
Create an Azure AD Group in an Administrative Unit #906

Closed
LaurentLesle opened this issue Oct 11, 2022 · 11 comments · Fixed by #984

Comments

@LaurentLesle
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The azuread provider can add an existing Azure AD group created at the root of the directory. This issue is to raise a feature request to align with the portal, which now has the option to create an Azure AD Group directly into an Administrative Unit (AU).

The data source should also include the administrative unit when the group is created only in an AU.


New or Affected Resource(s)

  • azuread_group (resource and data source)

Potential Terraform Configuration

resource "azuread_administrative_unit" "example" {
  display_name = "Example-AU"
  description  = "Just an example"
  visibility   = "Public"
}

resource "azuread_group" "example" {
  display_name                  = "example"
  security_enabled              = true
  administrative_unit_object_id = azuread_administrative_unit.example.id
}

References

https://learn.microsoft.com/en-us/graph/api/administrativeunit-post-members?view=graph-rest-1.0&tabs=http#example-2-create-a-new-group


@Threpio
Contributor

Threpio commented Oct 11, 2022

The current Hamilton Version does not have an Administrative unit field in the Group object.

This requires SDK changes.

@mb-northwave

I've just spent a couple of hours looking for this very feature. So I would like this a lot.

One problem is that the az program or PowerShell itself doesn't directly expose this either; the only way to do this is by calling the Graph API directly. And I could not find any indication of an "azapi-like" provider that can call the Graph API directly. Is there anything that could do that? Or is the only way to do this currently to use a 'restapi' provider?

@manicminer
Contributor

Thanks for opening this issue, however I believe support for this is already present in the provider using the azuread_administrative_unit_member resource which was added in v2.11.0.

@manicminer manicminer closed this as not planned, Oct 27, 2022
@mb-northwave

Hello @manicminer

The azuread_administrative_unit_member resource requires an existing group (the member_object_id reference), which must be created beforehand and can currently only be created outside the Administrative Unit. That is exactly the problem, as permissions to create groups inside the Administrative Unit don't mean you can create groups outside that Administrative Unit. Please check again. Thanks.

@manicminer manicminer reopened this Oct 27, 2022
@manicminer
Contributor

Hi @mb-northwave, thanks for the clarification. That makes sense, and should be possible for us to add 👍

@manicminer manicminer added the enhancement and feature/groups labels and removed the invalid label, Oct 27, 2022
@s3bi77

s3bi77 commented Dec 14, 2022

Hi, any update or ETA on when this resource will be available? I'm working in a large enterprise project and am trying to terraform several groups where I could really benefit from having this feature. Otherwise I would need to create the group manually and then import it into the terraform state as an azuread_group resource :(

@pierre-mo

This seems to be the only way to properly create groups in a multi-tenancy context.

Looking forward to this feature as well!

@ccadruvi
Contributor

As far as I can see, assigning an existing group to an administrative unit requires "Privileged Role Administrator", which is a way too broad permission, as this role can distribute "Global Administrator" permissions as well.
https://learn.microsoft.com/en-us/azure/active-directory/roles/admin-units-members-add

@hoizfux

hoizfux commented Dec 23, 2022

In the Azure Portal it is possible to create a group in an administrative unit directly. This requires the group administrator role in the administrative unit only.
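The two Graph requests the thread contrasts, as an added example that is not part of this issue or of the azuread provider: mb-northwave's direct Graph call that creates the group inside the AU (the "Example 2" shape from the administrativeunit-post-members page the issue links), and the `$ref` member-add call that azuread_administrative_unit_member relies on, which presumes the group already exists outside the AU. The request URLs and body fields follow the public Graph v1.0 documentation; the mailNickname character rules and the `az rest` argv rendering are assumptions to re-verify, and the AU and group IDs are constructed placeholders. The code only builds and validates the requests; it sends nothing.

```python
import json
import re
from typing import Any, Dict, List, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Characters Graph documents as rejected in a group's mailNickname
# (assumption taken from the Graph group-resource docs; re-verify).
_BAD_NICKNAME_CHARS = re.compile(r'[@()\\\[\]";:<>, ]')

Request = Tuple[str, str, Dict[str, Any]]  # (HTTP method, URL, JSON body)


def validate_mail_nickname(nickname: str) -> None:
    """Reject nicknames Graph would refuse so the error surfaces before the call."""
    if not nickname or len(nickname) > 64:
        raise ValueError("mailNickname must be 1-64 characters")
    if not nickname.isascii() or _BAD_NICKNAME_CHARS.search(nickname):
        raise ValueError(f"mailNickname contains characters Graph rejects: {nickname!r}")


def nickname_is_valid(nickname: str) -> bool:
    try:
        validate_mail_nickname(nickname)
        return True
    except ValueError:
        return False


def create_group_in_au_request(au_id: str, display_name: str, mail_nickname: str,
                               description: str = "", security_enabled: bool = True) -> Request:
    """Create a new security group directly inside the AU (one call, AU-scoped).

    POST /directory/administrativeUnits/{id}/members with a full group body
    whose @odata.type names the Group type, as in the linked Graph example.
    """
    validate_mail_nickname(mail_nickname)
    body = {
        "@odata.type": "#Microsoft.Graph.Group",
        "description": description,
        "displayName": display_name,
        "groupTypes": [],            # [] = plain security group, not Microsoft 365
        "mailEnabled": False,
        "mailNickname": mail_nickname,
        "securityEnabled": security_enabled,
    }
    return "POST", f"{GRAPH_BASE}/directory/administrativeUnits/{au_id}/members", body


def add_existing_group_request(au_id: str, group_id: str) -> Request:
    """Add an already-existing group to the AU ($ref form).

    This is the shape azuread_administrative_unit_member uses; it only works
    once the group exists, which is the gap the issue describes.
    """
    body = {"@odata.id": f"{GRAPH_BASE}/groups/{group_id}"}
    return "POST", f"{GRAPH_BASE}/directory/administrativeUnits/{au_id}/members/$ref", body


def to_az_rest_argv(request: Request) -> List[str]:
    """Render a request as an `az rest` argv (assumed flag set; never executed here)."""
    method, url, body = request
    return ["az", "rest", "--method", method, "--url", url,
            "--headers", "Content-Type=application/json",
            "--body", json.dumps(body)]


if __name__ == "__main__":
    # Constructed placeholder IDs, not real directory objects.
    au = "00000000-0000-0000-0000-00000000000a"
    req = create_group_in_au_request(au, "example", "example", "Just an example")
    print(" ".join(to_az_rest_argv(req)))
    print(" ".join(to_az_rest_argv(add_existing_group_request(au, "00000000-0000-0000-0000-00000000000b"))))
```

The practical difference for a least-privilege design is in which call an AU-scoped operator can make at all: the first request needs only rights inside the AU, while the second needs the group to have been created somewhere the operator may not have rights to create it.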

@mb-northwave

mb-northwave commented Dec 23, 2022 via email

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 24, 2023