Identity Management with Azure Active Directory

Question

Pulumi · Accepted Answer

Azure Active Directory (AAD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources. You can use it to control access to your apps and app resources, based on your business requirements.

In Pulumi, you can manage Azure Active Directory resources using the `pulumi_azuread` package. This package allows you to create and manage Azure Active Directory objects such as users, groups, and applications.

Here's a Pulumi program that demonstrates how to create a new Azure AD user and a service principal. The service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This identity is known as a service principal.

First, you would need to install the `pulumi_azuread` package using pip:

```bash
pip install pulumi_azuread
```

Now, let's write the Pulumi program to create a user and a service principal in Azure Active Directory.

```python
import pulumi
import pulumi_azuread as azuread

# Create an Azure AD user
user = azuread.User("example-user",
    # Specifies the various properties required to create a user.
    user_principal_name="jdoe@pulumiexample.onmicrosoft.com",
    display_name="John Doe",
    mail_nickname="johndoe",
    password="Supersecret123#",
    # The account_enable argument enables the user account, allowing the user to sign in.
    account_enabled=True,
)

# Create an Azure AD application
application = azuread.Application("example-application",
    display_name="example-app"
)

# Create a service principal for the application
service_principal = azuread.ServicePrincipal("example-service-principal",
    application_id=application.application_id,
)

# Outputs
pulumi.export('user_principal_name', user.user_principal_name)
pulumi.export('application_id', application.application_id)
pulumi.export('service_principal_id', service_principal.id)
```

Here's what each part of the code does:

- The `azuread.User` resource creates a new user in Azure Active Directory. You must provide at least the `user_principal_name`, `display_name`, `mail_nickname`, and `password` for the user.
- The `azuread.Application` resource creates a new application registration in Azure AD. This application can then be configured with permissions to allow it to access other Azure resources.
- The `azuread.ServicePrincipal` resource creates a service principal associated with the application. This service principal is what you'd typically use within your applications or automation scripts to allow them to authenticate against and use Azure resources.

After running the Pulumi program with `pulumi up`, it will output the user principal name, the application ID, and the service principal ID. These details can be used to interact with other Azure services or to manage permissions.

This program will work in a Pulumi environment where the Azure provider has been configured with the necessary credentials. In a typical setup, you would have a prior `pulumi login` and Azure CLI login with `az login`, or you would set the required environment variables for Azure authentication.