Administrative Unit Support #329

Closed
akingscote opened this issue Oct 6, 2020 · 7 comments

Comments

@akingscote (Contributor) commented Oct 6, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Would it be possible to add support for [Administrative Units](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-administrative-units)?
It seems that it's an AzureAD feature. There is support in the Microsoft Graph API so I assume it would be possible?
https://docs.microsoft.com/en-us/graph/api/resources/administrativeunit?view=graph-rest-1.0

New or Affected Resource(s)

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

  • #0000
@manicminer (Contributor) commented

Hi @akingscote, thanks for requesting this feature. You are correct, administrative units are supported by Microsoft Graph. We are currently working on MS Graph support and once this has landed, we'll be able to look at implementing this.

More details: #323

@Grant-Rc commented Dec 1, 2020

Hello

I'm looking into administrative units as our AAD team are looking to limit our team's access. Right now I can create and manage groups via azuread_user and azuread_group, but once they create administrative units and move all my objects to these units I assume it's going to break my state etc.

I don't want to manage administrative units, but I assume azuread_user needs some sort of "-scope" support to be added directly to a unit on creation?

@manicminer (Contributor) commented

Hi @Grant-Rc, to the best of my knowledge, objects can be members of multiple AUs and it doesn't affect their scope in the directory. I haven't tested it yet, but I would not expect managing a user with this provider (and hence the deprecated API) to break AU memberships, or, vice versa, changing AU memberships should not affect your Terraform state. However, you won't be able to manage AUs or their memberships with the provider until we are ready with API support.

That said, I haven't tested this so would advise caution and test these assumptions before rolling out in production.

In terms of privilege/permissions management, I am not sure how the AAD Graph API interacts with, or respects, admin roles that are scoped to AUs. This you would also have to test to be certain. It may be the case that the API simply does not support them, in which case you would still need tenant-scoped roles in order for [the principal you use to execute] Terraform to still manage your tenant.

@SteveKurutz commented

I picked up on this thread while trying to figure out how to get TF to link a TF-created AzureAD group to an administrative unit. I see that the AzureAD provider supports the management of AUs, and the management of AzureAD groups... but I can't seem to find where I can link an AU to an AzureAD group. Is that feature planned?

@manicminer (Contributor) commented

@SteveKurutz are you looking for the azuread_administrative_unit_member resource (or the members property of azuread_administrative_unit)?

Also, closing this issue as this was recently released!
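As an added illustration (not from this issue or the provider's own documentation), the configuration below links a Terraform-created group to an AU with `azuread_administrative_unit_member`, and also shows `azuread_administrative_unit_role_member`, which expresses the AU-scoped role question raised above as a role assignment limited to the unit rather than the whole tenant. Display names and the `delegated_admin_object_id` variable are assumed for the example.

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

# A security group that will be placed under AU scope (example name).
resource "azuread_group" "app_team" {
  display_name     = "app-team-engineers"
  security_enabled = true
}

# The administrative unit itself. Its "members" are the directory
# objects (users, groups, devices) that the unit scopes.
resource "azuread_administrative_unit" "app_team" {
  display_name = "App Team AU"
  description  = "Scope for app-team delegated administration"
}

# Link the group to the AU: in AU terms the group is a "member".
resource "azuread_administrative_unit_member" "app_team_group" {
  administrative_unit_object_id = azuread_administrative_unit.app_team.object_id
  member_object_id              = azuread_group.app_team.object_id
}

# Activate the built-in directory role that will be delegated.
resource "azuread_directory_role" "groups_admin" {
  display_name = "Groups Administrator"
}

# Assign the role scoped to this AU only, so the delegated principal
# can administer groups inside the unit but not tenant-wide.
resource "azuread_administrative_unit_role_member" "delegated" {
  role_object_id                = azuread_directory_role.groups_admin.object_id
  administrative_unit_object_id = azuread_administrative_unit.app_team.object_id
  member_object_id              = var.delegated_admin_object_id
}

# Assumed input: object ID of the user or service principal receiving
# the AU-scoped role.
variable "delegated_admin_object_id" {
  type        = string
  description = "Object ID of the principal granted Groups Administrator within the AU."
}
```

Note that the principal running Terraform still needs sufficient tenant-level permissions to create the AU and the role assignment; the scoped role only limits what the delegated principal can do afterwards.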

@SteveKurutz commented
@manicminer - thanks for checking back on this. Regarding your question, yes, that's it. I had gotten confused regarding the term 'member' and didn't recognize that principals managed within an AU scope are "members". I think I'm set, thanks!

@github-actions bot commented Jan 1, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 1, 2022