The [Azure AD provider for Terraform](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs) can be used to manage your Azure Active Directory resources declaratively. This allows you to do things like:

* Automatically provision users and make sure they belong to the correct groups.
* Manage Azure compute permissions via Azure AD groups.

  \

In this post, you will learn what the Azure AD Terraform provider is used for, how to authenticate and grant permissions and see examples of what you can do with it. Let’s get started.

\
# Step 1 - Create a Group in Azure AD

The following example shows how to use the Azure AD provider to create a [group](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) in Azure AD:

\
```
terraform {
 required_providers {
   azuread = {
     source  = "hashicorp/azuread"
     version = "= 1.6.0"
   }
 }
}

resource "azuread_group" "test" {
 display_name = "Test Group"
}
```

\
The `terraform` section at the beginning is used to specify the version of the provider that we want to use, while the `azuread_group`  resource defines our group.

\
# Step 2 - Authenticate with Azure

The Azure AD provider allows for multiple authentication methods, which are outlined in the [provider’s documentation](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs#authenticating-to-azure-active-directory). To allow you to get up and running quickly, the AD provider will attempt to get your credentials via the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).

\
While this is fine for experimentation and local testing, for non-interactive scenarios like CI you will need to use a *Service Principal* or a *Managed Service Identity*.

\
# Step 3 - Grant Permissions

In order to manage your Azure AD objects, the account used by [Terraform](https://spacelift.io/blog/what-is-terraform) needs to have the correct permissions to perform its actions. You can manage these permissions via the Roles and administrators section of Azure AD:

\
 ![](https://cdn.hackernoon.com/images/XmlQcNECRvOSDW8Pk5KvuzlDhHx1-5l03754.jpeg)

For example, to allow a Service Principal to manage groups, you would add it to the Groups administrator role:

\
 ![](https://cdn.hackernoon.com/images/XmlQcNECRvOSDW8Pk5KvuzlDhHx1-lo137sf.jpeg)

The Terraform provider is well documented and will typically contain a notice at the top of each resource explaining the permissions that are required for using it.

\
# Step 4 - Assign API Permissions

Another option that can be used with Service Principals instead of granting an administrator role is to assign specific API permissions to them. To do this, first find the AD Application linked to your Service Principal in the *App Registrations* section:

\
 ![](https://cdn.hackernoon.com/images/XmlQcNECRvOSDW8Pk5KvuzlDhHx1-vi237qr.jpeg)

Go to the *API permissions* page for the application, and click on *Add a permission*:

\
 ![](https://cdn.hackernoon.com/images/XmlQcNECRvOSDW8Pk5KvuzlDhHx1-dw337wd.jpeg)

In the window that appears, choose the *Azure Active Directory Graph* API, and then select the relevant permission you want to add:

\
 ![](https://cdn.hackernoon.com/images/XmlQcNECRvOSDW8Pk5KvuzlDhHx1-cs437zg.jpeg)

Before the Service Principal can actually use the permission you just added, you need to take a final step called granting *Admin Consent*. You can do this by clicking on the *Grant admin consent for <tenant>* button displayed above the permissions table:

\
 ![](https://cdn.hackernoon.com/images/XmlQcNECRvOSDW8Pk5KvuzlDhHx1-c553791.jpeg)

### NOTES:

* When adding permissions to your Service Principal, you need to add *Application permissions* rather than *Delegated permissions*. This means that the Service Principal is allowed to perform the specified actions as itself, rather than on behalf of another user.
* The set of permissions that you can add via API permissions is quite limited. For example, to create AD groups, you need to add the *Directory.ReadWrite.All* permission, but this will not allow your Service Principal to delete any of the groups it creates. In order to be able to delete groups, you need to grant it the *Group Administrator* role, so depending on your requirements, there may not be any point in granting API permissions.
* The Azure AD Terraform provider switches to the *Microsoft Graph API* as of version 2.0.0, so when version 2 is released, you will need to grant permissions to the *Microsoft Graph API* instead of to the *Azure Active Directory Graph API*.

\
# More Examples

## Example 1 – Managing Users and Groups

The following example creates two users and two groups and assigns each user to a group:

\
```
resource "azuread_user" "adamc" {
 user_principal_name   = "adamc@mydomain.com"
 display_name          = "Adam Connelly"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_user" "bobd" {
 user_principal_name   = "bobd@mydomain.com"
 display_name          = "Bob Dolton"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_group" "development" {
 display_name = "Development"
 members = [
   azuread_user.adamc.id
 ]
}

resource "azuread_group" "sales" {
 display_name = "Sales"
 members = [
   azuread_user.bobd.id
 ]
}
```

\
## Example 2 – Creating a Service Principal and granting RBAC permissions

The following example combines the Azure AD provider with the [Azure RM provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs), allowing you to create a Service Principal and assign it permission to manage certain Azure resources:

\
```
# Create an AD Application
resource "azuread_application" "automation" {
 display_name = "sp-automation"
}

# Create a Service Principal from that Application
resource "azuread_service_principal" "automation" {
 application_id               = azuread_application.automation.application_id
 app_role_assignment_required = false
}

# Get information about the configured Azure subscription
data "azurerm_subscription" "primary" {}

# Grant our service principal "Contributor" access over the subscription
resource "azurerm_role_assignment" "automation_contributor" {
 scope                = data.azurerm_subscription.primary.id
 role_definition_name = "Contributor"
 principal_id         = azuread_service_principal.automation.object_id
}
```

\
# Key Points

In this post, we’ve covered what the Azure AD Terraform provider is used for, how to authenticate and grant the correct permissions, as well as showing a few examples of what can be done with it. Hopefully, you’ve found it useful!

\
*First Published [here](https://spacelift.io/blog/how-to-manage-active-directory-objects-with-azure-ad-provider-for-terraform)*

Microsoft

ReadWrite

Read My Stories

Too Long; Didn't Read

Cassandra Forward a free Cassandra-focused community event

Managing Active Directory Objects with Azure AD Provider for Terraform

Too Long; Didn't Read

People Mentioned

Companies Mentioned

@adamconnelly

RELATED STORIES