Resource: azuread_directory_role

Manages a Directory Role within Azure Active Directory. Directory Roles are also known as Administrator Roles.

Directory Roles are built in to Azure Active Directory and are immutable. However, by default they are not activated in a tenant (except for the Global Administrator role). This resource ensures a directory role is activated from its associated role template, and exports the object ID of the role so that role assignments can be made against it.

Once activated, directory roles cannot be deactivated and so this resource does not perform any actions on destroy.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: RoleManagement.ReadWrite.Directory or Directory.ReadWrite.All.

When authenticated with a user principal, this resource requires one of the following directory roles: Privileged Role Administrator or Global Administrator.

Example Usage

Activate a directory role by its template ID

resource "azuread_directory_role" "example" {
  template_id = "00000000-0000-0000-0000-000000000000"
}

Activate a directory role by display name

resource "azuread_directory_role" "example" {
  display_name = "Printer administrator"
}
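The two snippets above only activate a role. The following configuration is an added example (not part of the provider's own documentation for this resource) that carries the activation through to the role assignment the page describes, using the exported object ID. It assumes the azuread_group and azuread_directory_role_member resources are available in the provider version in use; the group name and role are illustrative values chosen for a narrowly scoped role rather than Global Administrator.

```hcl
# Activate the built-in role from its template. This is idempotent: if the
# role is already active in the tenant the resource simply adopts it, and
# nothing happens on destroy because activated roles cannot be deactivated.
resource "azuread_directory_role" "printer_admin" {
  display_name = "Printer administrator"
}

# A role-assignable security group to hold the members of the role. Granting
# the role to a group (rather than to individual users) keeps the assignment
# reviewable in one place and avoids scattering privileged grants.
# assignable_to_role must be set at creation time and cannot be changed later.
resource "azuread_group" "printer_operators" {
  display_name       = "printer-operators"          # illustrative name
  security_enabled   = true
  assignable_to_role = true
}

# Make the assignment using the object ID exported by azuread_directory_role.
# The role ID is referenced, not hard-coded, so the configuration works in any
# tenant regardless of whether the role was active beforehand.
resource "azuread_directory_role_member" "printer_operators" {
  role_object_id   = azuread_directory_role.printer_admin.object_id
  member_object_id = azuread_group.printer_operators.object_id
}

# Expose the activated role's object ID for use by other configurations.
output "printer_admin_role_object_id" {
  value = azuread_directory_role.printer_admin.object_id
}
```

Because the role itself is never destroyed, removing the azuread_directory_role_member resource is what revokes the privilege; plan output for that resource is therefore the change worth reviewing in this configuration.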

Argument Reference

The following arguments are supported:

display_name - (Optional) The display name of the directory role to activate. Changing this forces a new resource to be created.

template_id - (Optional) The object ID of the role template from which to activate the directory role. Changing this forces a new resource to be created.

Exactly one of display_name or template_id must be specified.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

object_id - The object ID of the activated directory role. Use this when creating role assignments for the role.

Import

This resource does not support importing.