How to Manage Active Directory Objects with Azure AD Provider for Terraform

The Azure AD provider for Terraform can be used to manage your Azure Active Directory resources declaratively. This allows you to do things like:

  • Automatically provision users and make sure they belong to the correct groups.
  • Manage Azure compute permissions via Azure AD groups.

In this post, you will learn what the Azure AD Terraform provider is used for, how to authenticate and grant permissions, and see examples of what you can do with it. Let’s get started.

Step 1 - Create a Group in Azure AD

The following example shows how to use the Azure AD provider to create a group in Azure AD:

terraform {
 required_providers {
   azuread = {
     source  = "hashicorp/azuread"
     version = "= 1.6.0"
   }
 }
}

resource "azuread_group" "test" {
 display_name = "Test Group"
}

The terraform section at the beginning is used to specify the version of the provider that we want to use, while the azuread_group resource defines our group.

Step 2 - Authenticate with Azure

The Azure AD provider allows for multiple authentication methods, which are outlined in the provider’s documentation. To allow you to get up and running quickly, the AD provider will attempt to get your credentials via the Azure CLI.

While this is fine for experimentation and local testing, for non-interactive scenarios like CI you will need to use a Service Principal or a Managed Service Identity.
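A provider configuration for the Service Principal case, as an added example that is not from the original post. The variable names are assumptions, and the client secret is expected to be injected by the CI system's secret store rather than committed to the repository.

```hcl
# Added example: variable names are illustrative.
variable "tenant_id" {
  type        = string
  description = "Azure AD tenant the Service Principal belongs to"
}

variable "client_id" {
  type        = string
  description = "Application (client) ID of the Service Principal"
}

variable "client_secret" {
  type        = string
  description = "Client secret, injected by CI (for example as TF_VAR_client_secret)"
  sensitive   = true # redacts the value in plan/apply output (Terraform 0.14+)
}

provider "azuread" {
  tenant_id     = var.tenant_id
  client_id     = var.client_id
  client_secret = var.client_secret
}

# Managed Service Identity alternative: no secret to store at all.
# provider "azuread" {
#   tenant_id = var.tenant_id
#   use_msi   = true
# }
```

The same values can instead be supplied through the ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables, which keeps them out of the Terraform configuration entirely.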

Step 3 - Grant Permissions

In order to manage your Azure AD objects, the account used by Terraform needs to have the correct permissions to perform its actions. You can manage these permissions via the Roles and administrators section of Azure AD:

[Image: Roles and administrators section of Azure AD]

For example, to allow a Service Principal to manage groups, you would add it to the Groups administrator role:

[Image: Azure AD Groups administrator]

The Terraform provider is well documented, and will typically contain a notice at the top of each resource explaining the permissions that are required for using it.

Step 4 - Assign API Permissions

Another option that can be used with Service Principals instead of granting an administrator role is to assign specific API permissions to them. To do this, first find the AD Application linked to your Service Principal in the App Registrations section:

[Image: Service Principal in the App Registrations section]

Go to the API permissions page for the application, and click on Add a permission:

[Image: Manage Active Directory Objects]

In the window that appears, choose the Azure Active Directory Graph API, and then select the relevant permission you want to add:

[Image: Azure Active Directory Graph API]

Before the Service Principal can actually use the permission you just added, you need to take a final step called granting Admin Consent. You can do this by clicking on the Grant admin consent for <tenant> button displayed above the permissions table:

[Image: Azure AD Admin Consent]


  • When adding permissions to your Service Principal, you need to add Application permissions rather than Delegated permissions. This means that the Service Principal is allowed to perform the specified actions as itself, rather than on behalf of another user.
  • The set of permissions that you can add via API permissions is quite limited. For example, to create AD groups you need to add the Directory.ReadWrite.All permission, but this will not allow your Service Principal to delete any of the groups it creates. In order to be able to delete groups, you need to grant it the Group Administrator role, so depending on your requirements there may not be any point in granting API permissions.
  • The Azure AD Terraform provider switches to the Microsoft Graph API as of version 2.0.0, so when version 2 is released you will need to grant permissions to the Microsoft Graph API instead of to the Azure Active Directory Graph API.

More Examples

Example 1 – Managing Users and Groups

The following example creates two users and two groups, and assigns each user to a group:

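# The passwords below are sample values; do not commit real passwords to source control.
resource "azuread_user" "adamc" {
 user_principal_name   = "adamc@mydomain.com"
 display_name          = "Adam Connelly"
 password              = "SuperSecret01@!"
 force_password_change = true
}

resource "azuread_user" "bobd" {
 user_principal_name   = "bobd@mydomain.com"
 display_name          = "Bob Dolton"
 password              = "SuperSecret01@!"
 force_password_change = true
}

# Group members are listed by object ID.
# Assumed mapping: adamc -> Development, bobd -> Sales.
resource "azuread_group" "development" {
 display_name = "Development"
 members = [
   azuread_user.adamc.object_id,
 ]
}

resource "azuread_group" "sales" {
 display_name = "Sales"
 members = [
   azuread_user.bobd.object_id,
 ]
}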
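A variant of the user definitions that avoids a shared password literal in source control, as an added example that is not part of the original post. It is a stand-alone configuration; the use of the hashicorp/random provider, the resource names and the output name are assumptions.

```hcl
# Added example: generate a distinct initial password per user instead of
# committing one shared literal to the repository.
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "= 1.6.0"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

locals {
  # Constructed sample data mirroring the two users above.
  users = {
    adamc = "Adam Connelly"
    bobd  = "Bob Dolton"
  }
}

resource "random_password" "initial" {
  for_each    = local.users
  length      = 24
  min_upper   = 1
  min_lower   = 1
  min_numeric = 1
  min_special = 1
}

resource "azuread_user" "staff" {
  for_each              = local.users
  user_principal_name   = "${each.key}@mydomain.com"
  display_name          = each.value
  password              = random_password.initial[each.key].result
  force_password_change = true
}

# Marked sensitive so the values are not printed by plan/apply.
# They are still written to the state file, so restrict access to the state backend.
output "initial_passwords" {
  value     = { for k, p in random_password.initial : k => p.result }
  sensitive = true
}
```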

Example 2 – Creating a Service Principal and granting RBAC permissions

The following example combines the Azure AD provider with the Azure RM provider, allowing you to create a Service Principal and assign it permission to manage certain Azure resources:

# Create an AD Application
resource "azuread_application" "automation" {
 display_name = "sp-automation"
}

# Create a Service Principal from that Application
resource "azuread_service_principal" "automation" {
 application_id               = azuread_application.automation.application_id
 app_role_assignment_required = false
}

# Get information about the configured Azure subscription
data "azurerm_subscription" "primary" {}

# Grant our service principal "Contributor" access over the subscription
resource "azurerm_role_assignment" "automation_contributor" {
 scope                = data.azurerm_subscription.primary.id
 role_definition_name = "Contributor"
 principal_id         = azuread_service_principal.automation.object_id
}

Key Points

In this post, we’ve covered what the Azure AD Terraform provider is used for, how to authenticate and grant the correct permissions, as well as showing a few examples of what can be done with it. Hopefully, you’ve found it useful!

If you’re interested in finding out about how you can use Spacelift to manage your Azure resources via the Terraform Azure Provider, check out our Azure documentation. There you can also learn how to configure the following authentication methods in Spacelift: Spacelift Managed Integration, Static Credentials and Managed Service Identities. And don’t forget that you can easily take Spacelift for a free test drive!
