Many large customers have additional requirements around the management of the Entra ID object that a service connection creates and the permissions it is assigned to.
6
+
Many Enterprise customers have requirements around the management of Entra [workload identities](https://learn.microsoft.com/entra/workload-id/workload-identities-overview) (applications, service principals, managed identities) and the permissions they are assigned to.
7
7
8
8
These are a few common requirements and constraints:
9
9
10
10
- Specific secret expiration and auto-rotation control
11
11
- Custom role assignments for Azure [data plane](https://learn.microsoft.com/azure/azure-resource-manager/management/control-plane-and-data-plane#data-plane) access e.g. [Key Vault](https://learn.microsoft.com/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations), [Kusto](https://learn.microsoft.com/azure/data-explorer/kusto/access-control/role-based-access-control), [Storage](https://learn.microsoft.com/azure/storage/blobs/assign-azure-role-data-access?tabs=portal)
12
-
- Creation of app registrations is [disabled in Entra ID](https://learn.microsoft.com/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications) or the use of Managed Identities for Azure access is explicitly mandated
13
-
- Required ITSM metadata on Entra ID app registration (IT Service Management Reference, naming convention, notes)
14
-
- Co-owners are required to exist for Entra ID app registrations
15
-
- The organization has an IT fulfillment process where identities are automatically created based on a service request
12
+
- Creation of app registrations is [disabled in Entra ID](https://learn.microsoft.com/entra/identity/role-based-access-control/delegate-app-roles#restrict-who-can-create-applications) and/or
13
+
the use of Managed Identities for Azure access is mandated
14
+
- ITSM metadata is required on Entra ID objects (service nanagement reference, naming convention, notes)
15
+
- Co-owners are required to exist for Entra ID apps
16
+
- An IT fulfillment process exists where identities are automatically provisioned based on a service request
16
17
17
18
## Why Terraform?
18
19
19
-
Terraform employs a provider model which enable all changes to be made by a single tool and configuration:
20
+
Terraform employs a provider model which enables all changes to be made by a single tool and configuration:
| Entra ID |[azuread](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs)|[Microsoft Graph API](https://learn.microsoft.com/graph/use-the-api)|
26
27
27
-
Terraform is a declarative tool that is capable if inferring dependencies to create resources in the correct order. This is the output from `terraform graph`:
28
+
HCL, the language used, is declarative and the tool is capable if inferring dependencies to create resources in order. This is the output from `terraform graph`:
28
29

29
30
30
31
More information:
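Review bot: the added bullet `- ITSM metadata is required on Entra ID objects (service nanagement reference, naming convention, notes)` (new line 14) has a typo, `nanagement` should be `management`. The rewritten sentence at new line 28 also carries over the pre-existing `capable if inferring` from the removed line 27; it should read `capable of inferring`. One layout point: the bullet `- Creation of app registrations is ... and/or` now continues on a separate, unindented source line (`the use of Managed Identities for Azure access is mandated`); Markdown treats that as a lazy continuation so it still renders as one item, but indenting the continuation line by two spaces, or keeping the item on one line as the removed version did, makes the intent unambiguous.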
@@ -42,6 +43,13 @@ Provisioning is a matter of specifying [variables](https://developer.hashicorp.c
42
43
43
44
Terraform variable can be provided as a .auto.tfvars file, see [sample](config.auto.tfvars.sample).
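Review bot: the hunk header `@@ -42,6 +43,13 @@` announces seven added lines after the context line `Terraform variable can be provided as a .auto.tfvars file`, but none of them are visible in this view, so the addition itself cannot be reviewed here. Since the hunk touches this region anyway, the context line's `Terraform variable can be provided` should become `Terraform variables can be provided`.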