terraform

Announcing Terraform AzureAD Provider 2.0

Terraform AzureAD provider Version 2.0 exclusively uses the Microsoft Graph API and has numerous schema and behavioral changes to align with the new API.

The HashiCorp Terraform Azure providers team is excited to announce the general availability of version 2.0 of the Terraform AzureAD provider. This release completes the transition to the Microsoft Graph API, which replaces the legacy Azure Active Directory Graph API. This transition includes numerous changes to existing resources to enhance the user experience and improve Azure Active Directory object management.

Please consult the upgrade guide before upgrading, as this release contains several breaking changes. You may need to update your configuration since several deprecated resources and attributes were removed in this version.

Version 2.0 of the Terraform AzureAD provider supports Terraform version 0.12 and above.

»Changes to Authentication

While existing authentication methods continue to be supported, because the provider uses a different API, you will likely need to revisit the API permissions granted to your authentication principals .

We have included comprehensive instructions in our upgrade guide. In addition, the documentation page for each resource now includes a dedicated section detailing the API roles required for that particular resource. One important change is that we no longer recommend using directory roles when authenticating using a service principal; Microsoft Graph features more comprehensive, fine-grained API roles that provide more control and better auditability.

»New Required UUID Properties

A notable change in this version of the AzureAD provider is that you must set several properties in your configuration; these properties were previously managed by the provider. This includes the id field for application roles and OAuth 2.0 permission scopes. Requiring these fields enables Terraform to more reliably manage these aspects of your configuration, and unlocks workflows where these UUID values are well-known or pre-existing.

Our upgrade guide explains this change in more detail, with examples demonstrating how you can use the Terraform random provider to emulate the earlier behavior.

»New Resources

While new features have been purposely minimized for this major version, the provider introduces a new resource and data source:

  1. The azuread_application_pre_authorized resource allows you to manage pre-authorized applications linked to an existing Terraform-managed application.
  2. The azuread_application_published_app_ids data source helps improve the readability of your application configurations by providing named lookups for commonly used Microsoft-published APIs.

»Getting Started

We recommend reading our upgrade guide to find out more about the changes in this version of the Terraform AzureAD provider before upgrading your configuration.

Version 2.0 of the Terraform AzureAD provider is available now on the Terraform Registry. You can use this version in your Terraform configuration like this:

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0.0"
    }
  }
}
terraform {  required_providers {    azuread = {      source  = "hashicorp/azuread"      version = "~> 2.0.0"    }  }}

We also recommend upgrading to Terraform 1.0 even though the Terraform AzureAD provider will work with Terraform 0.12 or newer. Visit the Terraform 1.0 upgrade guide for more details.

After you have upgraded all your configurations to version 2.0 of the Terraform AzureAD provider, don’t forget to audit your existing API permissions or directory roles and remove any that are no longer needed.

In addition, we have created a HashiCorp Learn tutorial to guide you through using Terraform and the Azure AD 2.0 provider. In the process, you will learn about Terraform's configuration language, the Terraform Azure AD provider, and how to leverage both to simplify and automate your workflows.

Sign up for the latest HashiCorp news