Monday, January 24, 2022

Calling Terraform Modules for Azure Active Directory (azuread)


Terraform is one of the most popular open source "infrastructure-as-code" tool and support many cloud providers e.g. AWS, Azure, Google Cloud etc. With terraform modules, we can easily create reusable infrastructure. 

The Azure AD Terraform provider can manage users, groups, service principals, and application as code. 

Note: This article assumes you are well familiar with Terraform and Azure AD.

I have created modules for the below azure ad resources to manage applications and service principal in Azure Active directory:

azuread_application - Manages an application registration within Azure Active Directory. 

Link for the module:

azuread_application_password - Manages a password credential associated with an application within Azure Active Directory. These are also referred to as client secrets during authentication. 

Link for the module:

azuread_application_pre_authorized - Manages client applications that are pre-authorized with the specified permissions to access an application's APIs without requiring user consent.

Link for the module:

azuread_service_principal - Manages a service principal associated with an application within Azure Active Directory. 

Link for the module:

I have created Terraform code repository to consume the above modules for creating applications (link of the GitHub provided at the end), scopes, app roles, redirect URIs, service principal, password credentials, pre-authorizing client applications and API permissions.

The code creates the following scenario below:

Creates Authorizer application (web API / audience application)

Authorizer application will create:
  1. App roles as `Query-01.Read` and `Query-01.Write`
  2. Oauth2_permission_scope `TestScope_01`
  3. Microsoft Graph `User.Read` permission
  4. Identifier Uris ( # To set application uri to api//<app_id>, you need to update via script, this is not possible in terraform)
The code snippet below creates Audience application using terraform module:


Creates Authorized application (client application)

Client application will create:
  1. Grant application permissions for client app to access the above created web API
  2. Microsoft Graph User.Read delegated permission
  3. Redirect URIs or reply URIs where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token. The authorization server sends the code or token to the redirect URI, so it's important you register the correct location as part of the app registration process.
The code snippet below creates Client application using same terraform module:


Creates Service principal for Authorizer and authorized applications 

Service principal for audience and client app is created using module:


Creates Password credentials for client (authorized) applications 

Creating password credentials for client application and storing in the existing key vault

Data source is used to access information about an existing key vault and below code snippets are used to create password credentials and store the password in the key vault. Password credentials are created using module:



Pre-authorizes client (authorized) applications 

Client applications can be pre-authorized, the code snippet below does the needful using module:




Please feel free to download the code from my GitHub repository at: 








1 comment:

  1. Shri KantMay 13, 2022 at 2:51 PM

    Just came across your blog today while searching some AD terraform stuffs. Good Work :)

    ReplyDelete