Resource: azuread_custom_directory_role

Manages a Custom Directory Role within Azure Active Directory.

This resource is for managing custom directory roles. For management of built-in roles, see the azuread_directory_role resource.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: RoleManagement.ReadWrite.Directory or Directory.ReadWrite.All.

When authenticated with a user principal, this resource requires one of the following directory roles: Privileged Role Administrator or Global Administrator.

Example Usage

resource "azuread_custom_directory_role" "example" {
  display_name = "My Custom Role"
  description  = "Allows reading applications and updating groups"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/groups/allProperties/read",
      "microsoft.directory/groups/basic/update",
      "microsoft.directory/groups/create",
      "microsoft.directory/groups/delete",
    ]
  }
}
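As an added example that is not part of the provider documentation, the following Python check pulls the allowed_resource_actions out of an azuread_custom_directory_role configuration like the one above and reports, for review, any duplicated entries, any write-capable actions (last path segment update, create or delete) and any allProperties property sets; the embedded HCL is a constructed sample and the regex-based extraction assumes the quoted-string list shape shown on this page.

```python
import re
from collections import Counter

# Constructed sample: a custom role in the shape documented above, including a
# duplicated entry so the duplicate check has something to find.
SAMPLE_HCL = """
resource "azuread_custom_directory_role" "example" {
  display_name = "My Custom Role"
  enabled      = true
  version      = "1.0"

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/applications/basic/update",
      "microsoft.directory/applications/create",
      "microsoft.directory/applications/standard/read",
    ]
  }

  permissions {
    allowed_resource_actions = [
      "microsoft.directory/groups/allProperties/read",
      "microsoft.directory/groups/allProperties/read",
      "microsoft.directory/groups/delete",
    ]
  }
}
"""

# Matches each quoted action string; actions follow the
# microsoft.directory/<entity>/<propertySet>/<privilege> layout seen on this page
# (create and delete carry no property set).
ACTION_RE = re.compile(r'"(microsoft\.directory/[^"]+)"')
WRITE_VERBS = {"update", "create", "delete"}


def extract_actions(hcl: str) -> list[str]:
    """Return every action string in file order, keeping duplicates."""
    return ACTION_RE.findall(hcl)


def review_actions(actions: list[str]) -> dict[str, list[str]]:
    """Summarise what the role can change, not only read, for a least-privilege review."""
    unique = set(actions)
    return {
        "duplicates": sorted(a for a, n in Counter(actions).items() if n > 1),
        "write_actions": sorted(a for a in unique if a.rsplit("/", 1)[-1] in WRITE_VERBS),
        "all_properties": sorted(a for a in unique if "/allProperties/" in a),
    }


if __name__ == "__main__":
    for key, items in review_actions(extract_actions(SAMPLE_HCL)).items():
        print(key, items)
```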

Argument Reference

The following arguments are supported:
permissions blocks support the following:

Attributes Reference

In addition to all arguments above, the following attributes are exported:

Import

This resource does not support importing.