-demo/.terraform.lock.hcl b/azure/terraform/stacks/sysadmin-demo/.terraform.lock.hcl
index 7477f4e..446e84b 100644
--- a/azure/terraform/stacks/sysadmin-demo/.terraform.lock.hcl
+++ b/azure/terraform/stacks/sysadmin-demo/.terraform.lock.hcl
@@ -2,21 +2,21 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.27.0" - constraints = "3.27.0" + version = "4.9.0" + constraints = "4.9.0" hashes = [ - "h1:0CrzPeSTqt0Q1i9HymfWMovS2/2omGYS//cFYkDU0So=", - "zh:02e014e70113c321aca49e76c4c39e7d7ca0f45763f095a063d523f0af1a9327", - "zh:17457072dbc2e0cb112dcc246173895f873c5d7d907e2f6883c19a104e053e66", - "zh:2f38a5326dbadeba80da45c1c6f4eabe207a7672d3e7c9056df1861433148790", - "zh:63f608417196fd88d3a5a20b037de0064302985414f49ff494aa65e00dc5d218", - "zh:705d67e00c77181bcc6c50613bb8aa2c77988f86534bc240a300a1826efbc24c", - "zh:72f7eca9bd3b7b1e6fffb5bc7b11a9281c1f34319b2073b2c7db1b08b558b2f8", - "zh:7579eef7a029f0bb8440f161afd53e59859541a4aa05008d0d88c5ecf2d81c23", - "zh:78429d5602a356acadc3c4b2d19bbed3e1a373f8c89e2bb9871527a1c56f51cb", - "zh:e0eb79998b61d7d2a4be05cc28f7c2caa8bc50edddd2f0e0bfb99a833982ae6b", - "zh:e6b3d8da3e75d6793a21f318937ce3ba81d6267c18cc058a9366ba35d37cf3be", + "h1:PaXhZEEv2W1p1LArJ98yMnfXBPF1uJiAf+7s1JAcejE=", + "zh:09c17cb67e3f4c2984648ee8592645c77c5f2f1a2902dbb8de340e2ed0ebfa56", + "zh:13f3f912cd7c61a7d8e9046425b919e9fae8477919a6d9d55d8b3a1ca0f49e38", + "zh:2f361f1e16a8e93834d26fd3f5df82e6f91fd20d4c5af70510cbf607d301ec5a", + "zh:59d5a51efb751290a6c9a2110257b20ce6504c541c2f58f9f1a1131dacb35ca4", + "zh:8ccc71b611200a8311a083b952b7551371f4d60134f7d1f46586ecead81c469f", + "zh:94a128603b55abfd64da1b4217e97ca7e905a822a2dd8b56f37819a94b4ed9aa", + "zh:97b1e3ece7489bfc1b24d687b3b52a62a99daadbea3e75d4c93ca5a8d59dd15a", + "zh:a8ade9445ebdc9ad3abaf9bca63dbee59fa462652a2e9592ffd170b4f642b785", + "zh:d5fa3afba4c2e1c01a8e12499fb9684f8aa39cab3e86af21bfd0f0da27ecc5d2", + "zh:d796c83a5f6da08f910ee3d616b6f842ccb24997ed3a71e050de348bb4d3da59", + "zh:ecf2c5288e18bad3b02cbde536efb38ad10dfec022828beaae8f07a78e0a9d63", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - 
"zh:f7905b2ac7e3a71ebbdc6846bbbc417df4be5690e7afd74d2aba48828a21398e",
 ]
 }
diff --git a/azure/terraform/stacks/sysadmin-demo/chasetest.tf b/azure/terraform/stacks/sysadmin-demo/chasetest.tf
new file mode 100644
index 0000000..e9b86dd
--- /dev/null
+++ b/azure/terraform/stacks/sysadmin-demo/chasetest.tf
@@ -0,0 +1,7 @@
+resource "azurerm_dns_a_record" "chasetest" {
+ name = "chasetest"
+ zone_name = data.azurerm_dns_zone.acmuic_org.name
+ resource_group_name = data.azurerm_resource_group.acm_general.name
+ ttl = 60
+ records = ["127.0.0.1"]
+}
diff --git a/azure/terraform/stacks/sysadmin-demo/configuration/prod.tfvars b/azure/terraform/stacks/sysadmin-demo/configuration/prod.tfvars
new file mode 100644
index 0000000..baa7bf5
--- /dev/null
+++ b/azure/terraform/stacks/sysadmin-demo/configuration/prod.tfvars
@@ -0,0 +1 @@
+# Prod environment variables
diff --git a/azure/terraform/stacks/sysadmin-demo/providers.tf b/azure/terraform/stacks/sysadmin-demo/providers.tf
index 71c7352..e1f6786 100644
--- a/azure/terraform/stacks/sysadmin-demo/providers.tf
+++ b/azure/terraform/stacks/sysadmin-demo/providers.tf
@@ -1,9 +1,9 @@
 terraform {
- required_version = "1.3.2"
+ required_version = "1.9.8"
 required_providers {
 azurerm = {
 source = "hashicorp/azurerm"
- version = "3.27.0"
+ version = "4.9.0"
 }
 }
 }
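Review bot: `data.azurerm_dns_zone.acmuic_org` and `data.azurerm_resource_group.acm_general`, referenced on the `zone_name` and `resource_group_name` lines of the new chasetest.tf, are not declared anywhere in this commit; unless the sysadmin-demo stack already defines them, `terraform plan` fails on undeclared data sources the first time the stack runs in the new matrix. The record itself — a `chasetest` name in the public zone resolving to `127.0.0.1` with a 60-second TTL — reads like a leftover experiment rather than infrastructure, and a loopback record under the organization's domain is not inert: anything listening locally on a user's machine becomes addressable under that domain. If it is intentional, say so above the resource, e.g. `# Demo record for the sysadmin workshop; resolves to loopback on purpose — remove after <DATE>`; otherwise drop the file before the stack is applied.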