Recently I was looking at automating an Azure AD application, and one of the requirements was to configure the groups optional claims within Terraform. In this blog post I will show how I achieved this, as the current Terraform documentation is slightly tricky to understand.
Further reading on this setup and more details on Azure AD Application Groups optional claims:
The Terraform Deployment
I was looking to achieve the same configuration as in the screenshot below via Terraform.


To achieve this, I used the optional_claims block as below, adding a groups claim for each of access_token, id_token and saml2_token:
```hcl
optional_claims {
  access_token {
    name = "groups"
  }
  id_token {
    name = "groups"
  }
  saml2_token {
    name = "groups"
  }
}
```
The example below is the full azuread_application resource used in my Terraform:
```hcl
resource "azuread_application" "azuread_application" {
  display_name = "tamops"
  optional_claims {
    access_token {
      name = "groups"
    }
    id_token {
      name = "groups"
    }
    saml2_token {
      name = "groups"
    }
  }
  owners = [var.app_service_object_id]
}
```
In this example, I am creating an Azure AD application named “tamops” and configuring the optional claims for groups. The optional_claims block contains three sub-blocks for access_token, id_token, and saml2_token. Each sub-block has a name property set to “groups”.
The owners property is also set to a variable named app_service_object_id. This is the object ID of the Azure AD application that will be accessing this application.
Now, let’s take a closer look at the optional_claims block. This block is used to configure optional claims for the application. Optional claims are claims beyond the default set that Azure AD returns in a token; an application has to opt into them explicitly. In this case, we’re configuring the optional claim for groups.
The access_token, id_token, and saml2_token sub-blocks are used to specify which tokens the optional claim should be included in. In this example, we’re including the optional claim for groups in all three types of tokens.
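As an added example (not the original post's code), the configuration below pairs the same three optional groups claims with the group_membership_claims argument of the azuread provider, which is what tells Azure AD which group memberships to put into the claim; the portal's “Add groups claim” dialog sets both of these together. The display name, the provider block and the use of the signed-in principal as owner (instead of the post's var.app_service_object_id) are assumptions for illustration.

```hcl
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

provider "azuread" {}

# The principal running Terraform becomes the app owner (assumption for this
# example; the original post passes var.app_service_object_id instead).
data "azuread_client_config" "current" {}

resource "azuread_application" "groups_claims_example" {
  display_name = "tamops-groups-claims-example" # constructed name
  owners       = [data.azuread_client_config.current.object_id]

  # The optional "groups" claims below only configure where the claim appears;
  # group_membership_claims selects which memberships Azure AD emits.
  # "SecurityGroup" restricts the claim to security groups, which keeps tokens
  # small; "All" also emits distribution lists and directory roles and makes
  # the groups overage limit easier to hit.
  group_membership_claims = ["SecurityGroup"]

  optional_claims {
    access_token {
      name = "groups"
    }

    id_token {
      name = "groups"
    }

    saml2_token {
      name = "groups"
    }
  }
}

# Object ID of the app registration, handy for later role/owner assignments.
output "application_object_id" {
  value = azuread_application.groups_claims_example.object_id
}
```

After terraform init and terraform apply, sign in with a test user and decode the returned id_token to confirm a groups array is present. Do not assume it always is: when a user belongs to more than 200 groups (150 for SAML tokens), Azure AD omits the groups claim and emits a groups overage claim instead, so any authorisation logic that keys off group membership must handle that case rather than silently treating the user as a member of no groups.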
I hope this blog post helps you understand how to configure groups optional claims in Terraform for an Azure AD application. If you have any questions or comments, please feel free to leave them below.
Thanks for writing this, this helped me!
Thank you for the comment – glad my blog post helped you!