Azure Active Directory (Azure AD) v6.2.0, Jan 21 25

Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

azuread.Group

Explore with Pulumi AI

Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

pulumi/pulumi-azuread

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: Group.ReadWrite.All or Directory.ReadWrite.All.

Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: Group.Create.

If using the assignable_to_role property, this resource additionally requires the RoleManagement.ReadWrite.Directory application role.

If specifying owners for a group, which are user principals, this resource additionally requires one of the following application roles: User.Read.All, User.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All

When authenticated with a user principal, this resource requires one of the following directory roles: Groups Administrator, User Administrator or Global Administrator

When creating this resource in administrative units exclusively, the directory role Groups Administrator is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the AdministrativeUnit.Read.All or Directory.Read.All application roles.

The external_senders_allowed, auto_subscribe_new_members, hide_from_address_lists and hide_from_outlook_clients properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and not a Guest. This is a known API issue; please see the Microsoft Graph Known Issues official documentation.

Example Usage

Basic example

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.Group("example", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
    securityEnabled: true,
});

import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.Group("example",
    display_name="example",
    owners=[current.object_id],
    security_enabled=True)

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
			SecurityEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.Group("example", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
        SecurityEnabled = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new Group("example", GroupArgs.builder()
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .securityEnabled(true)
            .build());

    }
}

resources:
  example:
    type: azuread:Group
    properties:
      displayName: example
      owners:
        - ${current.objectId}
      securityEnabled: true
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

Microsoft 365 group

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const groupOwner = new azuread.User("group_owner", {
    userPrincipalName: "example-group-owner@example.com",
    displayName: "Group Owner",
    mailNickname: "example-group-owner",
    password: "SecretP@sswd99!",
});
const example = new azuread.Group("example", {
    displayName: "example",
    mailEnabled: true,
    mailNickname: "ExampleGroup",
    securityEnabled: true,
    types: ["Unified"],
    owners: [
        current.then(current => current.objectId),
        groupOwner.objectId,
    ],
});

import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
group_owner = azuread.User("group_owner",
    user_principal_name="example-group-owner@example.com",
    display_name="Group Owner",
    mail_nickname="example-group-owner",
    password="SecretP@sswd99!")
example = azuread.Group("example",
    display_name="example",
    mail_enabled=True,
    mail_nickname="ExampleGroup",
    security_enabled=True,
    types=["Unified"],
    owners=[
        current.object_id,
        group_owner.object_id,
    ])

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		groupOwner, err := azuread.NewUser(ctx, "group_owner", &azuread.UserArgs{
			UserPrincipalName: pulumi.String("example-group-owner@example.com"),
			DisplayName:       pulumi.String("Group Owner"),
			MailNickname:      pulumi.String("example-group-owner"),
			Password:          pulumi.String("SecretP@sswd99!"),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
			DisplayName:     pulumi.String("example"),
			MailEnabled:     pulumi.Bool(true),
			MailNickname:    pulumi.String("ExampleGroup"),
			SecurityEnabled: pulumi.Bool(true),
			Types: pulumi.StringArray{
				pulumi.String("Unified"),
			},
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
				groupOwner.ObjectId,
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var groupOwner = new AzureAD.User("group_owner", new()
    {
        UserPrincipalName = "example-group-owner@example.com",
        DisplayName = "Group Owner",
        MailNickname = "example-group-owner",
        Password = "SecretP@sswd99!",
    });

    var example = new AzureAD.Group("example", new()
    {
        DisplayName = "example",
        MailEnabled = true,
        MailNickname = "ExampleGroup",
        SecurityEnabled = true,
        Types = new[]
        {
            "Unified",
        },
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
            groupOwner.ObjectId,
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.User;
import com.pulumi.azuread.UserArgs;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var groupOwner = new User("groupOwner", UserArgs.builder()
            .userPrincipalName("example-group-owner@example.com")
            .displayName("Group Owner")
            .mailNickname("example-group-owner")
            .password("SecretP@sswd99!")
            .build());

        var example = new Group("example", GroupArgs.builder()
            .displayName("example")
            .mailEnabled(true)
            .mailNickname("ExampleGroup")
            .securityEnabled(true)
            .types("Unified")
            .owners(            
                current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()),
                groupOwner.objectId())
            .build());

    }
}

resources:
  groupOwner:
    type: azuread:User
    name: group_owner
    properties:
      userPrincipalName: example-group-owner@example.com
      displayName: Group Owner
      mailNickname: example-group-owner
      password: SecretP@sswd99!
  example:
    type: azuread:Group
    properties:
      displayName: example
      mailEnabled: true
      mailNickname: ExampleGroup
      securityEnabled: true
      types:
        - Unified
      owners:
        - ${current.objectId}
        - ${groupOwner.objectId}
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

Group with members

Coming soon!

Coming soon!

Coming soon!

Coming soon!

Coming soon!

resources:
  example:
    type: azuread:User
    properties:
      displayName: J Doe
      owners:
        - ${current.objectId}
      password: notSecure123
      userPrincipalName: jdoe@example.com
  exampleGroup:
    type: azuread:Group
    name: example
    properties:
      displayName: MyGroup
      owners:
        - ${current.objectId}
      securityEnabled: true
      members:
        - ${example.objectId}
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

Group with dynamic membership

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.Group("example", {
    displayName: "MyGroup",
    owners: [current.then(current => current.objectId)],
    securityEnabled: true,
    types: ["DynamicMembership"],
    dynamicMembership: {
        enabled: true,
        rule: "user.department -eq \"Sales\"",
    },
});

import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.Group("example",
    display_name="MyGroup",
    owners=[current.object_id],
    security_enabled=True,
    types=["DynamicMembership"],
    dynamic_membership={
        "enabled": True,
        "rule": "user.department -eq \"Sales\"",
    })

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
			DisplayName: pulumi.String("MyGroup"),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
			SecurityEnabled: pulumi.Bool(true),
			Types: pulumi.StringArray{
				pulumi.String("DynamicMembership"),
			},
			DynamicMembership: &azuread.GroupDynamicMembershipArgs{
				Enabled: pulumi.Bool(true),
				Rule:    pulumi.String("user.department -eq \"Sales\""),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.Group("example", new()
    {
        DisplayName = "MyGroup",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
        SecurityEnabled = true,
        Types = new[]
        {
            "DynamicMembership",
        },
        DynamicMembership = new AzureAD.Inputs.GroupDynamicMembershipArgs
        {
            Enabled = true,
            Rule = "user.department -eq \"Sales\"",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import com.pulumi.azuread.inputs.GroupDynamicMembershipArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new Group("example", GroupArgs.builder()
            .displayName("MyGroup")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .securityEnabled(true)
            .types("DynamicMembership")
            .dynamicMembership(GroupDynamicMembershipArgs.builder()
                .enabled(true)
                .rule("user.department -eq \"Sales\"")
                .build())
            .build());

    }
}

resources:
  example:
    type: azuread:Group
    properties:
      displayName: MyGroup
      owners:
        - ${current.objectId}
      securityEnabled: true
      types:
        - DynamicMembership
      dynamicMembership:
        enabled: true
        rule: user.department -eq "Sales"
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

Create Group Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Group(name: string, args: GroupArgs, opts?: CustomResourceOptions);

@overload
def Group(resource_name: str,
          args: GroupArgs,
          opts: Optional[ResourceOptions] = None)

@overload
def Group(resource_name: str,
          opts: Optional[ResourceOptions] = None,
          display_name: Optional[str] = None,
          mail_enabled: Optional[bool] = None,
          assignable_to_role: Optional[bool] = None,
          mail_nickname: Optional[str] = None,
          onpremises_group_type: Optional[str] = None,
          members: Optional[Sequence[str]] = None,
          dynamic_membership: Optional[GroupDynamicMembershipArgs] = None,
          external_senders_allowed: Optional[bool] = None,
          hide_from_address_lists: Optional[bool] = None,
          hide_from_outlook_clients: Optional[bool] = None,
          administrative_unit_ids: Optional[Sequence[str]] = None,
          behaviors: Optional[Sequence[str]] = None,
          auto_subscribe_new_members: Optional[bool] = None,
          description: Optional[str] = None,
          owners: Optional[Sequence[str]] = None,
          prevent_duplicate_names: Optional[bool] = None,
          provisioning_options: Optional[Sequence[str]] = None,
          security_enabled: Optional[bool] = None,
          theme: Optional[str] = None,
          types: Optional[Sequence[str]] = None,
          visibility: Optional[str] = None,
          writeback_enabled: Optional[bool] = None)

func NewGroup(ctx *Context, name string, args GroupArgs, opts ...ResourceOption) (*Group, error)

public Group(string name, GroupArgs args, CustomResourceOptions? opts = null)

public Group(String name, GroupArgs args)
public Group(String name, GroupArgs args, CustomResourceOptions options)

type: azuread:Group
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args GroupArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args GroupArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args GroupArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args GroupArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args GroupArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var groupResource = new AzureAD.Group("groupResource", new()
{
    DisplayName = "string",
    MailEnabled = false,
    AssignableToRole = false,
    MailNickname = "string",
    OnpremisesGroupType = "string",
    Members = new[]
    {
        "string",
    },
    DynamicMembership = new AzureAD.Inputs.GroupDynamicMembershipArgs
    {
        Enabled = false,
        Rule = "string",
    },
    ExternalSendersAllowed = false,
    HideFromAddressLists = false,
    HideFromOutlookClients = false,
    AdministrativeUnitIds = new[]
    {
        "string",
    },
    Behaviors = new[]
    {
        "string",
    },
    AutoSubscribeNewMembers = false,
    Description = "string",
    Owners = new[]
    {
        "string",
    },
    PreventDuplicateNames = false,
    ProvisioningOptions = new[]
    {
        "string",
    },
    SecurityEnabled = false,
    Theme = "string",
    Types = new[]
    {
        "string",
    },
    Visibility = "string",
    WritebackEnabled = false,
});

example, err := azuread.NewGroup(ctx, "groupResource", &azuread.GroupArgs{
	DisplayName:         pulumi.String("string"),
	MailEnabled:         pulumi.Bool(false),
	AssignableToRole:    pulumi.Bool(false),
	MailNickname:        pulumi.String("string"),
	OnpremisesGroupType: pulumi.String("string"),
	Members: pulumi.StringArray{
		pulumi.String("string"),
	},
	DynamicMembership: &azuread.GroupDynamicMembershipArgs{
		Enabled: pulumi.Bool(false),
		Rule:    pulumi.String("string"),
	},
	ExternalSendersAllowed: pulumi.Bool(false),
	HideFromAddressLists:   pulumi.Bool(false),
	HideFromOutlookClients: pulumi.Bool(false),
	AdministrativeUnitIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	Behaviors: pulumi.StringArray{
		pulumi.String("string"),
	},
	AutoSubscribeNewMembers: pulumi.Bool(false),
	Description:             pulumi.String("string"),
	Owners: pulumi.StringArray{
		pulumi.String("string"),
	},
	PreventDuplicateNames: pulumi.Bool(false),
	ProvisioningOptions: pulumi.StringArray{
		pulumi.String("string"),
	},
	SecurityEnabled: pulumi.Bool(false),
	Theme:           pulumi.String("string"),
	Types: pulumi.StringArray{
		pulumi.String("string"),
	},
	Visibility:       pulumi.String("string"),
	WritebackEnabled: pulumi.Bool(false),
})

var groupResource = new Group("groupResource", GroupArgs.builder()
    .displayName("string")
    .mailEnabled(false)
    .assignableToRole(false)
    .mailNickname("string")
    .onpremisesGroupType("string")
    .members("string")
    .dynamicMembership(GroupDynamicMembershipArgs.builder()
        .enabled(false)
        .rule("string")
        .build())
    .externalSendersAllowed(false)
    .hideFromAddressLists(false)
    .hideFromOutlookClients(false)
    .administrativeUnitIds("string")
    .behaviors("string")
    .autoSubscribeNewMembers(false)
    .description("string")
    .owners("string")
    .preventDuplicateNames(false)
    .provisioningOptions("string")
    .securityEnabled(false)
    .theme("string")
    .types("string")
    .visibility("string")
    .writebackEnabled(false)
    .build());

group_resource = azuread.Group("groupResource",
    display_name="string",
    mail_enabled=False,
    assignable_to_role=False,
    mail_nickname="string",
    onpremises_group_type="string",
    members=["string"],
    dynamic_membership={
        "enabled": False,
        "rule": "string",
    },
    external_senders_allowed=False,
    hide_from_address_lists=False,
    hide_from_outlook_clients=False,
    administrative_unit_ids=["string"],
    behaviors=["string"],
    auto_subscribe_new_members=False,
    description="string",
    owners=["string"],
    prevent_duplicate_names=False,
    provisioning_options=["string"],
    security_enabled=False,
    theme="string",
    types=["string"],
    visibility="string",
    writeback_enabled=False)

const groupResource = new azuread.Group("groupResource", {
    displayName: "string",
    mailEnabled: false,
    assignableToRole: false,
    mailNickname: "string",
    onpremisesGroupType: "string",
    members: ["string"],
    dynamicMembership: {
        enabled: false,
        rule: "string",
    },
    externalSendersAllowed: false,
    hideFromAddressLists: false,
    hideFromOutlookClients: false,
    administrativeUnitIds: ["string"],
    behaviors: ["string"],
    autoSubscribeNewMembers: false,
    description: "string",
    owners: ["string"],
    preventDuplicateNames: false,
    provisioningOptions: ["string"],
    securityEnabled: false,
    theme: "string",
    types: ["string"],
    visibility: "string",
    writebackEnabled: false,
});

type: azuread:Group
properties:
    administrativeUnitIds:
        - string
    assignableToRole: false
    autoSubscribeNewMembers: false
    behaviors:
        - string
    description: string
    displayName: string
    dynamicMembership:
        enabled: false
        rule: string
    externalSendersAllowed: false
    hideFromAddressLists: false
    hideFromOutlookClients: false
    mailEnabled: false
    mailNickname: string
    members:
        - string
    onpremisesGroupType: string
    owners:
        - string
    preventDuplicateNames: false
    provisioningOptions:
        - string
    securityEnabled: false
    theme: string
    types:
        - string
    visibility: string
    writebackEnabled: false

Group Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Group resource accepts the following input properties:

DisplayName string

The display name for the group.

AdministrativeUnitIds List<string>

The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

AssignableToRole bool

Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.

AutoSubscribeNewMembers bool

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

Behaviors List<string>

A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SkipExchangeInstantOn, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.

Description string

The description for the group.

DynamicMembership Pulumi.AzureAD.Inputs.GroupDynamicMembership

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

ExternalSendersAllowed bool

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromAddressLists bool

Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromOutlookClients bool

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

MailEnabled bool

Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).

MailNickname string

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

Members List<string>

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

OnpremisesGroupType string

The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.

Owners List<string>

A set of owners who own this group. Supported object types are Users or Service Principals

PreventDuplicateNames bool

If true, will return an error if an existing group is found with the same name. Defaults to false.

ProvisioningOptions List<string>

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

SecurityEnabled bool

Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).

Theme string

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

Types List<string>

A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

Visibility string

The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

WritebackEnabled bool

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

DisplayName string

The display name for the group.

AdministrativeUnitIds []string

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

AssignableToRole bool

AutoSubscribeNewMembers bool

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

Behaviors []string

Description string

The description for the group.

DynamicMembership GroupDynamicMembershipArgs

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

ExternalSendersAllowed bool

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromAddressLists bool

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromOutlookClients bool

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

MailEnabled bool

MailNickname string

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

Members []string

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

OnpremisesGroupType string

Owners []string

A set of owners who own this group. Supported object types are Users or Service Principals

PreventDuplicateNames bool

If true, will return an error if an existing group is found with the same name. Defaults to false.

ProvisioningOptions []string

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

SecurityEnabled bool

Theme string

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

Types []string

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

Visibility string

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

WritebackEnabled bool

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

displayName String

The display name for the group.

administrativeUnitIds List<String>

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignableToRole Boolean

autoSubscribeNewMembers Boolean

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors List<String>

description String

The description for the group.

dynamicMembership GroupDynamicMembership

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

externalSendersAllowed Boolean

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromAddressLists Boolean

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromOutlookClients Boolean

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mailEnabled Boolean

mailNickname String

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members List<String>

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

onpremisesGroupType String

owners List<String>

A set of owners who own this group. Supported object types are Users or Service Principals

preventDuplicateNames Boolean

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioningOptions List<String>

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

securityEnabled Boolean

theme String

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types List<String>

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility String

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writebackEnabled Boolean

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

displayName string

The display name for the group.

administrativeUnitIds string[]

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignableToRole boolean

autoSubscribeNewMembers boolean

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors string[]

description string

The description for the group.

dynamicMembership GroupDynamicMembership

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

externalSendersAllowed boolean

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromAddressLists boolean

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromOutlookClients boolean

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mailEnabled boolean

mailNickname string

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members string[]

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

onpremisesGroupType string

owners string[]

A set of owners who own this group. Supported object types are Users or Service Principals

preventDuplicateNames boolean

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioningOptions string[]

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

securityEnabled boolean

theme string

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types string[]

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility string

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writebackEnabled boolean

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

display_name str

The display name for the group.

administrative_unit_ids Sequence[str]

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignable_to_role bool

auto_subscribe_new_members bool

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors Sequence[str]

description str

The description for the group.

dynamic_membership GroupDynamicMembershipArgs

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

external_senders_allowed bool

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hide_from_address_lists bool

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hide_from_outlook_clients bool

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mail_enabled bool

mail_nickname str

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members Sequence[str]

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

onpremises_group_type str

owners Sequence[str]

A set of owners who own this group. Supported object types are Users or Service Principals

prevent_duplicate_names bool

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioning_options Sequence[str]

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

security_enabled bool

theme str

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types Sequence[str]

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility str

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writeback_enabled bool

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

displayName String

The display name for the group.

administrativeUnitIds List<String>

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignableToRole Boolean

autoSubscribeNewMembers Boolean

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors List<String>

description String

The description for the group.

dynamicMembership Property Map

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

externalSendersAllowed Boolean

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromAddressLists Boolean

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromOutlookClients Boolean

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mailEnabled Boolean

mailNickname String

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members List<String>

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

onpremisesGroupType String

owners List<String>

A set of owners who own this group. Supported object types are Users or Service Principals

preventDuplicateNames Boolean

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioningOptions List<String>

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

securityEnabled Boolean

theme String

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types List<String>

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility String

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writebackEnabled Boolean

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the Group resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Mail string: The SMTP address for the group.
ObjectId string: The object ID of the group.
OnpremisesDomainName string: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesNetbiosName string: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesSamAccountName string: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesSecurityIdentifier string: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesSyncEnabled bool: Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
PreferredLanguage string: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
ProxyAddresses List<string>: List of email addresses for the group that direct to the same group mailbox.

Id string: The provider-assigned unique ID for this managed resource.
Mail string: The SMTP address for the group.
ObjectId string: The object ID of the group.
OnpremisesDomainName string: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesNetbiosName string: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesSamAccountName string: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesSecurityIdentifier string: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
OnpremisesSyncEnabled bool: Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
PreferredLanguage string: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
ProxyAddresses []string: List of email addresses for the group that direct to the same group mailbox.

id String: The provider-assigned unique ID for this managed resource.
mail String: The SMTP address for the group.
objectId String: The object ID of the group.
onpremisesDomainName String: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesNetbiosName String: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSamAccountName String: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSecurityIdentifier String: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSyncEnabled Boolean: Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
preferredLanguage String: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
proxyAddresses List<String>: List of email addresses for the group that direct to the same group mailbox.

id string: The provider-assigned unique ID for this managed resource.
mail string: The SMTP address for the group.
objectId string: The object ID of the group.
onpremisesDomainName string: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesNetbiosName string: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSamAccountName string: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSecurityIdentifier string: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSyncEnabled boolean: Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
preferredLanguage string: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
proxyAddresses string[]: List of email addresses for the group that direct to the same group mailbox.

id str: The provider-assigned unique ID for this managed resource.
mail str: The SMTP address for the group.
object_id str: The object ID of the group.
onpremises_domain_name str: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
onpremises_netbios_name str: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremises_sam_account_name str: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremises_security_identifier str: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
onpremises_sync_enabled bool: Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
preferred_language str: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
proxy_addresses Sequence[str]: List of email addresses for the group that direct to the same group mailbox.

id String: The provider-assigned unique ID for this managed resource.
mail String: The SMTP address for the group.
objectId String: The object ID of the group.
onpremisesDomainName String: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesNetbiosName String: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSamAccountName String: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSecurityIdentifier String: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
onpremisesSyncEnabled Boolean: Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
preferredLanguage String: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
proxyAddresses List<String>: List of email addresses for the group that direct to the same group mailbox.

Look up Existing Group Resource

Get an existing Group resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: GroupState, opts?: CustomResourceOptions): Group

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        administrative_unit_ids: Optional[Sequence[str]] = None,
        assignable_to_role: Optional[bool] = None,
        auto_subscribe_new_members: Optional[bool] = None,
        behaviors: Optional[Sequence[str]] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        dynamic_membership: Optional[GroupDynamicMembershipArgs] = None,
        external_senders_allowed: Optional[bool] = None,
        hide_from_address_lists: Optional[bool] = None,
        hide_from_outlook_clients: Optional[bool] = None,
        mail: Optional[str] = None,
        mail_enabled: Optional[bool] = None,
        mail_nickname: Optional[str] = None,
        members: Optional[Sequence[str]] = None,
        object_id: Optional[str] = None,
        onpremises_domain_name: Optional[str] = None,
        onpremises_group_type: Optional[str] = None,
        onpremises_netbios_name: Optional[str] = None,
        onpremises_sam_account_name: Optional[str] = None,
        onpremises_security_identifier: Optional[str] = None,
        onpremises_sync_enabled: Optional[bool] = None,
        owners: Optional[Sequence[str]] = None,
        preferred_language: Optional[str] = None,
        prevent_duplicate_names: Optional[bool] = None,
        provisioning_options: Optional[Sequence[str]] = None,
        proxy_addresses: Optional[Sequence[str]] = None,
        security_enabled: Optional[bool] = None,
        theme: Optional[str] = None,
        types: Optional[Sequence[str]] = None,
        visibility: Optional[str] = None,
        writeback_enabled: Optional[bool] = None) -> Group

func GetGroup(ctx *Context, name string, id IDInput, state *GroupState, opts ...ResourceOption) (*Group, error)

public static Group Get(string name, Input<string> id, GroupState? state, CustomResourceOptions? opts = null)

public static Group get(String name, Output<String> id, GroupState state, CustomResourceOptions options)

resources:  _:    type: azuread:Group    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdministrativeUnitIds List<string>

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

AssignableToRole bool

AutoSubscribeNewMembers bool

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

Behaviors List<string>

Description string

The description for the group.

DisplayName string

The display name for the group.

DynamicMembership Pulumi.AzureAD.Inputs.GroupDynamicMembership

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

ExternalSendersAllowed bool

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromAddressLists bool

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromOutlookClients bool

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

Mail string

The SMTP address for the group.

MailEnabled bool

MailNickname string

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

Members List<string>

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

ObjectId string

The object ID of the group.

OnpremisesDomainName string

The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesGroupType string

OnpremisesNetbiosName string

The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesSamAccountName string

The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesSecurityIdentifier string

The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesSyncEnabled bool

Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).

Owners List<string>

A set of owners who own this group. Supported object types are Users or Service Principals

PreferredLanguage string

The preferred language for a Microsoft 365 group, in ISO 639-1 notation.

PreventDuplicateNames bool

If true, will return an error if an existing group is found with the same name. Defaults to false.

ProvisioningOptions List<string>

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

ProxyAddresses List<string>

List of email addresses for the group that direct to the same group mailbox.

SecurityEnabled bool

Theme string

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

Types List<string>

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

Visibility string

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

WritebackEnabled bool

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

AdministrativeUnitIds []string

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

AssignableToRole bool

AutoSubscribeNewMembers bool

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

Behaviors []string

Description string

The description for the group.

DisplayName string

The display name for the group.

DynamicMembership GroupDynamicMembershipArgs

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

ExternalSendersAllowed bool

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromAddressLists bool

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

HideFromOutlookClients bool

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

Mail string

The SMTP address for the group.

MailEnabled bool

MailNickname string

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

Members []string

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

ObjectId string

The object ID of the group.

OnpremisesDomainName string

The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesGroupType string

OnpremisesNetbiosName string

The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesSamAccountName string

The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesSecurityIdentifier string

The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.

OnpremisesSyncEnabled bool

Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).

Owners []string

A set of owners who own this group. Supported object types are Users or Service Principals

PreferredLanguage string

The preferred language for a Microsoft 365 group, in ISO 639-1 notation.

PreventDuplicateNames bool

If true, will return an error if an existing group is found with the same name. Defaults to false.

ProvisioningOptions []string

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

ProxyAddresses []string

List of email addresses for the group that direct to the same group mailbox.

SecurityEnabled bool

Theme string

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

Types []string

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

Visibility string

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

WritebackEnabled bool

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

administrativeUnitIds List<String>

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignableToRole Boolean

autoSubscribeNewMembers Boolean

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors List<String>

description String

The description for the group.

displayName String

The display name for the group.

dynamicMembership GroupDynamicMembership

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

externalSendersAllowed Boolean

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromAddressLists Boolean

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromOutlookClients Boolean

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mail String

The SMTP address for the group.

mailEnabled Boolean

mailNickname String

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members List<String>

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

objectId String

The object ID of the group.

onpremisesDomainName String

The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesGroupType String

onpremisesNetbiosName String

The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSamAccountName String

The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSecurityIdentifier String

The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSyncEnabled Boolean

Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).

owners List<String>

A set of owners who own this group. Supported object types are Users or Service Principals

preferredLanguage String

The preferred language for a Microsoft 365 group, in ISO 639-1 notation.

preventDuplicateNames Boolean

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioningOptions List<String>

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

proxyAddresses List<String>

List of email addresses for the group that direct to the same group mailbox.

securityEnabled Boolean

theme String

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types List<String>

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility String

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writebackEnabled Boolean

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

administrativeUnitIds string[]

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignableToRole boolean

autoSubscribeNewMembers boolean

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors string[]

description string

The description for the group.

displayName string

The display name for the group.

dynamicMembership GroupDynamicMembership

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

externalSendersAllowed boolean

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromAddressLists boolean

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromOutlookClients boolean

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mail string

The SMTP address for the group.

mailEnabled boolean

mailNickname string

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members string[]

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

objectId string

The object ID of the group.

onpremisesDomainName string

The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesGroupType string

onpremisesNetbiosName string

The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSamAccountName string

The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSecurityIdentifier string

The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSyncEnabled boolean

Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).

owners string[]

A set of owners who own this group. Supported object types are Users or Service Principals

preferredLanguage string

The preferred language for a Microsoft 365 group, in ISO 639-1 notation.

preventDuplicateNames boolean

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioningOptions string[]

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

proxyAddresses string[]

List of email addresses for the group that direct to the same group mailbox.

securityEnabled boolean

theme string

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types string[]

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility string

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writebackEnabled boolean

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

administrative_unit_ids Sequence[str]

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignable_to_role bool

auto_subscribe_new_members bool

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors Sequence[str]

description str

The description for the group.

display_name str

The display name for the group.

dynamic_membership GroupDynamicMembershipArgs

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

external_senders_allowed bool

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hide_from_address_lists bool

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hide_from_outlook_clients bool

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mail str

The SMTP address for the group.

mail_enabled bool

mail_nickname str

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members Sequence[str]

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

object_id str

The object ID of the group.

onpremises_domain_name str

The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.

onpremises_group_type str

onpremises_netbios_name str

The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremises_sam_account_name str

The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremises_security_identifier str

The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.

onpremises_sync_enabled bool

Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).

owners Sequence[str]

A set of owners who own this group. Supported object types are Users or Service Principals

preferred_language str

The preferred language for a Microsoft 365 group, in ISO 639-1 notation.

prevent_duplicate_names bool

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioning_options Sequence[str]

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

proxy_addresses Sequence[str]

List of email addresses for the group that direct to the same group mailbox.

security_enabled bool

theme str

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types Sequence[str]

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility str

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writeback_enabled bool

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

administrativeUnitIds List<String>

Caution When using the azuread.AdministrativeUnitMember resource, or the members property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an ignore_changes = [administrative_unit_ids] lifecycle meta argument for the azuread.Group resource, in order to avoid a persistent diff.

assignableToRole Boolean

autoSubscribeNewMembers Boolean

Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

behaviors List<String>

description String

The description for the group.

displayName String

The display name for the group.

dynamicMembership Property Map

A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.

externalSendersAllowed Boolean

Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromAddressLists Boolean

Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

hideFromOutlookClients Boolean

Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

mail String

The SMTP address for the group.

mailEnabled Boolean

mailNickname String

The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.

members List<String>

A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

!> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

objectId String

The object ID of the group.

onpremisesDomainName String

The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesGroupType String

onpremisesNetbiosName String

The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSamAccountName String

The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSecurityIdentifier String

The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.

onpremisesSyncEnabled Boolean

Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).

owners List<String>

A set of owners who own this group. Supported object types are Users or Service Principals

preferredLanguage String

The preferred language for a Microsoft 365 group, in ISO 639-1 notation.

preventDuplicateNames Boolean

If true, will return an error if an existing group is found with the same name. Defaults to false.

provisioningOptions List<String>

A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.

proxyAddresses List<String>

List of email addresses for the group that direct to the same group mailbox.

securityEnabled Boolean

theme String

The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.

types List<String>

Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

visibility String

Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

writebackEnabled Boolean

Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

Supporting Types

GroupDynamicMembership, GroupDynamicMembershipArgs

Enabled bool: Whether rule processing is "On" (true) or "Paused" (false).
Rule string: The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.
Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

Enabled bool: Whether rule processing is "On" (true) or "Paused" (false).
Rule string: The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.
Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

enabled Boolean: Whether rule processing is "On" (true) or "Paused" (false).
rule String: The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.
Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

enabled boolean: Whether rule processing is "On" (true) or "Paused" (false).
rule string: The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.
Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

enabled bool: Whether rule processing is "On" (true) or "Paused" (false).
rule str: The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.
Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

enabled Boolean: Whether rule processing is "On" (true) or "Paused" (false).
rule String: The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.
Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

Import

Groups can be imported using their object ID, e.g.

$ pulumi import azuread:index/group:Group my_group /groups/00000000-0000-0000-0000-000000000000

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License: Apache-2.0
Notes: This Pulumi package is based on the azuread Terraform Provider.

Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

pulumi/pulumi-azuread

azuread.Group

On this page

On this page

API Permissions

Example Usage

Create Group Resource

Constructor syntax

Parameters

Constructor example

Group Resource Properties

Inputs

Outputs

Look up Existing Group Resource

Supporting Types

GroupDynamicMembership, GroupDynamicMembershipArgs

Import

Package Details

On this page

On this page