Problem Statement: Replication of Azure AD group members from one tenant (corp AAD) to another (dev tenant). User identities are already pushed from the corporate Azure AD to the dev tenant but not the group due to some limitation.
I am trying to replicate all members associated with an Azure AD security group from one tenant (corp) to another (dev environment). For configuring the group and its membership in the target tenant, the following piece of code is working with the data structure shown below:
terraform.tfvars:
user_groups = {
  "my_dev_group_1" = ["jjohn", "mjack", "rabby"]
  "my_dev_group_2" = ["mjack", "jill"]
}
domain = "@example.com"
variable.tf:
variable "user_groups" {}
variable "domain" {}
With the user_groups map / list, the following code adds users to a group:
locals {
  users_flattened = toset(flatten(values(var.user_groups)))
  groups_users_obj = {
    for k, v in var.user_groups :
    k => [
      for user in v :
      data.azuread_user.user[user].object_id
    ]
  }
}

data "azuread_user" "user" {
  for_each            = local.users_flattened
  user_principal_name = "${each.key}${var.domain}"
}

resource "azuread_group" "group" {
  for_each         = local.groups_users_obj
  display_name     = each.key
  security_enabled = true
  mail_enabled     = false
  members          = each.value
}
I can use the data block to read membership information of an AAD group:
data "azuread_group" "corp_ad_group" {
  provider         = azuread.corpad
  display_name     = "my_dev_group_1"
  security_enabled = true
}

output "group_info" {
  value = data.azuread_group.corp_ad_group
}
The code above gives me the object-id list of members associated with the group as shown below:
group_info = {
  ...
  "display_name" = "my_dev_group_1"
  "dynamic_membership" = tolist([])
  ...
  "members" = tolist([
    "9a771003-a0b1-4c8f-87d5-cc2f1f5f2d35",
    "d71389b1-7778-4951-8415-cce7323737d4",
    "3c237945-5650-4df7-a971-a2324f0ec9d5",
  ])
  ...
}
Since the object id list is only relevant for this tenant, I need to find the UPN (user principal name) corresponding to each object id. I can use the following terraform code for performing the lookup for a single object:
data "azuread_user" "corp_ad_user" {
  provider  = azuread.corpad
  object_id = "3a1c84fb-346d-480f-bd6d-456b6d1b3dc9"
}

output "user_info" {
  value = data.azuread_user.corp_ad_user
}
This gives me all the information about the user:
id = {
  "account_enabled" = true
  ...
  "user_principal_name" = "jjohn@example.com"
  "user_type" = "Member"
}
I have a set of such development groups in the source tenant and dynamic users in each of the groups:
["my_dev_group1", "my_dev_group2"]
So my question is: given a list of AAD security groups in the source tenant, how can I perform a query for each group to get a dynamic list of member object ids, perform another lookup to get the UPN and create a list (either in the local file system or an internal structure) in the format below:
user_groups = {
  "my_dev_group_1" = ["jjohn", "mjack", "rabby"]
  "my_dev_group_2" = ["mjack", "jill"]
}
and pass this list to the 2nd AAD tenant to synchronize the group membership?
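One way to build that map entirely in Terraform, as an added example rather than code from the question: iterate the two data sources the question already uses with for_each, first over the group names and then over the union of member object ids, and derive the user_groups map from the results. It reuses the azuread.corpad provider alias and the domain variable from the question; the names var.source_groups, local.corp_member_ids, local.user_groups and the local_file resource (hashicorp/local provider) are introduced here. It assumes every group member is a user whose UPN ends in var.domain; a nested group, service principal or guest (#EXT#) member would make the azuread_user lookup fail or yield an unexpected prefix, so those would need filtering first.

```hcl
# Added example, not the asker's code. Assumes the azuread.corpad alias from the
# question is configured for the source (corp) tenant.
variable "source_groups" {
  type    = list(string)
  default = ["my_dev_group_1", "my_dev_group_2"] # constructed sample
}

variable "domain" {
  type    = string
  default = "@example.com"
}

# One read per source group; for_each needs a set, so convert the list.
data "azuread_group" "corp_ad_group" {
  for_each         = toset(var.source_groups)
  provider         = azuread.corpad
  display_name     = each.key
  security_enabled = true
}

locals {
  # Union of member object ids across all groups: a user who is in several
  # groups is looked up only once.
  corp_member_ids = toset(flatten([
    for g in data.azuread_group.corp_ad_group : g.members
  ]))
}

# One read per distinct member object id; this is the per-object lookup from
# the question, now driven by for_each.
data "azuread_user" "corp_ad_user" {
  for_each  = local.corp_member_ids
  provider  = azuread.corpad
  object_id = each.key
}

locals {
  # group display name => sorted list of UPN prefixes, the same shape as the
  # user_groups map consumed by the dev-tenant code in the question.
  user_groups = {
    for name, g in data.azuread_group.corp_ad_group :
    name => sort([
      for id in g.members :
      trimsuffix(data.azuread_user.corp_ad_user[id].user_principal_name, var.domain)
    ])
  }
}

# Internal structure: usable directly as the input to the dev-tenant module.
output "user_groups" {
  value = local.user_groups
}

# Local file system: a *.auto.tfvars.json file is picked up automatically by a
# separate root module for the dev tenant. Requires the hashicorp/local provider.
resource "local_file" "user_groups_tfvars" {
  filename = "${path.module}/user_groups.auto.tfvars.json"
  content  = jsonencode({ user_groups = local.user_groups })
}
```

If the dev-tenant resources live in the same configuration, the local_file step can be skipped and local.user_groups passed straight into the locals block that builds groups_users_obj; keeping the two tenants in separate root modules only makes sense when they must be applied with different credentials or at different times.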