Azure Active Directory Provider

The Azure Provider can be used to configure infrastructure in Azure Active Directory using the Microsoft Graph API. Documentation regarding the Data Sources and Resources supported by the Azure Active Directory Provider can be found in the navigation to the left.

Interested in the provider's latest features, or want to make sure you're up to date? Check out the changelog for version information and release notes.

Getting Started

If you're new to the AzureAD provider, check out our Learn tutorial, which guides practitioners through learning the Terraform configuration language and the AzureAD provider, with an example workflow for managing users and groups.

Example Usage

# Configure Terraform
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.15.0"
    }
  }
}

# Configure the Azure Active Directory Provider
provider "azuread" {
  tenant_id = "00000000-0000-0000-0000-000000000000"
}

# Retrieve domain information
data "azuread_domains" "example" {
  only_initial = true
}

# Create an application
resource "azuread_application" "example" {
  display_name = "ExampleApp"
}

# Create a service principal
resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

# Create a user
resource "azuread_user" "example" {
  user_principal_name = "ExampleUser@${data.azuread_domains.example.domains.0.domain_name}"
  display_name        = "Example User"
  password            = "..."
}

Authenticating to Azure Active Directory

Terraform supports a number of different methods for authenticating to Azure Active Directory:


We recommend using either a Service Principal or Managed Identity when running Terraform non-interactively (such as when running Terraform in a CI/CD pipeline), and authenticating using the Azure CLI when running Terraform locally.

Features and Bug Requests

Bugs and feature requests can be reported on the GitHub issues tracker. Please avoid "me too" or "+1" comments. Instead, use a thumbs up reaction on enhancement requests. Provider maintainers will often prioritise work based on the number of thumbs on an issue.

Community input is appreciated on outstanding issues! We love to hear what use cases you have for new features, and want to provide the best possible experience for you using the Azure Active Directory provider.

If you have a bug or feature request without an existing issue:

The provider maintainers will often use the assignee field on an issue to mark who is working on it.


If you have configuration questions, or general questions about using the provider, try checking out:

Argument Reference

The following arguments are supported:


When authenticating as a Service Principal using a Client Certificate, the following fields can be set:

More information on how to configure a Service Principal using a Client Certificate can be found in this guide.


When authenticating as a Service Principal using a Client Secret, the following fields can be set:


When authenticating as a Service Principal using Open ID Connect, the following fields can be set:

More information on how to configure a Service Principal using OpenID Connect can be found in this guide.


When authenticating using Managed Identity, the following fields can be set:

More information on how to configure a Service Principal using Managed Identity can be found in this guide.


For Azure CLI authentication, the following fields can be set:


Advanced Usage

For more advanced scenarios, the following additional arguments are supported:

It's also possible to use multiple Provider blocks within a single Terraform configuration, for example to work with resources across multiple Azure Active Directory Tenants or Environments - more information can be found in the documentation for Providers.


Logging and Tracing

Logging output can be controlled with the TF_LOG or TF_LOG_PROVIDER environment variables. Exporting TF_LOG=DEBUG will increase the log verbosity and emit HTTP request and response traces to stdout when running Terraform. This output is very useful when reporting a bug in the provider.

Note that whilst we make every effort to remove authentication tokens from HTTP traces, they can still contain very identifiable and personal information which you should carefully censor before posting on our issue tracker.