
azuread_group: Support for AzureAD B2B user invitations (guests) #41

Closed
daniel-simpson opened this issue Feb 12, 2019 · 16 comments · Fixed by #401

Comments

@daniel-simpson

daniel-simpson commented Feb 12, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Building on this comment, I would like to be able to add guest users to a group using AzureAD B2B.

My use case for this is a clean separation of concerns between user authentication (handled in a separate tenant) and authorization (RBAC on groups). There are Microsoft Graph APIs available for:

The main part I can't get my head around is whether or not this would require an azuread_guest resource type or if we can infer it using the first snippet below.

If we don't need a new azuread_guest resource type, the side effect of extra guest users in this tenant is mitigated by the fact that once removed from all groups, the invited guest's permissions are effectively zero, though I'm aware that in Terraform we don't like things to be implicit 😄

New or Affected Resource(s)

  • azuread_group
  • (Optional) azuread_guest

Potential Terraform Configuration

resource "azuread_group" "mygroup" {
  name = "MyGroup"
  # owners = ["foo.bar@example.com"]
  # members = ["foo.bar2@example.com"]
  guests = ["externalAadUser@test.onmicrosoft.com"]
}

OR

resource "azuread_guest" "guest_invite" {
  email = "test@mail.com"
}

resource "azuread_group" "mygroup" {
  name = "MyGroup"
  members = ["${azuread_guest.guest_invite.id}"]
}

References

@Lachlan-White

Would be very interested in this functionality!

@katbyte katbyte added this to the Blocked milestone May 23, 2019
@katbyte katbyte changed the title Support for AzureAD B2B user invitations azuread_group: Support for AzureAD B2B user invitations (guests) May 23, 2019
@dansanabria

Wonder if there's an update on this?

@CodingAnarchy

Wanted to note for our desired use case, we want the azuread_guest without concern for groups. We can use groups if that's how it is implemented, but mainly we just need to invite a guest user and assign them roles, which would be great if we can do it all via Terraform.

@yuri-tieto

Any update on this one?

@angeloedades

Hi guys, just wanted to add - this feature would be really useful in helping me manage users in code. Is there a rough timeline that we can expect some progress? I know from the previous update that the API required is not available in Go. Have you guys reached out to Microsoft?

@angeloedades

Hi Issue Followers,

If this feature is something that you would like, make sure to vote on #307 too.

@manicminer
Contributor

Thanks @angeloedades. When I opened the other issue I forgot there already was one, but now they both have upvotes we'll keep them both open 👍

@angeloedades

Thanks @manicminer - just to give a bit more background as to why I am 100% in on this feature - I manage a few Azure tenants and the majority of them use B2B users as guests. This feature would immensely help me manage guest users better rather than writing some custom mechanism to issue invites

@bridgepate

Please add this feature

@KoenR3

KoenR3 commented Feb 10, 2021

Same here, we have a lot of B2B users that need to be managed. Currently we cannot add the management to Terraform and we have to leave the environment for this, which is a shame.

@manicminer manicminer linked a pull request Feb 23, 2021 that will close this issue
@manicminer manicminer modified the milestones: Blocked, v1.5.0 Feb 23, 2021
@manicminer
Contributor

This functionality has been merged with #401, which adds a user_type property to the azuread_user resource - you should then be able to add guest users as group members.

@bridgepate

bridgepate commented Feb 23, 2021 via email

@manicminer
Contributor

Unfortunately we need to revert the support for this property as the API appears very broken, more info in #413

We'll keep this issue closed and supersede it with 307 since that's focused on the invitations API in MS Graph. This feature is prominently on our roadmap and we'll be implementing it as soon as we are able.

@manicminer
Contributor

For group member support, I would suggest looking up guest users with the azuread_user data source, which supports user principal names in the format user_guestcorp.com#EXT#@invitingtenant.net. You will need to create these users out of band for now.
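As an added worked example (not code from the issue author or from the provider project), this configuration puts the out-of-band lookup suggested above, and the original request of adding guests to a group, into Terraform 0.12+ syntax against the v1.x `azuread_group` schema. The inviting tenant domain, the guest e-mail addresses and the group name are constructed placeholders; the `#EXT#` UPN pattern follows the format quoted in the comment above.

```hcl
# Constructed placeholder: the domain of the tenant that issued the invitations.
variable "inviting_tenant_domain" {
  type    = string
  default = "invitingtenant.net"
}

# Constructed placeholders: the external e-mail addresses the guests were invited with.
variable "guest_emails" {
  type    = set(string)
  default = ["alice@guestcorp.com", "bob@partner.example"]
}

locals {
  # Azure AD derives a guest's UPN from the external e-mail by replacing "@"
  # with "_" and appending "#EXT#@<inviting tenant domain>", e.g.
  # alice@guestcorp.com -> alice_guestcorp.com#EXT#@invitingtenant.net
  guest_upns = {
    for email in var.guest_emails :
    email => "${replace(email, "@", "_")}#EXT#@${var.inviting_tenant_domain}"
  }
}

# Each guest must already have been invited out of band; the data source fails
# at plan time for any UPN that does not exist, which surfaces a missing
# invitation before the group membership is changed.
data "azuread_user" "guest" {
  for_each            = local.guest_upns
  user_principal_name = each.value
}

# Authorization stays in this tenant: membership is the only thing the guests
# receive here, so removing an address from var.guest_emails revokes it.
resource "azuread_group" "external_readers" {
  name    = "External-Readers"
  members = [for u in data.azuread_user.guest : u.object_id]
}
```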

@ghost

ghost commented Mar 25, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Mar 25, 2021
@ghost

ghost commented May 20, 2021

This has been released in version 1.5.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azuread" {
    version = "~> 1.5.0"
}
# ... other configuration ...

@ghost ghost unlocked this conversation May 20, 2021
@ghost ghost locked as resolved and limited conversation to collaborators May 20, 2021
@manicminer manicminer removed this from the v1.5.0 milestone May 27, 2021