Manages a Directory Role within Azure Active Directory. Directory Roles are also known as Administrator Roles.
Directory Roles are built into Azure Active Directory and are immutable. However, by default they are not activated in a tenant (except for the Global Administrator role). This resource ensures a directory role is activated from its associated role template, and exports the object ID of the role so that role assignments can be made for it.
Once activated, directory roles cannot be deactivated and so this resource does not perform any actions on destroy.
The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles:

- RoleManagement.ReadWrite.Directory
- Directory.ReadWrite.All

When authenticated with a user principal, this resource requires one of the following directory roles:

- Privileged Role Administrator
- Global Administrator
Activate a directory role by its template ID:

```hcl
resource "azuread_directory_role" "example" {
  template_id = "00000000-0000-0000-0000-000000000000"
}
```

Activate a directory role by display name:

```hcl
resource "azuread_directory_role" "example" {
  display_name = "Printer administrator"
}
```
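The activation examples above only make the role available; the point of exporting `object_id` is to let you assign the role afterwards. The following configuration is an added example, not part of the provider's own documentation: it activates the narrowly scoped "Printer administrator" role (rather than granting Global Administrator) and assigns it to a single user through the `azuread_directory_role_member` resource. The user principal name `printer-ops@example.com` and the resource labels are assumed placeholders.

```hcl
# Added example (not from the provider docs). Activates a least-privilege
# directory role and assigns it to one user. Requires the azuread provider
# and credentials holding RoleManagement.ReadWrite.Directory (or
# Directory.ReadWrite.All), as listed in the API permissions above.

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

# Look up the principal that should receive the role.
# "printer-ops@example.com" is an assumed placeholder UPN.
data "azuread_user" "printer_ops" {
  user_principal_name = "printer-ops@example.com"
}

# Activate the built-in role by display name. Activation is one-way:
# destroying this resource does not deactivate the role in the tenant.
resource "azuread_directory_role" "printer_admin" {
  display_name = "Printer administrator"
}

# Assign the activated role to the user using the exported object_id.
# Destroying this resource does remove the assignment, so this is the
# resource to manage when revoking access.
resource "azuread_directory_role_member" "printer_ops_assignment" {
  role_object_id   = azuread_directory_role.printer_admin.object_id
  member_object_id = data.azuread_user.printer_ops.object_id
}

# Surface the role's object ID for use by other modules or for auditing
# which directory roles Terraform has activated.
output "printer_admin_role_object_id" {
  value = azuread_directory_role.printer_admin.object_id
}
```

Keeping the activation and the assignment as separate resources matters for review: `terraform plan` will show assignments being added or removed, but because activation cannot be undone, removing the `azuread_directory_role` block from the configuration does not reduce any privilege in the tenant.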
The following arguments are supported:

- `display_name` - (Optional) The display name of the directory role to activate. Changing this forces a new resource to be created.
- `template_id` - (Optional) The object ID of the role template from which to activate the directory role. Changing this forces a new resource to be created.

In addition to all arguments above, the following attributes are exported:

- `description` - The description of the directory role.
- `object_id` - The object ID of the directory role.

This resource does not support importing.