
Terraform Provider Support for External Identities and Connected Organisation in Identity Governance #1713

Open
@Harish-alla

Description


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

The current azuread Terraform provider supports some Identity Governance features, such as Access Packages and Catalogs, but lacks support for managing Connected Organizations, which are a critical component of Entitlement Management under Azure AD Identity Governance.

Additionally, there is currently no native Terraform support for managing Azure AD External Identities, including:

  • Azure B2B collaboration users

  • Cross-tenant access settings

  • External Identity policies

This limits automation and infrastructure-as-code capabilities for organizations managing multi-tenant or B2B collaboration environments.

While the Microsoft Graph API (Beta) offers some of these capabilities, current workarounds — such as invoking az rest through local-exec provisioners — break consistency with the standard Terraform provider model and hinder modular, reusable infrastructure code.

New or Affected Resource(s)

Expected new or extended support for:

  • azuread_connected_organization

  • azuread_cross_tenant_access_policy

  • azuread_external_identity_policy

  • Related data sources (e.g., data.azuread_connected_organization)

Potential Terraform Configuration
Example of what a Connected Organization resource could look like:

resource "azuread_connected_organization" "example" {
  display_name = "Contoso External"
  description  = "Partner tenant for support access"
  tenant_id    = "00000000-0000-0000-0000-000000000000"
}

Example for cross-tenant access:

resource "azuread_cross_tenant_access_policy" "default" {
  b2b_collaboration_inbound {
    is_default = true
    access_type = "Allow"
  }
}

Rationale

Adding native support for these Azure AD features will:

  • Close the current functionality gap in Identity Governance and External Identities
  • Improve DevOps automation and compliance via infrastructure as code
  • Eliminate workarounds involving raw REST API calls or scripting with az CLI
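For comparison, here is the local-exec / az rest workaround the issue asks to replace, written as an added example (not the issue author's configuration and not part of the provider). It assumes the Microsoft Graph beta connectedOrganizations endpoint and body shape, a placeholder partner tenant id, and an az CLI session holding EntitlementManagement.ReadWrite.All; the comments point out why this pattern does not give Terraform real lifecycle control.

```hcl
# Constructed example: the az rest workaround for creating a Connected
# Organization. Endpoint and body follow the Graph beta connectedOrganization
# resource; the tenant id is a placeholder supplied by the caller.
variable "partner_tenant_id" {
  type        = string
  description = "Placeholder: tenant id of the partner Entra tenant"
}

locals {
  connected_org_body = jsonencode({
    displayName = "Contoso External"
    description = "Partner tenant for support access"
    state       = "configured"
    identitySources = [{
      "@odata.type" = "#microsoft.graph.azureActiveDirectoryTenant"
      tenantId      = var.partner_tenant_id
    }]
  })
}

resource "null_resource" "connected_organization" {
  # The provisioner only runs on create, so a body change must force
  # replacement; Terraform never reads the object back and cannot detect
  # drift or a deletion made in the portal.
  triggers = {
    body = local.connected_org_body
  }

  provisioner "local-exec" {
    # Runs under the identity the local az CLI is logged in as, outside the
    # provider's credential handling and audit trail.
    command = <<-EOT
      az rest --method POST \
        --url "https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/connectedOrganizations" \
        --headers "Content-Type=application/json" \
        --body '${local.connected_org_body}'
    EOT
  }

  # No destroy-time provisioner is possible here: the object id returned by
  # the POST is not captured into state, so removal has to happen out of band.
}
```

A native azuread_connected_organization resource would close exactly these gaps: the provider would own the object id, refresh it on plan, and delete it on destroy.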
