Terraform for Azure AD

Use this integration to collect evidence from your Azure Active Directory resources

Written by Micah Spieler
Updated over a month ago

Use Terraform for Azure AD to collect evidence from your Azure Active Directory tenant, including user access lists, group memberships, application registrations, and security configurations.

With our Terraform for Azure AD integration, you can collect evidence of your identity and access management settings directly from Azure AD. Terraform integrations are a flexible, low-code solution that lets you customize what evidence is collected from your cloud systems. Read more about our Terraform integrations.

Important note: You do not need to use Terraform in your tech stack in order to use Terraform for Azure AD to collect evidence.

Types of evidence you might collect with Terraform for Azure AD

There are many different types of evidence that you can collect from Azure AD. The flexibility of this integration is limited only by what is available from Terraform in terms of data sources supported by the Azure AD provider.

Here is a short, non-exhaustive list of some of the possible evidence you may collect from this integration:

  • User access lists and group memberships

  • Application registrations and service principals

  • Domain configurations and client configuration details

  • Directory roles and templates

  • Service principal and application information

Follow the instructions on this page to get started collecting evidence from Azure AD using Terraform.

Configuring Terraform for Azure AD

To configure the Terraform integration with Azure AD, you (or someone in your organization) will need Azure AD administrative privileges to create and configure service principals with appropriate permissions.

Prerequisites

  • Azure AD tenant with administrative access

  • Permissions to create app registrations and service principals

  • Ability to grant admin consent for API permissions

Step 1: Create a Service Principal

Navigate to the Azure Portal and go to Azure Active Directory, then select App registrations and click New registration:

  • Provide a meaningful name for your application (e.g., "Strike Graph Terraform Integration")

  • Grant single tenant access ("accounts in this organizational directory only")

  • Select "Web" for Redirect URI and leave the URL blank

  • Register the application. Note down the Application (client) ID and Directory (tenant) ID as you'll need these later.

Step 2: Create a Client Secret

In your newly created app registration:

  1. Go to Certificates & secrets under the Manage section

  2. Click New client secret

  3. Provide a description and set an appropriate expiration period

  4. Copy the client secret Value immediately (you won't be able to see it again)

Step 3: Grant Subscription Access

This step is crucial and often overlooked. Navigate to Subscriptions in the Azure Portal:

  1. Select the subscription you wish to use

  2. Click Access Control (IAM)

  3. Select Add > Add role assignment

  4. Choose an appropriate role (such as Reader for read-only access)

  5. Search for and select the service principal you created

  6. Complete the role assignment

Step 4: Configure API Permissions

Return to your app registration and configure the necessary API permissions:

  1. Under the Manage category, select API permissions

  2. Click Add a permission

  3. Select Microsoft Graph

  4. Add the following permissions (at minimum):

    • Domain.Read.All (required for credential validation)

    • User.Read.All

    • Group.Read.All

    • Application.Read.All

    • Additional permissions based on the data sources you want to collect

Step 5: Grant Admin Consent

Many API permissions require admin consent. If you see permissions marked as "Not granted for [your organization]":

If you are an admin:

  1. In the API permissions blade, click Grant admin consent for [your organization]

  2. Confirm the consent when prompted

If you are not an admin:

  1. Request admin consent by clicking Grant admin consent

  2. Follow up with your Azure AD administrator to approve the consent request

  3. Alternatively, you can navigate to the subscription's IAM settings, find your app registration under Role Assignments, go to the Permissions blade, and click Grant admin consent

Step 6: Configure the Integration in Strike Graph

Navigate to the Integration Manager in Strike Graph and open the Terraform for Azure AD integration.

Note: If you do not see this integration listed, it may not be available for your organization or role yet; reach out to support or your Customer Success Manager to request access.

  1. Click on the "+ Connect" button to begin configuring a new integration

  2. Enter the following information:

    • Connection Name: A meaningful name for this integration

    • Tenant ID: Your Azure AD Directory (tenant) ID

    • Client ID: Your Application (client) ID

    • Client Secret: The client secret value you copied earlier

  3. Click Save

You can create multiple Azure AD connections as needed to manage different tenants or permission scopes. Everyone with access to your Strike Graph organization will be able to use any configured Azure AD connections during evidence collection.

Using Terraform for Azure AD to collect evidence

Once you have configured a Terraform for Azure AD integration, you can begin using it to collect evidence of your Azure AD resources.

Start by navigating in Strike Graph to the item that you want to collect evidence for. You can choose to attach evidence directly for one-time evidence collection, or configure automated collection (recommended).

Click on either Attach Directly or Automated Collection, and then select the desired Terraform for Azure AD integration from the list of available integrations. If you have configured multiple Terraform for Azure AD integrations, make sure you select the one with the right permissions for the evidence that you plan to collect.

Define the data to collect

Terraform integrations allow you to use a few lines of code to define what data you would like to collect as evidence. These are called "data blocks" and more information about data blocks and local values can be found on the Terraform overview page.

With Terraform for Azure AD, you can collect evidence of identity and access management settings from supported data sources. There is a list of which data sources may be available at the bottom of this page, as well as on the Terraform Azure AD provider page (data sources are listed under the sections on the left side of the page).

Step 1: Define the data block. Data blocks are extensible, but follow a typical pattern:

  • data_source: This defines which Azure AD data source we should read from. Terraform for Azure AD supports data collection from any resource with a supported data source from Terraform's Azure AD provider (see below for a list).

  • temp_name: This is a temporary name you define and is used to refer to this data block during execution. It only has labeling significance within the scope of this configuration. It is also used in the output's filename, so it's recommended that you name it with something recognizable. Names can be repeated across configurations, are limited to alphanumeric characters, and do not allow spaces.

  • query constraints / arguments: Many data sources require specific argument(s) to be included (like the object ID of the resource you're pulling data from), or provide methods for constraining the data based on specific queries so that you can tailor the output. These are written as key/value pairs and can include multiple arguments as accepted by the data source. Refer to the specific data source requirements in the Terraform Azure AD provider documentation.

Step 2: Define the local values used for the execution. This also follows a typical pattern that is derived from the data block: data.data_source.temp_name (sometimes followed by a key if a filter argument is desirable).
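As an added example (not taken from the original article or from Strike Graph's own configuration), here is a data block and matching local values that collect the membership of one security group as access-review evidence. The group display name and the temp_names are placeholders to replace with your own; the Graph permissions it relies on are the Group.Read.All and User.Read.All permissions granted in Step 4.

```hcl
# Added example, not part of the original article.
# data_source = azuread_group, temp_name = privileged_admins
# Argument: the group is looked up by display name (placeholder value).
data "azuread_group" "privileged_admins" {
  display_name     = "Privileged Admins"   # placeholder: your group's name
  security_enabled = true
}

# data_source = azuread_users, temp_name = privileged_admin_members
# Argument: the member object IDs exported by the group data source above.
# The members list can contain groups or service principals as well as users;
# ignore_missing prevents those non-user IDs from failing the collection.
data "azuread_users" "privileged_admin_members" {
  object_ids     = data.azuread_group.privileged_admins.members
  ignore_missing = true
}

# Local values follow the data.data_source.temp_name pattern, optionally
# followed by a key to narrow the output to one exported attribute.
locals {
  # Whole group record (object ID, display name, owners, members, ...)
  privileged_admins_group = data.azuread_group.privileged_admins

  # Only the resolved user records, keyed with ".users" for a readable listing
  privileged_admins_users = data.azuread_users.privileged_admin_members.users
}
```

Because the local values are what becomes the evidence attachment, keeping a separate local for the raw group record and one for the resolved users means the reviewer can see both who is a member and that the membership was taken from the intended group.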

Run the data collection

After you have defined the data block and local values, click the "Attach" button to execute the data collection. This may take a few minutes as we set up the data pipeline to collect the attachment.

Once the collection is finished, the attachment modal will close and you can see the collected data has been added to the evidence. You can confirm what was collected by clicking on the attachment to view the data.

Using Terraform for Azure AD with Automated Collection

It is highly recommended that you configure your evidence collection with automated collection. With Automated Collection, Strike Graph can recollect evidence attachments from Azure AD a few days before expiration so that your evidence remains in an effective 'audit ready' state.

To configure your evidence with Automated Collection, follow the steps above after clicking on the "Automated Collection" button found on the evidence item detail pages. Additional information about Automated Collection is available here.

Removing your Terraform for Azure AD integration

You can remove the integration at any time. Please note that removing an integration does not delete any files that were attached using that integration. Removing an integration will also disrupt automated collection.

To remove:

  1. Go to the Integrations Manager and click on the Terraform for Azure AD card to access the integration configurations

  2. Click the "Deactivate" button next to your configuration

Note: You may have access to remove integrations for other users on your team.

If you are fully removing access between Strike Graph and your Azure AD tenant, you may also wish to:

  • Delete the app registration from Azure AD

  • Remove any role assignments for the service principal

  • Revoke any granted admin consent

Before making these changes, verify that you are not using the service principal for other purposes.

Troubleshooting

For additional Terraform integration troubleshooting tips, click here.

Terraform integrations will return an error if we were unable to execute the collection request. The errors returned will be different depending on which step of the collection failed.

Authentication and Permission Errors

"AzureAD integration validation failed"

This error during integration setup usually indicates invalid credentials or authentication failures. Check the following:

  • Verify that your tenant ID, client ID, and client secret are correct

  • Check that the client secret has not expired

  • Ensure the service principal has been granted the necessary role assignment in the subscription

"Azure AD credential validation failed"

This error during integration setup usually indicates that, while the service principal is correct, we were unable to verify its API permissions, specifically the Domain.Read.All requirement.

  • Verify that you have granted the required API permissions to your app registration (see above)

  • Check that admin consent has been granted for permissions that require it

  • Ensure the service principal has sufficient permissions to read the requested resources

API Permission Issues

Verify:

  • Ensure you have granted Domain.Read.All permission as this is required for credential validation

  • Verify that admin consent has been provided for this permission

Resource access errors:

  • Check that you have the appropriate read permissions for the specific Azure AD resources you're trying to access

  • Some resources may require additional permissions beyond basic read access

General Configuration Errors

Invalid data source errors:

  • Check that the resource you defined in the data_source is available from the Azure AD Terraform provider

  • Ensure that you have included any required query constraints/arguments

  • Refer to the Azure AD provider documentation for specific requirements

Formatting errors:

  • Check that your temp_name is formatted correctly (no spaces, only alphanumeric characters)

  • Verify there are no unexpected characters or formatting issues in the data block or local values

  • Confirm that the local values reference the correct data_source and temp_name

Supported Azure AD Data Sources

The following list is a snapshot of confirmed data sources from the Azure AD Terraform provider. For up-to-date support and specific data source requirements, visit the Terraform documentation.

Administrative Units:

  • azuread_administrative_unit

Applications:

  • azuread_application

  • azuread_application_published_app_ids

  • azuread_application_template

Conditional Access:

  • azuread_named_location

Directory Role Templates:

  • azuread_directory_role_templates

Directory Roles:

  • azuread_directory_roles

Domains:

  • azuread_domains

Groups:

  • azuread_group

  • azuread_groups

Identity Governance:

  • azuread_access_package

  • azuread_access_package_catalog

  • azuread_access_package_catalog_role

Policies:

  • azuread_group_role_management_policy

Service Principals:

  • azuread_service_principal

  • azuread_service_principals

Users:

  • azuread_user

  • azuread_users

Note: Some items may be available as resources (for creation/management) but not as data sources (for reading existing configurations). Always refer to the current Terraform Azure AD provider documentation for the most accurate and complete list of available data sources.