Pulumi Azure Active Directory (Azure AD)
Pulumi AzureAD is a Python package for defining, deploying, and managing Azure Active Directory (now Microsoft Entra ID) cloud resources using Pulumi's Infrastructure as Code approach. It is currently at version 6.9.0 and follows Pulumi's rapid release cadence, often receiving weekly or bi-weekly updates to incorporate new features and bug fixes from the upstream Terraform provider.
Warnings
- breaking: Upgrading from Pulumi AzureAD v5.x to v6.x may introduce breaking changes. These often stem from updates to the underlying Terraform AzureAD provider, leading to schema changes, removed deprecated properties, and potential changes in resource behavior (e.g., case-sensitive enum values). Review the official migration guide for the specific version range you are upgrading to/from.
- gotcha: Authentication errors are common if Azure credentials are not correctly configured. The provider relies on the Azure CLI login (`az login`) or specific environment variables (e.g., `ARM_CLIENT_ID`, `ARM_TENANT_ID`, `ARM_CLIENT_SECRET`, `ARM_SUBSCRIPTION_ID`) for authentication. Errors like 'failed to load Azure credentials' or 'Error obtaining Authorization Token' usually mean the credentials are missing or misconfigured.
- deprecated: The `end_date_relative` property on the `azuread.ServicePrincipalCertificate` resource is deprecated. It will be removed in a future version.
- gotcha: Pulumi has two main Azure providers: `pulumi-azuread` and `pulumi-azure-native` (or `pulumi-azure` for the older Classic provider). `pulumi-azuread` is specifically for managing Azure Active Directory (Entra ID) resources like Users, Groups, Applications, and Service Principals. `pulumi-azure-native` is for general Azure ARM resources (e.g., Virtual Machines, Storage Accounts, Resource Groups). Confusing the two can lead to 'resource not found' or 'property not supported' errors.
Install
- pip install pulumi-azuread
Imports
- azuread
import pulumi_azuread as azuread
- Group
from pulumi_azuread import Group
Quickstart
import pulumi
import pulumi_azuread as azuread

# Ensure Azure credentials are set via environment variables or `az login`
# Example: ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID
# Pulumi typically picks these up automatically or via `pulumi config set`.
# For local testing, ensure `az login` has been run or environment variables are configured.
# For CI/CD, consider OIDC or Service Principal authentication.

# Create an Azure AD Group
my_group = azuread.Group(
    "my-python-group",
    display_name="MyPythonManagedGroup",
    mail_enabled=False,
    security_enabled=True,
)

# Export the ID of the created group
pulumi.export("groupId", my_group.id)
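
The authentication gotcha above can be caught before `pulumi up` with a small preflight check. This is an added example, not code from the Pulumi project; the function names are hypothetical, and it assumes client-secret service principal authentication or an Azure CLI session (OIDC and certificate setups are out of scope).

```python
import os
import shutil

# Service principal variables named in the authentication warning above.
SP_VARS = ("ARM_CLIENT_ID", "ARM_CLIENT_SECRET", "ARM_TENANT_ID")


def diagnose_auth(env, az_on_path):
    """Classify which credential source the environment offers.

    Returns (mode, problems). Only variable names are reported, never
    values, so the output is safe to keep in CI logs.
    """
    present = [v for v in SP_VARS if env.get(v, "").strip()]
    missing = [v for v in SP_VARS if v not in present]

    if present and missing:
        # A half-configured service principal is a typical source of
        # credential-loading errors in pipelines.
        return "invalid", ["incomplete service principal: missing " + ", ".join(missing)]
    if missing:
        if not az_on_path:
            return "invalid", ["no ARM_* variables set and `az` not found on PATH"]
        # The CLI exists; this does not prove an `az login` session is active.
        return "azure_cli", []

    # All three variables are set. Flag stray whitespace, e.g. a trailing
    # newline picked up when a secret was pasted into a CI variable.
    problems = [
        f"{v} has leading/trailing whitespace"
        for v in SP_VARS
        if env[v] != env[v].strip()
    ]
    return "service_principal", problems


def preflight():
    """Run the check against the real process environment."""
    return diagnose_auth(os.environ, shutil.which("az") is not None)


if __name__ == "__main__":
    mode, problems = preflight()
    print("auth mode:", mode)
    for problem in problems:
        print("problem:", problem)
    raise SystemExit(1 if mode == "invalid" else 0)
```

Run it as a pipeline step ahead of `pulumi preview`; a non-zero exit means the environment cannot authenticate with the variables it has.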