CloudWiki
Group (Microsoft Azure / Identity)
An Azure Active Directory (Azure AD) group is a collection of users, devices, and other groups that is managed as a single entity. Groups simplify permission and access-control management: access to Azure resources such as virtual machines, storage accounts, and virtual networks is granted by assigning roles or permissions to the group rather than to individual principals, and the same groups can control access to third-party applications that support Azure AD, such as Salesforce, Dropbox, and Workday.

Azure AD groups support dynamic membership, where administrators define rules that automatically add or remove members based on attributes such as user location, department, or job title, so membership follows predefined criteria without manual changes. They also support nested groups, where groups are placed within groups to build a hierarchy for managing access: a parent group carries a base set of permissions, and child groups added beneath it carry different sets of permissions.
Terraform name: azuread_group

Group attributes:

The following arguments are supported:

  • administrative_unit_ids - (Optional) The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

Warning

Do not use the administrative_unit_ids property at the same time as the azuread_administrative_unit_member resource, or the members property of the azuread_administrative_unit resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

  • assignable_to_role - (Optional) Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
  • auto_subscribe_new_members - (Optional) Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue

The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

  • behaviors - (Optional) A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
  • description - (Optional) The description for the group.
  • display_name - (Required) The display name for the group.
  • dynamic_membership - (Optional) A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
  • external_senders_allowed - (Optional) Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue

The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

  • hide_from_address_lists - (Optional) Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

Known Permissions Issue

The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

  • hide_from_outlook_clients - (Optional) Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue

The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

  • mail_enabled - (Optional) Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
  • mail_nickname - (Optional) The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
  • members - (Optional) A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

Warning

Do not use the members property at the same time as the azuread_group_member resource for the same group. Doing so will cause a conflict and group members will be removed.

  • onpremises_group_type - (Optional) The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
  • owners - (Optional) A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal being used to execute Terraform is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed.

Group Ownership

It's recommended to always specify one or more group owners, including the principal being used to execute Terraform, as in the Terraform example on this page. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner, which must be a user (i.e. not a service principal).

  • prevent_duplicate_names - (Optional) If true, will return an error if an existing group is found with the same name. Defaults to false.
  • provisioning_options - (Optional) A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
  • security_enabled - (Optional) Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
  • theme - (Optional) The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
  • types - (Optional) A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

Supported Group Types

At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

  • visibility - (Optional) The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

Group Name Uniqueness

Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

  • writeback_enabled - (Optional) Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

dynamic_membership block supports the following:

  • enabled - (Required) Whether rule processing is "On" (true) or "Paused" (false).
  • rule - (Required) The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

Dynamic Group Memberships

Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.
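The following HCL is an added example, not code from the CloudWiki page or from the azuread provider documentation. It creates three groups that together exercise the constraints listed in the attribute reference above: a role-assignable security group whose members are managed only in Terraform, a dynamic security group (requires an Azure AD P1/P2 license), and a private Microsoft 365 group. The display names, the user principal name group-admin@example.com, the mail nickname and the membership rule are placeholders chosen for the example.

```hcl
# Added example (not from the CloudWiki page or the azuread provider docs):
# three azuread_group resources that exercise the constraints documented above.
# Display names, the user principal name, the membership rule and the mail
# nickname are placeholders.

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

# The principal running Terraform; listed as an owner so it can keep managing the groups.
data "azuread_client_config" "current" {}

# A human user who will co-own the groups (placeholder UPN).
data "azuread_user" "group_admin" {
  user_principal_name = "group-admin@example.com"
}

# 1. Role-assignable security group with explicitly managed members.
#    assignable_to_role requires security_enabled = true and cannot be changed later.
#    Because `members` is set here, this group must not also be managed with
#    azuread_group_member, or the two will fight over membership.
resource "azuread_group" "privileged_ops" {
  display_name            = "privileged-ops"
  description             = "Role-assignable group; membership managed only in Terraform"
  security_enabled        = true
  assignable_to_role      = true
  prevent_duplicate_names = true
  owners = [
    data.azuread_client_config.current.object_id,
    data.azuread_user.group_admin.object_id,
  ]
  members = [
    data.azuread_user.group_admin.object_id,
  ]
}

# 2. Dynamic security group: types must include DynamicMembership, `members`
#    must be omitted, and rule processing needs an Azure AD P1/P2 license.
resource "azuread_group" "engineering_dynamic" {
  display_name     = "engineering-dynamic"
  security_enabled = true
  types            = ["DynamicMembership"]
  owners           = [data.azuread_client_config.current.object_id]

  dynamic_membership {
    enabled = true
    rule    = "(user.department -eq \"Engineering\") and (user.accountEnabled -eq true)"
  }
}

# 3. Microsoft 365 group: mail_enabled requires types = ["Unified"] and a
#    mail_nickname; Private visibility restricts joining and content visibility.
#    Microsoft 365 groups must always keep at least one user owner.
resource "azuread_group" "project_team" {
  display_name     = "project-team"
  mail_enabled     = true
  mail_nickname    = "project-team"
  security_enabled = true
  types            = ["Unified"]
  visibility       = "Private"
  owners = [
    data.azuread_client_config.current.object_id,
    data.azuread_user.group_admin.object_id,
  ]
}

output "privileged_ops_object_id" {
  value = azuread_group.privileged_ops.object_id
}
```

Run `terraform plan` with a principal that has permission to create groups; the plan will fail early if, for example, `assignable_to_role` is set on a group that is not security-enabled or `mail_enabled` is set without `types = ["Unified"]`, which is the point of keeping these constraints in code rather than discovering them at apply time.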

Associating resources with a Group

Resources do not "belong" to a Group. Rather, one or more Security Groups are associated to a resource.

Create Group via Terraform:

The following HCL manages a group within Azure Active Directory.

Syntax:

# Identity of the principal running Terraform; used below as the group owner
data "azuread_client_config" "current" {}

resource "azuread_group" "example" {
  display_name     = "example"
  owners           = [data.azuread_client_config.current.object_id]
  security_enabled = true
}

Create Group via CLI:

Parameters:

az ad group create --display-name
                  --mail-nickname
                  [--description]
                  [--force {false, true}]

Example:

az ad group create --display-name MyDisplay --mail-nickname MyDisplay
