This Terraform module simplifies the creation and management of Microsoft Entra ID applications and service principals. It supports advanced configuration options such as app roles, permission scopes, federated identity credentials, optional claims, and password rotation. The module is designed to automate and standardize Microsoft Entra ID application registration for a variety of use cases, including web apps, APIs, and automation scenarios.
The following requirements are needed by this module:
The following providers are used by this module:
The following resources are used by this module:
- azuread_app_role_assignment.this (resource)
- azuread_application_api_access.this (resource)
- azuread_application_app_role.this (resource)
- azuread_application_fallback_public_client.this (resource)
- azuread_application_federated_identity_credential.this (resource)
- azuread_application_identifier_uri.default (resource)
- azuread_application_identifier_uri.this (resource)
- azuread_application_optional_claims.this (resource)
- azuread_application_owner.this (resource)
- azuread_application_password.this (resource)
- azuread_application_permission_scope.this (resource)
- azuread_application_redirect_uris.public_client (resource)
- azuread_application_redirect_uris.spa (resource)
- azuread_application_redirect_uris.web (resource)
- azuread_application_registration.this (resource)
- azuread_service_principal.this (resource)
- azuread_service_principal_delegated_permission_grant.this (resource)
- random_uuid.role (resource)
- random_uuid.scope (resource)
- time_rotating.this (resource)
- azuread_service_principal.required_access (data source)
The following input variables are required:
Description: The display name for the application.
Type: string
The following input variables are optional (have default values):
Description: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
Type: bool
Default: false
Description: (Optional) A description of the application, as shown to end users.
Type: string
Default: null
Description: (Optional) Specifies explicitly whether the application is a public client. Appropriate for apps using token grant flows that don't use a redirect URI.
Type: bool
Default: null
Description: (Optional) A collection of federated identity credentials for this application.
Type:
  map(object({
    audiences    = optional(list(string), ["api://AzureADTokenExchange"])
    description  = optional(string)
    display_name = string
    issuer       = string
    subject      = string
  }))
Default: {}
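Each entry of the federated identity credential map above becomes one azuread_application_federated_identity_credential resource, the resource this module lists. The following is an added example, not code from this module, written against the hashicorp/azuread v3 provider: it registers an application and lets a GitHub Actions workflow for one repository and branch obtain tokens over OIDC, so no client secret exists to store or rotate. The organisation, repository and display names are placeholders.

```hcl
# Added example (not the module's own code). Assumes the hashicorp/azuread v3
# provider; "example-org/example-repo" and the display names are placeholders.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
  }
}

resource "azuread_application_registration" "this" {
  display_name     = "example-deployer"
  sign_in_audience = "AzureADMyOrg"
}

resource "azuread_service_principal" "this" {
  client_id = azuread_application_registration.this.client_id
}

# Trust relationship: Entra accepts a GitHub OIDC token only if its issuer,
# subject and audience all match what is declared here.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_id = azuread_application_registration.this.id
  display_name   = "github-main-branch"
  description    = "Constructed example: tokens for the main branch of one repository"
  audiences      = ["api://AzureADTokenExchange"]   # the module's default audience
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:example-org/example-repo:ref:refs/heads/main"
}
```

The subject is compared exactly against the sub claim of the incoming token, so pin it to a specific branch or deployment environment rather than describing the repository loosely; the audience api://AzureADTokenExchange is the value Entra expects for token exchange and is the module's default for the same reason.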
Description: Whether to generate a password for the application.
Type: bool
Default: false
Description: Whether to grant admin consent on the application permissions.
Type: bool
Default: false
Description: Whether to grant admin consent on the delegated permissions.
Type: bool
Default: false
Description: (Optional) Configures the groups claim issued in a user or OAuth access token that the app expects. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.
Type: list(string)
Default: null
Description: (Optional) Home page or landing page of the application.
Type: string
Default: null
Description: (Optional) A list of user-defined URIs or URI-like strings that uniquely identify the application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.
Type: list(string)
Default: []
Description: (Optional) Whether this application can request an access token using OAuth implicit flow.
Type: bool
Default: null
Description: (Optional) Whether this web application can request an ID token using OAuth implicit flow.
Type: bool
Default: null
Description: (Optional) The URL that will be used by Microsoft's authorization service to sign out a user using front-channel, back-channel or SAML logout protocols.
Type: string
Default: null
Description: (Optional) URL of the marketing page for the application.
Type: string
Default: null
Description: (Optional) User-specified notes relevant for the management of the application.
Type: string
Default: null
Description: (Optional) A collection of optional claims to be included in the access token, ID token, and SAML2 token.
Type:
  object({
    access_token = optional(list(object({
      additional_properties = optional(list(string))
      essential             = optional(bool)
      name                  = string
      source                = optional(string)
    })), [])
    id_token = optional(list(object({
      additional_properties = optional(list(string))
      essential             = optional(bool)
      name                  = string
      source                = optional(string)
    })), [])
    saml2_token = optional(list(object({
      additional_properties = optional(list(string))
      essential             = optional(bool)
      name                  = optional(string)
      source                = optional(string)
    })), [])
  })
Default: null
Description: (Optional) A list of object IDs of the principals that will be granted ownership of the application.
Type: list(string)
Default: []
Description: Number of days before the password is rotated. If set to 0, the password will not be rotated.
Type: number
Default: 180
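The password generation flag and the rotation period above drive the module's time_rotating.this and azuread_application_password.this resources. The following is an added example, not the module's own code, of that wiring against the hashicorp/azuread v3 and hashicorp/time providers: a time_rotating clock is created only when rotation is enabled, and the secret is keyed to it so Terraform replaces the secret whenever the clock rolls over. generate_password is the output-referenced name from this page; rotation_days is a hypothetical variable name chosen to mirror the description above.

```hcl
# Added example (not the module's own code). Assumes hashicorp/azuread v3 and
# hashicorp/time; "rotation_days" is a hypothetical variable name.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    time    = { source = "hashicorp/time" }
  }
}

variable "generate_password" {
  type    = bool
  default = true
}

variable "rotation_days" {
  type        = number
  default     = 180
  description = "Days between rotations; 0 disables rotation"
}

resource "azuread_application_registration" "this" {
  display_name = "example-rotated-secret"
}

# The rotation clock exists only when rotation is enabled.
resource "time_rotating" "this" {
  count         = var.generate_password && var.rotation_days > 0 ? 1 : 0
  rotation_days = var.rotation_days
}

resource "azuread_application_password" "this" {
  count          = var.generate_password ? 1 : 0
  application_id = azuread_application_registration.this.id
  display_name   = "terraform-managed"

  # Empty map when rotation_days is 0: the secret is never forced to change.
  # Otherwise the secret is replaced each time time_rotating.this rolls over.
  rotate_when_changed = { for r in time_rotating.this : "rotation" => r.id }
}

output "client_secret" {
  value     = var.generate_password ? azuread_application_password.this[0].value : null
  sensitive = true
}
```

The generated value is written to Terraform state in clear text, so the state backend needs the same access control as the secret itself, and every consumer of the secret has to pick up the new value on each rotation or it will start failing authentication at the next rollover.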
Description: (Optional) A collection of exposed permission scopes by the application.
Type:
  map(object({
    admin_consent_description  = string
    admin_consent_display_name = string
    id                         = optional(string)
    type                       = optional(string)
    user_consent_description   = optional(string)
    user_consent_display_name  = optional(string)
    value                      = optional(string)
  }))
Default: {}
Description: (Optional) URL of the privacy statement for the application.
Type: string
Default: null
Description: (Optional) A list of redirect URIs for public client applications (e.g., mobile or desktop apps).
Type: list(string)
Default: []
Description: (Optional) A list of redirect URIs for single-page applications (SPAs). These are typically used in web applications that run entirely in the browser.
Type: list(string)
Default: []
Description: (Optional) A list of redirect URIs for web applications. These are typically used in server-side web applications.
Type: list(string)
Default: []
Description: (Optional) The access token version expected by this resource. Must be one of 1 or 2, and must be 2 when sign_in_audience is either AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount. Defaults to 2.
Type: number
Default: 2
Description: (Optional) A collection of required API access by this application.
Type:
  map(object({
    api_client_id = string
    scope_ids     = optional(list(string), [])
    role_ids      = optional(list(string), [])
  }))
Default: {}
Description: (Optional) A collection of roles for this application.
Type:
  map(object({
    allowed_member_types = optional(list(string), ["User"])
    description          = optional(string)
    display_name         = optional(string)
    id                   = optional(string)
    value                = optional(string)
  }))
Default: {}
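The roles map above, the permission scopes map, the required API access map and the two admin consent flags all describe one pattern: an API exposes an app role (application permission) and a permission scope (delegated permission), a client declares that it needs them, and admin consent is recorded as an app role assignment and a delegated permission grant. The following is an added example, not the module's own code, that builds that pattern end to end with the provider resources this module lists (hashicorp/azuread v3 and hashicorp/random); every display name, value and description is a constructed placeholder.

```hcl
# Added example (not the module's own code). Assumes hashicorp/azuread v3 and
# hashicorp/random; names, values and descriptions are constructed placeholders.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    random  = { source = "hashicorp/random" }
  }
}

# --- The API that exposes a role and a scope ------------------------------
resource "azuread_application_registration" "api" {
  display_name     = "example-orders-api"
  sign_in_audience = "AzureADMyOrg"
}

resource "azuread_application_identifier_uri" "api" {
  application_id = azuread_application_registration.api.id
  identifier_uri = "api://${azuread_application_registration.api.client_id}"
}

resource "random_uuid" "role" {}
resource "random_uuid" "scope" {}

# Application permission: used by daemons, no signed-in user involved.
resource "azuread_application_app_role" "orders_read_all" {
  application_id       = azuread_application_registration.api.id
  role_id              = random_uuid.role.result
  allowed_member_types = ["Application"]
  display_name         = "Orders.Read.All"
  value                = "Orders.Read.All"
  description          = "Read all orders without a signed-in user"
}

# Delegated permission: acts on behalf of the signed-in user. type = "User"
# lets users consent for themselves; "Admin" would require admin consent.
resource "azuread_application_permission_scope" "orders_read" {
  application_id             = azuread_application_registration.api.id
  scope_id                   = random_uuid.scope.result
  value                      = "Orders.Read"
  type                       = "User"
  admin_consent_display_name = "Read orders"
  admin_consent_description  = "Allows the app to read orders on behalf of the signed-in user"
  user_consent_display_name  = "Read your orders"
  user_consent_description   = "Allows the app to read your orders"
}

# Tokens for this API are issued only to principals explicitly assigned to it.
resource "azuread_service_principal" "api" {
  client_id                    = azuread_application_registration.api.client_id
  app_role_assignment_required = true
}

# --- The client that needs access to the API ------------------------------
resource "azuread_application_registration" "client" {
  display_name = "example-orders-client"
}

resource "azuread_service_principal" "client" {
  client_id = azuread_application_registration.client.client_id
}

# Declares the required access, one entry of the required API access map.
resource "azuread_application_api_access" "client_to_api" {
  application_id = azuread_application_registration.client.id
  api_client_id  = azuread_application_registration.api.client_id
  role_ids       = [azuread_application_app_role.orders_read_all.role_id]
  scope_ids      = [azuread_application_permission_scope.orders_read.scope_id]
}

# Admin consent for the application permission: an app role assignment of the
# client's service principal on the API's service principal.
resource "azuread_app_role_assignment" "client_orders_read_all" {
  app_role_id         = azuread_application_app_role.orders_read_all.role_id
  principal_object_id = azuread_service_principal.client.object_id
  resource_object_id  = azuread_service_principal.api.object_id
}

# Admin consent for the delegated permission: a tenant-wide grant of the scope.
resource "azuread_service_principal_delegated_permission_grant" "client_orders_read" {
  service_principal_object_id          = azuread_service_principal.client.object_id
  resource_service_principal_object_id = azuread_service_principal.api.object_id
  claim_values                         = [azuread_application_permission_scope.orders_read.value]
}
```

Setting app_role_assignment_required on the API's service principal is what makes the assignment step meaningful: with it false (this module's default) any principal in the tenant can request a token for the API even without an assignment, and only the permissions claimed inside the token limit what it can do.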
Description: (Optional) References application context information from a Service or Asset Management database.
Type: string
Default: null
Description: (Optional) The Microsoft account types that are supported for the current application. Must be one of AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount. Defaults to AzureADMyOrg.
Type: string
Default: "AzureADMyOrg"
Description: (Optional) URL of the support page for the application.
Type: string
Default: null
Description: A set of tags to apply to the service principal.
Type: list(string)
Default:
  [
    "WindowsAzureActiveDirectoryIntegratedApp"
  ]
Description: (Optional) URL of the terms of service statement for the application.
Type: string
Default: null
The following outputs are exported:
Description: Application client ID.
Description: Application resource ID.
Description: Exposed OAuth2 permission scopes mapping.
Description: Application object ID.
Description: Application password value. Only available if 'generate_password' is true.
Description: Application roles mapping.
Description: Exposed OAuth2 permission scope URIs.
Description: Service principal object ID for the application.