How can I create Azure AD group memberships using Terraform?

Question

I'm trying to create Group Memberships in an Azure AD group for the purpose of inheriting the other group's access

I can do this in the Azure portal here: Azure Portal Group Membership Blade

But I can't figure out how to do this with powershell/azure-cli or terraform

Is this even possible ? If not, is there a workaround for it ?

Answer 1

Azure support got back to me with a solution:

There's 2 ways to do this with powershell:

With the msonline module (this does not directly work in powershell core)

> Add-MsolGroupMember -GroupObjectId $groupid -GroupMemberType User -GroupMemberObjectId $userid

With the azuread module (this works directly in powershell core)

> Add-AzADGroupMember -MemberObjectId $targetGroupIdValue --TargetGroupObjectId $groupIdValue

Note, this solution adds a member to the other group for no apparent reason, might be a bug

Answer 2

You can give it a try using the Terraform Azure AD provider. We use it for user membership but I see there's support for a group object as well.

data "azuread_user" "example" {
  user_principal_name = "jdoe@hashicorp.com"
}

resource "azuread_group" "example" {
  name = "my_group"
}

resource "azuread_group_member" "example" {
  group_object_id  = azuread_group.example.id
  member_object_id = data.azuread_user.example.id
}

member_object_id - (Required) The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

So you would use something like this instead:

data "azuread_group" "example" {
  display_name     = "MyGroupName"
  security_enabled = true
}

resource "azuread_group_member" "example" {
  group_object_id  = azuread_group.example.id
  member_object_id = data.azuread_group.example.id
}