Resource: azuread_group_role_management_policy

Manage a role policy for an Azure AD group.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires the RoleManagementPolicy.ReadWrite.AzureADGroup Microsoft Graph API permission.

When authenticated with a user principal, this resource requires the Global Administrator directory role, or the Privileged Role Administrator role in Identity Governance.

Example Usage

resource "azuread_group" "example" {
  display_name     = "group-name"
  security_enabled = true
}

resource "azuread_user" "member" {
  user_principal_name = "jdoe@hashicorp.com"
  display_name        = "J. Doe"
  mail_nickname       = "jdoe"
  password            = "SecretP@sswd99!"
}

resource "azuread_group_role_management_policy" "example" {
  group_id        = azuread_group.example.id
  assignment_type = "member"

  # Active (direct) member assignments must expire within 365 days
  active_assignment_rules {
    expire_after = "P365D"
  }

  # Eligible assignments may be permanent
  eligible_assignment_rules {
    expiration_required = false
  }

  # Approvers receive only critical notifications about eligible assignments,
  # sent to the listed addresses instead of the default recipients
  notification_rules {
    eligible_assignments {
      approver_notifications {
        notification_level = "Critical"
        default_recipients = false
        additional_recipients = [
          "someone@example.com",
          "someone.else@example.com",
        ]
      }
    }
  }
}

Argument Reference


An activation_rules block supports the following:


An active_assignment_rules block supports the following:

One of expiration_required or expire_after must be provided.


An approval_stage block supports the following:


An eligible_assignment_rules block supports the following:

One of expiration_required or expire_after must be provided.


A notification_rules block supports the following:

At least one notification_target block must be provided.


A notification_settings block supports the following:


A notification_target block supports the following:

At least one notification_settings block must be provided.


A primary_approver block supports the following:
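
As an added example, not part of the provider's own documentation, the configuration below combines the activation_rules, approval_stage, primary_approver and notification_rules blocks into a tighter policy for a privileged group: activation of an eligible membership is capped at eight hours and requires MFA, a justification and approval by members of a separate approvers group, while standing (active) assignments are kept short and every change to them is reported to a monitored mailbox. The argument names inside activation_rules, approval_stage and primary_approver (maximum_duration, require_approval, require_justification, require_multifactor_authentication, object_id, type), the active_assignments target, the admin_notifications settings block and the notification level All are assumed from the azuread provider rather than listed on this page; the group names and e-mail addresses are constructed.

```hcl
# Added example: a least-privilege PIM policy for group membership.
# Argument names inside activation_rules, approval_stage and primary_approver,
# plus active_assignments / admin_notifications and the level "All", are
# assumed from the azuread provider; they are not listed on this page.

resource "azuread_group" "privileged" {
  display_name     = "privileged-app-admins" # constructed name
  security_enabled = true
}

# Approvers live in a separate group so that the people who can request
# activation are not the ones who approve it.
resource "azuread_group" "approvers" {
  display_name     = "privileged-app-admins-approvers" # constructed name
  security_enabled = true
}

resource "azuread_group_role_management_policy" "privileged_member" {
  group_id        = azuread_group.privileged.id
  assignment_type = "member"

  # Standing (active) membership is never permanent and expires after 15 days.
  active_assignment_rules {
    expire_after = "P15D"
  }

  # Eligibility itself must be renewed yearly.
  eligible_assignment_rules {
    expire_after = "P365D"
  }

  # Controls applied when an eligible member activates membership.
  activation_rules {
    maximum_duration                   = "PT8H" # assumed argument
    require_multifactor_authentication = true   # assumed argument
    require_justification              = true   # assumed argument
    require_approval                   = true   # assumed argument

    approval_stage {
      primary_approver {
        object_id = azuread_group.approvers.id # assumed argument
        type      = "groupMembers"             # assumed argument
      }
    }
  }

  notification_rules {
    # Every change to a standing assignment goes to the default recipients
    # and to a monitored audit mailbox.
    active_assignments { # assumed target name
      admin_notifications { # assumed settings block
        notification_level    = "All" # assumed level value
        default_recipients    = true
        additional_recipients = ["pim-audit@example.com"] # constructed address
      }
    }

    # Approvers only need critical notifications about eligible assignments.
    eligible_assignments {
      approver_notifications {
        notification_level    = "Critical"
        default_recipients    = true
        additional_recipients = ["pim-approvers@example.com"] # constructed address
      }
    }
  }
}
```

Keeping approvers in their own group, rather than approving from within the privileged group, is what makes the require_approval control meaningful: no single identity can both request and approve an activation.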

Attributes Reference

In addition to all arguments above, the following attributes are exported:

Import

Because these policies are created automatically by Entra ID, they will auto-import on first use.