Creating Groups In Administrative Units With Infrastructure as Code

An Administrative Unit (AU) in Entra ID is a container for directory resources such as users and groups. One of the benefits of AUs is that you can delegate rights over an AU to other users, granting them the ability to create or manage objects only within that AU. A common scenario is granting people the “Group Administrator” role scoped to an AU so they can create groups within it.

Recently, I was working on some Infrastructure as Code whose task was to create Entra ID groups in a specific AU. I’m using a service principal to do the deployment, and I had granted it the following rights:

  • Group.ReadWrite.All to be able to create groups.
  • AdministrativeUnit.Read.All to read the details of the AU.

I then granted the service principal the group administrator role on the specific AU.

Once I started testing this, I found that I could create groups outside of the AU, but when I tried to put them in the AU, I got a permission error. It turns out that joining an existing group to an AU needs different permissions than creating the group in the AU in the first place.

To add an existing group to an AU you need the “Privileged Role Administrator” role, which is a far more privileged role than Group Administrator. So, if you only have the Group Administrator role, you must create the group inside the AU in the first place. In Terraform or Pulumi, this means specifying the AU in the group resource rather than using the Administrative Unit Member resource.

Terraform

# Identity running the deployment, used here as the group owner
data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
  # Create the group directly inside the AU (replace AUID with the AU's object ID)
  administrative_unit_ids = [
    "AUID"
  ]
}

Pulumi

// Identity running the deployment, used here as the group owner
var current = AzureAD.GetClientConfig.Invoke();

var example = new AzureAD.Group("example", new()
{
    DisplayName = "example",
    Owners = new[]
    {
        current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
    },
    SecurityEnabled = true,
    // Property names are PascalCase in the .NET SDK; replace AUID with the AU's object ID
    AdministrativeUnitIds = new[]
    {
        "AUID",
    },
});

administrative_unit_ids is a list. If you specify more than one AU, the group is created in the first one and the provider then attempts to add it to the others, which brings us back to the original permission issue. If you are working with restricted permissions, limit it to a single AU.
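To make the distinction concrete, the following is an added Terraform example, not code from the original post, that places the pattern which fails under an AU-scoped Group Administrator next to the one that works. It goes slightly beyond the post by resolving the AU with the azuread_administrative_unit data source instead of hard-coding its object ID; the display name “Finance AU” and the group names are made up for illustration. In a real deployment you would keep only the second pattern; the first is shown so the failing step is visible.

```hcl
# Resolve the AU by display name rather than pasting its object ID.
# (Readable with AdministrativeUnit.Read.All, which the service principal already has.)
data "azuread_administrative_unit" "target" {
  display_name = "Finance AU" # assumed name
}

# Identity running the deployment, used as the group owner
data "azuread_client_config" "current" {}

# Pattern that FAILS with only Group Administrator scoped to the AU:
# the group is created tenant-wide, then joined to the AU as a second
# step, and that second step requires Privileged Role Administrator.
resource "azuread_group" "outside_then_added" {
  display_name     = "app-readers-outside" # assumed name
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

resource "azuread_administrative_unit_member" "join" {
  administrative_unit_object_id = data.azuread_administrative_unit.target.object_id
  member_object_id              = azuread_group.outside_then_added.object_id
}

# Pattern that WORKS with only Group Administrator on the AU:
# the group is created inside the AU in a single operation.
resource "azuread_group" "inside_au" {
  display_name     = "app-readers" # assumed name
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
  # Keep this to one AU: any additional entries are added after creation,
  # which runs into the same permission problem as the member resource.
  administrative_unit_ids = [data.azuread_administrative_unit.target.object_id]
}
```

Resolving the AU by name keeps the least-privilege deployment identity unchanged (read on the AU, write on groups) while removing a hard-coded ID from the code.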