Microsoft AZ-104 – Azure Admin Certification/Identity and Terraform

I am currently going through the A Cloud Guru AZ-104 Microsoft Azure Administrator Certification Prep class and thought I would take the discussion points and convert them into Terraform code rather than going through the labs with Azure Portal or Azure CLI.

Chapter 3 of the prep class covers Identity. The whole concept behind identity in Azure centers around Azure AD and Identity Access Management. The breakdown of the lectures in the acloud.guru class is as follows:

  • Managing Azure AD
  • Creating Azure AD Users
  • Managing Users and Groups
  • Creating a Group and Adding Members
  • Configuring Azure AD Join
  • Configuring Multi-factor authentication and SSPR

Before we dive into code we need to define what Azure AD and IAM are. Azure AD is the cloud-based identity and access management (IAM) solution for the Azure cloud. Azure AD handles authentication as well as authorization, allowing users to log into the Azure Portal and perform actions based on group membership and the authorization roles (RBAC) associated with the user or the group.

There are four levels of Azure AD provided by Microsoft, and each has a license and cost associated with consumption of Azure AD. The base level comes with an Azure license, allows you to have 500,000 directory objects and provides Single Sign-On (SSO) with other Microsoft products. This base license also includes IAM integration and business-to-business collaboration for federation of identities. The Office 365 license provides an additional layer of IAM with Microsoft 365 components and removes the limit on the number of directory objects. The Premium P1 and Premium P2 licenses provide additional layers such as Dynamic Groups and Conditional Access, with Identity Protection and Identity Governance added in Premium P2. These additional functions are good for larger corporations but not needed for small to medium businesses.

Two terms that also need definition are tenant and subscription. A tenant represents an organization via a domain name and gets mapped to the base Azure Portal account when it is created. This account needs a global administrator associated with it, and more users and subscriptions can be associated with it. A subscription is a billing entity within Azure. You can have multiple subscriptions under a tenant. Think of a subscription as a department or division of your company and the tenant as your parent company. The marketing department can be associated with a subscription so that billing can be tied to that profit and loss center, while the engineering department is associated with another subscription that allows it to play with more features and functions of Azure but might have a smaller spending budget. These mappings are done by the global administrator by creating new subscriptions under a tenant and giving the users and groups associated with the subscription rights and limits on what can and can’t be done. The subscription becomes the container for all Azure resources like storage, network configurations, and virtual machines.

If we look at the Azure AD Terraform documentation provided by HashiCorp we notice that this is official code from HashiCorp and that it provides a variety of mechanisms to authenticate into Azure AD. The simplest way is to use the Azure CLI to authenticate and leverage the authentication tokens returned to the CLI for Terraform to communicate with Azure. When I first tried to connect using a PowerShell 7.0 shell and the Az module the connection failed. I had to reconfigure the Azure account to allow for client authentication from the PowerShell CLI. To do this I had to go to the Azure AD implementation in the Azure Portal,

then create a new App registration (I titled it AzureCLI because the name does not matter),

then change the Allow public client flows setting from No to Yes to enable the Az CLI to connect.

Once the change was made in the Azure Portal the Connect-AzAccount connection works with the desired account.

Note that there is one subscription associated with this account and only one is shown. The Terraform azuread provider does not provide a way of creating a tenant because this is typically not done very often. You can create a new tenant from the Azure Portal; this basically creates a new primary domain that allows for a new vanity domain for users. In this example the primary domain is patpatshuff.onmicrosoft.com because patshuff.onmicrosoft.com was taken by another user. We could create a new domain patrickshuff.onmicrosoft.com or shuff.onmicrosoft.com since neither has been taken. Given that the vanity domain name has little consequence other than email addresses, creating a new tenant is not something that we will typically want to do, and not having a way of creating or referencing a tenant from Terraform is not that significant.

SiliconValve posted a good description of Tenants, Subscriptions, Regions, and Geographies in Azure that is worth reading to understand more about tenants and subscriptions.

The next level down from tenants is subscriptions. A subscription is a billing entity in Azure, and resources that are created, like compute and storage, are associated with a subscription and not a tenant. A new subscription can be created from the Azure portal but not through Terraform. Both the subscription ID and tenant ID can be pulled easily from Azure using the azuread_client_config data source of the azuread provider. Neither is required to use the azurerm provider that is typically used to create storage, networks, and virtual machines.

One of the key reasons why you would use both the azuread and azurerm providers is that you can pass subscription_id and tenant_id into the azurerm provider, and these values can be obtained from the azuread provider. Multiple azuread connections can be configured using the alias field, passing credentials into the connection rather than using the default credentials from the command line session in PowerShell or the command console that is executing the terraform binary. Multiple subscriptions can also be managed for one tenant by passing the subscription ID into the azurerm provider and using an alias for the azurerm definition. Multiple subscriptions can be returned using the azurerm_subscriptions data source, thus reducing the need to use or manage the azuread provider.

Now that we have tenants and subscriptions under our belt (and don’t really need to address them with Terraform when it comes to creating resources) we can leverage the azurerm provider to reference tenant_id and subscription_id to manage users and groups.
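The provider wiring described above, written out as an added example (this is not code from the original post): the default azuread connection reuses the az CLI login, a second azuread connection with an alias authenticates to another tenant with a service principal, the tenant id is read from azuread_client_config and handed to azurerm, a second subscription is reached through an azurerm alias, and azurerm_subscriptions lists what the login can see. The variable names, the "partner" and "engineering" aliases, and the resource group are assumptions for illustration; Terraform 0.14 or later is assumed for the sensitive variable flag.

```hcl
# Added example, not from the original post. Assumes Terraform >= 0.14 and
# an existing "az login" / Connect-AzAccount session for the default providers.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    azurerm = { source = "hashicorp/azurerm" }
  }
}

# Default azuread connection: reuses the token from the CLI login.
provider "azuread" {}

# Second tenant reached with a service principal instead of the CLI token.
# The three variables are assumptions; the secret should arrive via
# TF_VAR_partner_client_secret, never via a default value in this file.
provider "azuread" {
  alias         = "partner"
  tenant_id     = var.partner_tenant_id
  client_id     = var.partner_client_id
  client_secret = var.partner_client_secret
}

variable "partner_tenant_id" { type = string }
variable "partner_client_id" { type = string }
variable "partner_client_secret" {
  type      = string
  sensitive = true
}
variable "engineering_subscription_id" { type = string }

# Tenant id, client id and object id of the identity Terraform runs as.
data "azuread_client_config" "current" {}

# Default azurerm provider: same tenant, the CLI's default subscription.
provider "azurerm" {
  features {}
  tenant_id = data.azuread_client_config.current.tenant_id
}

# Second subscription in the same tenant, selected through the alias.
provider "azurerm" {
  alias           = "engineering"
  features {}
  tenant_id       = data.azuread_client_config.current.tenant_id
  subscription_id = var.engineering_subscription_id
}

# Every subscription the logged-in identity can see, via the default provider.
data "azurerm_subscriptions" "available" {}

# A resource placed in the second subscription by naming the alias.
resource "azurerm_resource_group" "eng" {
  provider = azurerm.engineering
  name     = "rg-engineering"
  location = "eastus"
}

output "tenant_id" {
  value = data.azuread_client_config.current.tenant_id
}

# display_name => subscription_id for everything the login can enumerate.
output "subscriptions" {
  value = { for s in data.azurerm_subscriptions.available.subscriptions : s.display_name => s.subscription_id }
}
```

The default azurerm provider deliberately takes no subscription_id, so it follows whatever `az account set` selected; only the aliased provider pins a subscription. Configuring the default azurerm provider from azurerm_subscriptions would be circular, since that data source itself needs a configured azurerm provider, which is why the tenant id comes from the azuread data source instead.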

Users and Groups

Azure AD users are identities in an Azure AD tenant. A user is tied to a tenant and can be an administrator, member user, or guest user. An administrator user can take on different roles like global administrator, user administrator, or service administrator. Member users are users associated with the tenant and can be assigned to groups. Guest users are typically used to share documents or resources without storing credentials in Azure AD.

To create a user in Azure AD the azuread provider needs to be referenced, along with either the azuread_user resource or the azuread_user data source. For the data source the user_principal_name (username) is the only required field. Multiple users can be referenced with the azuread_users data source, which requires a list of user_principal_names, object_ids, or mail_nicknames to identify users in the directory. For the resource definition a user_principal_name, display_name, and password are required to identify a user. Only one user can be defined per resource block, but a resource block can be written to take a map and create one user per entry, reducing the amount of Terraform code needed to define multiple users.

provider "azuread" {
  version = "=0.7.0"
}

resource "azuread_user" "example" {
  user_principal_name = "jdoe@hashicorp.com"
  display_name        = "J. Doe"
  password            = "SecretP@sswd99!"
}

The user is mapped to the default tenant_id and subscription_id that were used when the azuread provider was configured. If you are using the az command line this is the default tenant and subscription associated with the login credentials used.
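The read-only side of the same resource, as an added example (not code from the original post): the azuread_user data source looks up one existing account by user_principal_name, and azuread_users looks up several by a list of names, with the object ids exported for later use. The user principal names are constructed for the post's patpatshuff.onmicrosoft.com tenant and must already exist for the lookups to succeed.

```hcl
# Added example, not from the original post. Reads existing users instead of
# creating them; the principal names below are constructed and must exist.
provider "azuread" {}

# Single lookup: user_principal_name is the only required argument.
data "azuread_user" "bob" {
  user_principal_name = "Bob@patpatshuff.onmicrosoft.com"
}

# Batch lookup: exactly one of user_principal_names, object_ids or
# mail_nicknames is given; every name must resolve or the plan fails.
data "azuread_users" "team" {
  user_principal_names = [
    "Ted@patpatshuff.onmicrosoft.com",
    "Alice@patpatshuff.onmicrosoft.com",
  ]
}

# Attributes of the single user worth checking before granting it anything:
# a disabled account (account_enabled = false) should not receive new access.
output "bob" {
  value = {
    object_id       = data.azuread_user.bob.object_id
    display_name    = data.azuread_user.bob.display_name
    account_enabled = data.azuread_user.bob.account_enabled
  }
}

# Object ids are what group-membership and role-assignment resources consume,
# so this output is the handoff point to the RBAC work of a later post.
output "team_object_ids" {
  value = data.azuread_users.team.object_ids
}
```

Because the batch data source fails the whole plan when any listed name is missing, keep lookups of users that may not exist yet out of the same configuration that creates them; a data source read happens at plan time, before any azuread_user resource in the same run has been applied.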

Bulk operations, such as the Azure portal’s CSV-based user import, are not available from Terraform. This might be a good opportunity to create a local-exec provisioner definition to call the Azure CLI, which can leverage bulk import operations as discussed in the https://activedirectorypro.com/create-bulk-users-active-directory/ blog entry. Given that bulk import is typically a one-time operation, automating it in Terraform is typically not needed but can be performed with a local-exec if desired.
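The local-exec route described above, as an added example (not code from the original post or the linked blog): a null_resource runs a shell loop over a CSV file and calls `az ad user create` once per line, re-running only when the CSV content changes. The CSV rows are constructed for the post's tenant, the initial password arrives through a sensitive variable rather than a default, and an existing az CLI login is assumed.

```hcl
# Added example, not from the original post. Assumes Terraform >= 0.14,
# an "az login" session, and a POSIX shell on the machine running terraform.
terraform {
  required_providers {
    local = { source = "hashicorp/local" }
    null  = { source = "hashicorp/null" }
  }
}

# Supply with TF_VAR_initial_pwd; no default so it never lands in this file.
variable "initial_pwd" {
  type      = string
  sensitive = true
}

# Constructed sample input, one "user_principal_name,display_name" per line.
resource "local_file" "users_csv" {
  filename = "${path.module}/users.csv"
  content  = <<-CSV
    carol@patpatshuff.onmicrosoft.com,Carol
    dave@patpatshuff.onmicrosoft.com,Dave
  CSV
}

# Runs at create time and again only when the CSV content changes.
resource "null_resource" "bulk_import" {
  triggers = {
    csv = local_file.users_csv.content
  }

  provisioner "local-exec" {
    interpreter = ["/bin/sh", "-c"]
    # Passed as an environment variable so the secret never appears in
    # the command string that Terraform logs.
    environment = {
      INITIAL_PWD = var.initial_pwd
    }
    command = <<-EOT
      set -e
      while IFS=, read -r upn name; do
        [ -z "$upn" ] && continue
        az ad user create \
          --user-principal-name "$upn" \
          --display-name "$name" \
          --password "$INITIAL_PWD" >/dev/null
        echo "created $upn"
      done < "${local_file.users_csv.filename}"
    EOT
  }
}
```

Accounts created this way are not tracked in Terraform state: `terraform destroy` removes the null_resource and the CSV file but leaves the users in the directory, and a re-run after a CSV edit will fail on names that already exist. That is the trade-off against the azuread_user resource, which is why the local-exec path suits a one-time import rather than ongoing management.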

A sample Terraform file that will create a list of users is shown below:

provider "azuread" {
}

# Shared initial password for the users created below. The default is kept
# from the original post for illustration; in practice omit the default and
# pass the value in with TF_VAR_pwd or -var so it never sits in source.
variable "pwd" {
  type    = string
  default = "Password123"
}

# Each entry is [user_principal_name, display_name]; the key is only an index.
variable "user_list" {
  type        = map(list(string))
  description = "list of users to create"
  default = {
    "0" = ["Bob@patpatshuff.onmicrosoft.com", "Bob"],
    "1" = ["Ted@patpatshuff.onmicrosoft.com", "Ted"],
    "2" = ["Alice@patpatshuff.onmicrosoft.com", "Alice"]
  }
}

# Single user, every argument given inline.
resource "azuread_user" "new_user" {
  user_principal_name = "bill@patpatshuff.onmicrosoft.com"
  display_name        = "Bill"
  password            = "Password_123"
}

# One azuread_user per entry in user_list, all sharing var.pwd.
resource "azuread_user" "new_users" {
  for_each            = var.user_list
  user_principal_name = var.user_list[each.key][0]
  display_name        = var.user_list[each.key][1]
  password            = var.pwd
}

The definition is relatively simple. The user_list contains a list of usernames and display names, and there are two examples of creating a user. The first is the new_user resource to create one user and the second is the new_users resource to create multiple users. Users just need to be added to the user_list and are created with var.pwd (from the default, or a value passed in via the command line or an environment variable). The for_each walks through the user_list and creates all of these users. A terraform apply will create everything the first time and a terraform destroy will clean up after you are finished.
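The same for_each pattern generalised, as an added example (not code from the original post): the map is keyed by the user principal name instead of an index, each entry is an object rather than a positional list, and every user gets a generated initial password that must be changed at first sign-in instead of one shared default. The sample users are constructed for the post's tenant; the azuread_user arguments used here are those documented for recent azuread provider releases (1.x/2.x), and the random provider is assumed to be available.

```hcl
# Added example, not from the original post. Assumes Terraform >= 0.14 and
# the hashicorp/random provider alongside azuread.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread" }
    random  = { source = "hashicorp/random" }
  }
}

provider "azuread" {}

# Keyed by user_principal_name so adding or removing one entry changes only
# that user's resource instance, never the others.
variable "users" {
  type = map(object({
    display_name  = string
    mail_nickname = string
  }))
  default = {
    "Bob@patpatshuff.onmicrosoft.com"   = { display_name = "Bob",   mail_nickname = "bob" }
    "Ted@patpatshuff.onmicrosoft.com"   = { display_name = "Ted",   mail_nickname = "ted" }
    "Alice@patpatshuff.onmicrosoft.com" = { display_name = "Alice", mail_nickname = "alice" }
  }
}

# One generated initial password per user. The value is stored in state,
# so the state backend must be treated as a secret store.
resource "random_password" "initial" {
  for_each = var.users
  length   = 20
  special  = true
}

resource "azuread_user" "managed" {
  for_each              = var.users
  user_principal_name   = each.key
  display_name          = each.value.display_name
  mail_nickname         = each.value.mail_nickname
  password              = random_password.initial[each.key].result
  force_password_change = true # the generated value is a one-time bootstrap secret
}

# Marked sensitive so "terraform apply" does not print it; read it with
# "terraform output -json initial_passwords" when handing out credentials.
output "initial_passwords" {
  value     = { for upn, pw in random_password.initial : upn => pw.result }
  sensitive = true
}

# Object ids are the handle that group membership and role assignments need.
output "user_object_ids" {
  value = { for upn, u in azuread_user.managed : upn => u.object_id }
}
```

Keying the map by principal name removes the fragility of the numeric index in the post's version, where deleting entry "1" would re-number nothing but renaming keys would destroy and recreate users. The per-user generated password plus force_password_change replaces a single shared secret that every user in the list would otherwise know.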

In summary, tenants, subscriptions, and users can be managed from Terraform. Tenants and subscriptions are typically read-only elements that can be read from a connection but not created or updated from Terraform. Users can be added, updated, or deleted easily using the azuread provider. Once we have users created we can dive deeper (in a later blog) into role management, RBAC, and IAM definitions using the azuread or azurerm providers.
