Resource: azuread_group

Manages a group within Azure Active Directory.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Group.ReadWrite.All or Directory.ReadWrite.All.

Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: Group.Create.

If using the assignable_to_role property, this resource additionally requires the RoleManagement.ReadWrite.Directory application role.

If specifying owners for a group that are user principals, this resource additionally requires one of the following application roles: User.Read.All, User.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All.

When authenticated with a user principal, this resource requires one of the following directory roles: Groups Administrator, User Administrator or Global Administrator.

When creating this resource exclusively within administrative units, the Groups Administrator role must be scoped to each administrative unit used.

The external_senders_allowed, auto_subscribe_new_members, hide_from_address_lists and hide_from_outlook_clients properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; see the official Microsoft Graph Known Issues documentation.

Example Usage

Basic example

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

Microsoft 365 group

data "azuread_client_config" "current" {}

resource "azuread_user" "group_owner" {
  user_principal_name = "example-group-owner@hashicorp.com"
  display_name        = "Group Owner"
  mail_nickname       = "example-group-owner"
  password            = "SecretP@sswd99!"
}

resource "azuread_group" "example" {
  display_name     = "example"
  mail_enabled     = true
  mail_nickname    = "ExampleGroup"
  security_enabled = true
  types            = ["Unified"]

  owners = [
    data.azuread_client_config.current.object_id,
    azuread_user.group_owner.object_id,
  ]
}

Group with members

data "azuread_client_config" "current" {}

resource "azuread_user" "example" {
  display_name        = "J Doe"
  password            = "notSecure123"
  user_principal_name = "jdoe@hashicorp.com"
}

resource "azuread_group" "example" {
  display_name     = "MyGroup"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true

  members = [
    azuread_user.example.object_id,
    /* more users */
  ]
}

Group with dynamic membership

data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "MyGroup"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
  types            = ["DynamicMembership"]

  dynamic_membership {
    enabled = true
    rule    = "user.department -eq \"Sales\""
  }
}
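Role-assignable group in an administrative unit

The following is an added example, not part of the provider's own documentation, that ties together the permission notes above: a role-assignable security group created inside an administrative unit, with duplicate-name protection and explicit owners. Resource names and display names are assumed. assignable_to_role is the argument named in the API Permissions section; administrative_unit_ids, prevent_duplicate_names, description and the azuread_administrative_unit resource are provider features that this page does not list. Because assignable_to_role is set, the identity running the plan needs RoleManagement.ReadWrite.Directory in addition to the group permissions above, and a user-principal run needs Groups Administrator scoped to the administrative unit.

```hcl
data "azuread_client_config" "current" {}

# Administrative unit that scopes the group (assumed name, added for this example).
resource "azuread_administrative_unit" "security_ops" {
  display_name = "Security Operations"
}

resource "azuread_group" "privileged_tooling" {
  display_name     = "SecOps Privileged Tooling"
  description      = "Role-assignable group granting access to SecOps tooling"
  security_enabled = true
  mail_enabled     = false

  # Marks the group as eligible for directory role assignment. This cannot be
  # changed after creation and requires RoleManagement.ReadWrite.Directory.
  assignable_to_role = true

  # Fail the apply instead of creating a second group with the same display name.
  prevent_duplicate_names = true

  # Create the group directly within the administrative unit above, so a
  # Groups Administrator scoped to that unit can manage it.
  administrative_unit_ids = [azuread_administrative_unit.security_ops.object_id]

  # Keep the owner set small and explicit: owners can change membership, and
  # membership of a role-assignable group can carry directory roles.
  owners = [data.azuread_client_config.current.object_id]
}
```

Role-assignable groups are high-value objects because any role assigned to the group flows to every member, so the owner list is the control point worth reviewing in code review and in change monitoring; the explicit owners list above, together with prevent_duplicate_names, keeps that control visible in the plan rather than relying on defaults.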

Argument Reference

The following arguments are supported:


dynamic_membership block supports the following:

Attributes Reference

In addition to all arguments above, the following attributes are exported:

Import

Groups can be imported using their object ID, e.g.

terraform import azuread_group.my_group 00000000-0000-0000-0000-000000000000