Terraform + Azure Entra ID Mini Project: Step-by-Step Beginner Guide (Users & Groups from CSV)
In this mini project, I automated user and group management in Microsoft Entra ID using Terraform.
Instead of creating infrastructure like VMs or VNets, we manage:
- Users
- Groups
- Group memberships
I followed my instructor's tutorial but implemented it in my own small, testable steps. This blog shows exactly how you can do the same and debug easily as a beginner.
What We're Building
We will:
- Fetch our tenant domain
- Read users from a CSV file
- Create Entra ID users from CSV
- Detect duplicate usernames
- Create a group
- Add users to the group based on department
Step 1 - Configure Provider & Fetch Domain
azadprovider.tf
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "2.41.0" # pinned so every run uses the same provider release
    }
  }
}
This tells Terraform to use the Azure AD provider.
domainfetch.tf
data "azuread_domains" "tenant" {
  only_initial = true # return only the tenant's initial domain
}
output "domain" {
  value = data.azuread_domains.tenant.domains[0].domain_name
}
Run
terraform init
terraform apply
Verify
You should see:
domain = "yourtenant.onmicrosoft.com"
Now Terraform can build valid usernames.
Step 2 - Test CSV Reading
locals {
  users = csvdecode(file("users.csv"))
}
output "users_debug" {
  value = local.users
}
Why?
Before creating users, confirm Terraform reads the CSV correctly.
Run
terraform plan
You should see structured user data printed.
If this fails, your CSV format is wrong.
Step 3 - Create ONE Test User
Always test with one user first.
resource "azuread_user" "testuserminipro867" {
  user_principal_name = "testuserminipro867@yourdomain.onmicrosoft.com"
  display_name        = "Test User"
  password            = "Password123!"
}
Verify in Portal
Entra ID → Users → Confirm creation.
Works? Good.
Then comment it out.
Step 4 - Create Users from CSV
Now we automate.
Generate UPNs
locals {
  upns = [
    for u in local.users :
    lower("${u.first_name}.${u.last_name}@${data.azuread_domains.tenant.domains[0].domain_name}")
  ]
}
Creates usernames like:
michael.scott@tenant.onmicrosoft.com
Detect Duplicates
output "duplicate_check" {
  # Parentheses let the conditional span several lines in HCL
  value = (
    length(local.upns) != length(distinct(local.upns))
    ? "DUPLICATES FOUND"
    : "No duplicates"
  )
}
Beginner Tip:
Duplicate usernames will break Terraform, so always check first!
Preview Planned Users
output "planned_users" {
  value = local.upns
}
Create Users
resource "azuread_user" "users" {
  for_each = {
    for idx, user in local.users :
    local.upns[idx] => user
  }
  user_principal_name = each.key
  display_name        = "${each.value.first_name} ${each.value.last_name}"
  mail_nickname       = lower("${each.value.first_name}${each.value.last_name}")
  department          = each.value.department
  password            = "Password123!"
}
Apply
terraform apply
Verify
Check Entra ID → Users.
Users created automatically!
Important Learning
If you change the CSV later:
Terraform will:
- create new users
- update existing users
- remove deleted users
This is Terraform's desired state model in action.
Step 5 - Create Group & Add Members
Create Group
resource "azuread_group" "test_group" {
  display_name     = "Test Group"
  security_enabled = true
}
Add Members by Department
resource "azuread_group_member" "education" {
  for_each = {
    for u in azuread_user.users :
    u.mail_nickname => u
    if u.department == "Education"
  }
  group_object_id  = azuread_group.test_group.id
  member_object_id = each.value.id
}
Apply
terraform apply
Verify
Portal → Groups → Members tab
Only Education department users added.
Key Beginner Lessons
Work in Small Steps
Don't deploy everything at once.
Always Check Data First
Validate CSV before creating resources.
Use Outputs for Debugging
Outputs save hours of troubleshooting.
Terraform is Declarative
It maintains the desired state automatically.
What You Can Try Next
- Add more users to CSV
- Create groups by job title
- Use Service Principal authentication
- Generate random passwords
- Assign roles to groups
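The Step 4 resource gives every account the same literal password. One way to take up the "Generate random passwords" item, as an added example that is not part of the original tutorial: a drop-in replacement for the Step 4 azuread_user.users block. It assumes local.users and local.upns from Steps 2 and 4 and uses the random_password resource from the hashicorp/random provider; the names initial and initial_passwords are my own.

```hcl
# Added example: replaces the Step 4 "azuread_user" "users" block.
# Assumes local.users (Step 2) and local.upns (Step 4) are defined.
# Add random = { source = "hashicorp/random" } to required_providers in
# azadprovider.tf and run terraform init again before applying.

# One random initial password per UPN instead of a shared literal.
resource "random_password" "initial" {
  for_each = toset(local.upns)

  length      = 20
  special     = true
  min_upper   = 1
  min_lower   = 1
  min_numeric = 1
  min_special = 1
}

resource "azuread_user" "users" {
  for_each = {
    for idx, user in local.users :
    local.upns[idx] => user
  }

  user_principal_name = each.key
  display_name        = "${each.value.first_name} ${each.value.last_name}"
  mail_nickname       = lower("${each.value.first_name}${each.value.last_name}")
  department          = each.value.department
  password            = random_password.initial[each.key].result

  # The user must choose their own password at first sign-in, so the
  # generated value is only ever a one-time credential.
  force_password_change = true
}

# Marked sensitive so the values are hidden in plan/apply output.
# They are still stored in plain text in the state file, so restrict
# access to wherever the state is kept.
output "initial_passwords" {
  value     = { for upn, p in random_password.initial : upn => p.result }
  sensitive = true
}
```

Because the resource keeps the name azuread_user.users, the Step 5 group membership block works unchanged.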
Final Thoughts
This project shows how powerful Terraform is beyond infrastructure: it can manage identity too.
If you’re learning cloud or DevOps, this skill is extremely valuable because real organizations manage thousands of users and groups.
Start small, test often, and build confidence step-by-step, exactly like you did here.
