Manages a single directory role assignment scoped to an administrative unit within Azure Active Directory.
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires one of the following application roles: `AdministrativeUnit.ReadWrite.All` and `RoleManagement.ReadWrite.Directory`, or `Directory.ReadWrite.All`.
When authenticated with a user principal, this resource requires one of the following directory roles: Privileged Role Administrator or Global Administrator.
```hcl
data "azuread_user" "example" {
  user_principal_name = "jdoe@hashicorp.com"
}

resource "azuread_administrative_unit" "example" {
  display_name = "Example-AU"
}

resource "azuread_directory_role" "example" {
  display_name = "Security administrator"
}

resource "azuread_administrative_unit_role_member" "example" {
  role_object_id                = azuread_directory_role.example.object_id
  administrative_unit_object_id = azuread_administrative_unit.example.id
  member_object_id              = data.azuread_user.example.id
}
```
The following arguments are supported:

- `administrative_unit_object_id` - (Required) The object ID of the administrative unit you want to add the member to. Changing this forces a new resource to be created.
- `member_object_id` - (Required) The object ID of the user, group or service principal you want to add as a member of the administrative unit. Changing this forces a new resource to be created.
- `role_object_id` - (Required) The object ID of the directory role you want to assign. Changing this forces a new resource to be created.

In addition to all arguments above, the following attributes are exported:

No additional attributes are exported.
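The following is an added example, not part of the provider documentation, that contrasts a tenant-wide role assignment with the administrative-unit-scoped form this resource provides: the role holders receive the role only over the objects placed in the AU. The UPNs, display names and the choice of the `Helpdesk Administrator` role are constructed for illustration; `azuread_administrative_unit_member` and `azuread_directory_role_assignment` are other resources of the same provider.

```hcl
locals {
  # Constructed: the accounts the AU contains (the only objects the role may affect)
  au_member_upns = toset(["a.alice@example.com", "b.bob@example.com"])
  # Constructed: the operators who receive the AU-scoped role
  role_holder_upns = toset(["ops.carol@example.com"])
}

data "azuread_user" "au_member" {
  for_each            = local.au_member_upns
  user_principal_name = each.value
}

data "azuread_user" "role_holder" {
  for_each            = local.role_holder_upns
  user_principal_name = each.value
}

resource "azuread_administrative_unit" "emea" {
  display_name = "EMEA-Users" # constructed name
}

# Populate the AU; the scoped role assignment below only applies to these objects.
resource "azuread_administrative_unit_member" "emea" {
  for_each                      = data.azuread_user.au_member
  administrative_unit_object_id = azuread_administrative_unit.emea.id
  member_object_id              = each.value.id
}

resource "azuread_directory_role" "helpdesk_admin" {
  display_name = "Helpdesk Administrator"
}

# Over-broad form, shown for contrast and intentionally left unapplied:
# the same role, but effective over every object in the tenant.
# resource "azuread_directory_role_assignment" "tenant_wide" {
#   role_id             = azuread_directory_role.helpdesk_admin.template_id
#   principal_object_id = data.azuread_user.role_holder["ops.carol@example.com"].id
# }

# Least-privilege form: the role is effective only inside the AU.
resource "azuread_administrative_unit_role_member" "emea_helpdesk" {
  for_each                      = data.azuread_user.role_holder
  role_object_id                = azuread_directory_role.helpdesk_admin.object_id
  administrative_unit_object_id = azuread_administrative_unit.emea.id
  member_object_id              = each.value.id
}
```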
Administrative unit role members can be imported using the object ID of the administrative unit and the unique ID of the role assignment, e.g.
```shell
terraform import azuread_administrative_unit_role_member.example 00000000-0000-0000-0000-000000000000/roleMember/zX37MRLyF0uvE-xf2WH4B7x-6CPLfudNnxFGj800htpBXqkxW7bITqGb6Rj4kuTuS
```