Delete computer object from domain upon destroy (domain-join extension)

Hi there,

I am using azurerm_virtual_machine_extension to join my VMs to the domain. Is there a way that I can use this extension to delete the computer object on destroy? Or is there any other way of doing this on destroy only?


resource "azurerm_virtual_machine_extension" "join-domain" {
  count                = var.join_domain ? 1 : 0
  name                 = "join-domain"
  # Target VM inferred from the depends_on below
  virtual_machine_id   = azurerm_windows_virtual_machine.vm.id
  publisher            = "Microsoft.Compute"
  type                 = "JsonADDomainExtension"
  type_handler_version = "1.3"

  # Options 3 = NETSETUP_JOIN_DOMAIN (1) + NETSETUP_ACCT_CREATE (2):
  # join the domain and create the computer account in OUPath if it does not exist.
  settings = <<SETTINGS
    {
      "Name": "${var.active_directory_domain}",
      "OUPath": "${var.oupath}",
      "User": "${var.active_directory_netbios_domain}\\${var.active_directory_username}",
      "Restart": "true",
      "Options": "3"
    }
SETTINGS

  # The password belongs in protected_settings: Azure encrypts it and does not
  # return it from the API (it is still written to Terraform state, so protect the state).
  protected_settings = <<PROTECTED_SETTINGS
    {
      "Password": "${var.active_directory_password}"
    }
PROTECTED_SETTINGS

  depends_on = [azurerm_windows_virtual_machine.vm]
}


I haven't worked with the specific use case of deleting the computer account from AD. If there is not a built-in mechanism for this, then one option could be to use a destroy-time provisioner.

It could potentially run a script to remove itself from the domain (or delete the computer account from AD) prior to destroy. remote-exec would allow you to use PowerShell or the command line to do that via WinRM.

Again, there may be a better way to achieve this natively via API if you are using AzureAD or AzureAD DS, for example.
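The destroy-time provisioner approach described in the reply above, written out as an added example; this is not code from the thread or from the azurerm provider docs. It assumes the VM resource is azurerm_windows_virtual_machine.vm (as in the question), that WinRM over HTTPS on 5986 is reachable on the VM's private IP from wherever terraform runs, that var.winrm_username / var.winrm_password are a local administrator on the VM, that the RSAT ActiveDirectory PowerShell module is installed on the VM, and that the account in var.active_directory_username has been delegated "Delete Computer objects" on var.oupath (it does not need to be a Domain Admin). All of those names are assumptions, not part of the original post.

```hcl
# Added example (not from the original thread): delete the VM's computer object
# from AD with a destroy-time remote-exec provisioner, so the object goes away
# before Terraform removes the extension and the VM.
resource "null_resource" "domain_leave" {
  count = var.join_domain ? 1 : 0

  # Destroy-time provisioners may only reference self, count.index and each.key,
  # so everything the script needs is captured in triggers at create time.
  # Assumed attributes/variables: see the lead-in above.
  triggers = {
    vm_id         = azurerm_windows_virtual_machine.vm.id
    host          = azurerm_windows_virtual_machine.vm.private_ip_address
    computer_name = azurerm_windows_virtual_machine.vm.computer_name
    domain        = var.active_directory_domain
    domain_user   = "${var.active_directory_netbios_domain}\\${var.active_directory_username}"
    domain_pass   = var.active_directory_password
    winrm_user    = var.winrm_username
    winrm_pass    = var.winrm_password
  }

  connection {
    type     = "winrm"
    host     = self.triggers.host
    user     = self.triggers.winrm_user
    password = self.triggers.winrm_pass
    https    = true
    port     = 5986
    insecure = false # only set true for a self-signed WinRM certificate in a lab
    timeout  = "5m"
  }

  provisioner "remote-exec" {
    when       = destroy
    on_failure = continue # do not block the destroy if the VM is already unreachable
    inline = [
      <<-EOT
        powershell -NoProfile -NonInteractive -Command "$sec = ConvertTo-SecureString '${self.triggers.domain_pass}' -AsPlainText -Force; $cred = New-Object System.Management.Automation.PSCredential('${self.triggers.domain_user}', $sec); Remove-ADComputer -Identity '${self.triggers.computer_name}' -Server '${self.triggers.domain}' -Credential $cred -Confirm:$false"
      EOT
    ]
  }

  # Create after the join has completed; on destroy Terraform reverses the
  # order, so this runs before the extension and the VM are removed.
  depends_on = [azurerm_virtual_machine_extension.join-domain]
}
```

Two caveats worth checking before relying on this. First, the domain password ends up in the VM's process command line and in the null_resource triggers in state, so use a dedicated account whose only right is deleting computer objects in that OU, and treat the state file as sensitive. Second, on_failure = continue means a VM that is already deallocated or unreachable will be destroyed without its AD object being cleaned up, so a periodic sweep for stale computer accounts is still sensible. Note also that JsonADDomainExtension joins an AD DS domain (including a managed Microsoft Entra Domain Services domain), not an Entra ID (Azure AD) device registration, which uses a different extension.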



Thanks for replying. This looks like something I can experiment with.

I am using AzureAD