1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. Group
Azure Active Directory (Azure AD) v5.47.1 published on Friday, Feb 9, 2024 by Pulumi

azuread.Group

Explore with Pulumi AI

azuread logo
Azure Active Directory (Azure AD) v5.47.1 published on Friday, Feb 9, 2024 by Pulumi

    Manages a group within Azure Active Directory.

    API Permissions

    The following API permissions are required in order to use this resource.

    When authenticated with a service principal, this resource requires one of the following application roles: Group.ReadWrite.All or Directory.ReadWrite.All.

    Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: Group.Create.

    If using the assignable_to_role property, this resource additionally requires one of the following application roles: RoleManagement.ReadWrite.Directory or Directory.ReadWrite.All

    If specifying owners for a group, which are user principals, this resource additionally requires one of the following application roles: User.Read.All, User.ReadWrite.All, Directory.Read.All or Directory.ReadWrite.All

    When authenticated with a user principal, this resource requires one of the following directory roles: Groups Administrator, User Administrator or Global Administrator

    When creating this resource in administrative units exclusively, the role Groups Administrator is required to be scoped on any administrative unit used.

    The external_senders_allowed, auto_subscribe_new_members, hide_from_address_lists and hide_from_outlook_clients properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and not a Guest. This is a known API issue; please see the Microsoft Graph Known Issues official documentation.

    Example Usage

    Basic example

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var example = new AzureAD.Group("example", new()
        {
            DisplayName = "example",
            Owners = new[]
            {
                current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
            },
            SecurityEnabled = true,
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
    			DisplayName: pulumi.String("example"),
    			Owners: pulumi.StringArray{
    				*pulumi.String(current.ObjectId),
    			},
    			SecurityEnabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.Group;
    import com.pulumi.azuread.GroupArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var example = new Group("example", GroupArgs.builder()        
                .displayName("example")
                .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .securityEnabled(true)
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    example = azuread.Group("example",
        display_name="example",
        owners=[current.object_id],
        security_enabled=True)
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const example = new azuread.Group("example", {
        displayName: "example",
        owners: [current.then(current => current.objectId)],
        securityEnabled: true,
    });
    
    resources:
      example:
        type: azuread:Group
        properties:
          displayName: example
          owners:
            - ${current.objectId}
          securityEnabled: true
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Microsoft 365 group

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var groupOwner = new AzureAD.User("groupOwner", new()
        {
            UserPrincipalName = "example-group-owner@example.com",
            DisplayName = "Group Owner",
            MailNickname = "example-group-owner",
            Password = "SecretP@sswd99!",
        });
    
        var example = new AzureAD.Group("example", new()
        {
            DisplayName = "example",
            MailEnabled = true,
            MailNickname = "ExampleGroup",
            SecurityEnabled = true,
            Types = new[]
            {
                "Unified",
            },
            Owners = new[]
            {
                current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                groupOwner.ObjectId,
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		groupOwner, err := azuread.NewUser(ctx, "groupOwner", &azuread.UserArgs{
    			UserPrincipalName: pulumi.String("example-group-owner@example.com"),
    			DisplayName:       pulumi.String("Group Owner"),
    			MailNickname:      pulumi.String("example-group-owner"),
    			Password:          pulumi.String("SecretP@sswd99!"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
    			DisplayName:     pulumi.String("example"),
    			MailEnabled:     pulumi.Bool(true),
    			MailNickname:    pulumi.String("ExampleGroup"),
    			SecurityEnabled: pulumi.Bool(true),
    			Types: pulumi.StringArray{
    				pulumi.String("Unified"),
    			},
    			Owners: pulumi.StringArray{
    				*pulumi.String(current.ObjectId),
    				groupOwner.ObjectId,
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.User;
    import com.pulumi.azuread.UserArgs;
    import com.pulumi.azuread.Group;
    import com.pulumi.azuread.GroupArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var groupOwner = new User("groupOwner", UserArgs.builder()        
                .userPrincipalName("example-group-owner@example.com")
                .displayName("Group Owner")
                .mailNickname("example-group-owner")
                .password("SecretP@sswd99!")
                .build());
    
            var example = new Group("example", GroupArgs.builder()        
                .displayName("example")
                .mailEnabled(true)
                .mailNickname("ExampleGroup")
                .securityEnabled(true)
                .types("Unified")
                .owners(            
                    current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()),
                    groupOwner.objectId())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    group_owner = azuread.User("groupOwner",
        user_principal_name="example-group-owner@example.com",
        display_name="Group Owner",
        mail_nickname="example-group-owner",
        password="SecretP@sswd99!")
    example = azuread.Group("example",
        display_name="example",
        mail_enabled=True,
        mail_nickname="ExampleGroup",
        security_enabled=True,
        types=["Unified"],
        owners=[
            current.object_id,
            group_owner.object_id,
        ])
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const groupOwner = new azuread.User("groupOwner", {
        userPrincipalName: "example-group-owner@example.com",
        displayName: "Group Owner",
        mailNickname: "example-group-owner",
        password: "SecretP@sswd99!",
    });
    const example = new azuread.Group("example", {
        displayName: "example",
        mailEnabled: true,
        mailNickname: "ExampleGroup",
        securityEnabled: true,
        types: ["Unified"],
        owners: [
            current.then(current => current.objectId),
            groupOwner.objectId,
        ],
    });
    
    resources:
      groupOwner:
        type: azuread:User
        properties:
          userPrincipalName: example-group-owner@example.com
          displayName: Group Owner
          mailNickname: example-group-owner
          password: SecretP@sswd99!
      example:
        type: azuread:Group
        properties:
          displayName: example
          mailEnabled: true
          mailNickname: ExampleGroup
          securityEnabled: true
          types:
            - Unified
          owners:
            - ${current.objectId}
            - ${groupOwner.objectId}
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Group with members

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var example = new AzureAD.Group("example", new()
        {
            DisplayName = "MyGroup",
            Owners = new[]
            {
                current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
            },
            SecurityEnabled = true,
            Types = new[]
            {
                "DynamicMembership",
            },
            DynamicMembership = new AzureAD.Inputs.GroupDynamicMembershipArgs
            {
                Enabled = true,
                Rule = "user.department -eq \"Sales\"",
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
    			DisplayName: pulumi.String("MyGroup"),
    			Owners: pulumi.StringArray{
    				*pulumi.String(current.ObjectId),
    			},
    			SecurityEnabled: pulumi.Bool(true),
    			Types: pulumi.StringArray{
    				pulumi.String("DynamicMembership"),
    			},
    			DynamicMembership: &azuread.GroupDynamicMembershipArgs{
    				Enabled: pulumi.Bool(true),
    				Rule:    pulumi.String("user.department -eq \"Sales\""),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.User;
    import com.pulumi.azuread.UserArgs;
    import com.pulumi.azuread.Group;
    import com.pulumi.azuread.GroupArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var exampleUser = new User("exampleUser", UserArgs.builder()        
                .displayName("J Doe")
                .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .password("notSecure123")
                .userPrincipalName("jdoe@example.com")
                .build());
    
            var exampleGroup = new Group("exampleGroup", GroupArgs.builder()        
                .displayName("MyGroup")
                .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .securityEnabled(true)
                .members(exampleUser.objectId())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    example = azuread.Group("example",
        display_name="MyGroup",
        owners=[current.object_id],
        security_enabled=True,
        types=["DynamicMembership"],
        dynamic_membership=azuread.GroupDynamicMembershipArgs(
            enabled=True,
            rule="user.department -eq \"Sales\"",
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const example = new azuread.Group("example", {
        displayName: "MyGroup",
        owners: [current.then(current => current.objectId)],
        securityEnabled: true,
        types: ["DynamicMembership"],
        dynamicMembership: {
            enabled: true,
            rule: "user.department -eq \"Sales\"",
        },
    });
    
    resources:
      exampleUser:
        type: azuread:User
        properties:
          displayName: J Doe
          owners:
            - ${current.objectId}
          password: notSecure123
          userPrincipalName: jdoe@example.com
      exampleGroup:
        type: azuread:Group
        properties:
          displayName: MyGroup
          owners:
            - ${current.objectId}
          securityEnabled: true
          members:
            - ${exampleUser.objectId}
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Group with dynamic membership

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.Group;
    import com.pulumi.azuread.GroupArgs;
    import com.pulumi.azuread.inputs.GroupDynamicMembershipArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var example = new Group("example", GroupArgs.builder()        
                .displayName("MyGroup")
                .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                .securityEnabled(true)
                .types("DynamicMembership")
                .dynamicMembership(GroupDynamicMembershipArgs.builder()
                    .enabled(true)
                    .rule("user.department -eq \"Sales\"")
                    .build())
                .build());
    
        }
    }
    

    Coming soon!

    Coming soon!

    resources:
      example:
        type: azuread:Group
        properties:
          displayName: MyGroup
          owners:
            - ${current.objectId}
          securityEnabled: true
          types:
            - DynamicMembership
          dynamicMembership:
            enabled: true
            rule: user.department -eq "Sales"
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Create Group Resource

    new Group(name: string, args: GroupArgs, opts?: CustomResourceOptions);
    @overload
    def Group(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              administrative_unit_ids: Optional[Sequence[str]] = None,
              assignable_to_role: Optional[bool] = None,
              auto_subscribe_new_members: Optional[bool] = None,
              behaviors: Optional[Sequence[str]] = None,
              description: Optional[str] = None,
              display_name: Optional[str] = None,
              dynamic_membership: Optional[GroupDynamicMembershipArgs] = None,
              external_senders_allowed: Optional[bool] = None,
              hide_from_address_lists: Optional[bool] = None,
              hide_from_outlook_clients: Optional[bool] = None,
              mail_enabled: Optional[bool] = None,
              mail_nickname: Optional[str] = None,
              members: Optional[Sequence[str]] = None,
              onpremises_group_type: Optional[str] = None,
              owners: Optional[Sequence[str]] = None,
              prevent_duplicate_names: Optional[bool] = None,
              provisioning_options: Optional[Sequence[str]] = None,
              security_enabled: Optional[bool] = None,
              theme: Optional[str] = None,
              types: Optional[Sequence[str]] = None,
              visibility: Optional[str] = None,
              writeback_enabled: Optional[bool] = None)
    @overload
    def Group(resource_name: str,
              args: GroupArgs,
              opts: Optional[ResourceOptions] = None)
    func NewGroup(ctx *Context, name string, args GroupArgs, opts ...ResourceOption) (*Group, error)
    public Group(string name, GroupArgs args, CustomResourceOptions? opts = null)
    public Group(String name, GroupArgs args)
    public Group(String name, GroupArgs args, CustomResourceOptions options)
    
    type: azuread:Group
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args GroupArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args GroupArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args GroupArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args GroupArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args GroupArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Group Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Group resource accepts the following input properties:

    DisplayName string
    The display name for the group.
    AdministrativeUnitIds List<string>

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    AssignableToRole bool
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    AutoSubscribeNewMembers bool

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    Behaviors List<string>
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    Description string
    The description for the group.
    DynamicMembership Pulumi.AzureAD.Inputs.GroupDynamicMembership
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    ExternalSendersAllowed bool

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromAddressLists bool

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromOutlookClients bool

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    MailEnabled bool
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    MailNickname string
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    Members List<string>

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    OnpremisesGroupType string
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    Owners List<string>
    A set of owners who own this group. Supported object types are Users or Service Principals
    PreventDuplicateNames bool
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    ProvisioningOptions List<string>
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    SecurityEnabled bool
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    Theme string
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    Types List<string>

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    Visibility string

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    WritebackEnabled bool
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    DisplayName string
    The display name for the group.
    AdministrativeUnitIds []string

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    AssignableToRole bool
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    AutoSubscribeNewMembers bool

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    Behaviors []string
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    Description string
    The description for the group.
    DynamicMembership GroupDynamicMembershipArgs
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    ExternalSendersAllowed bool

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromAddressLists bool

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromOutlookClients bool

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    MailEnabled bool
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    MailNickname string
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    Members []string

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    OnpremisesGroupType string
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    Owners []string
    A set of owners who own this group. Supported object types are Users or Service Principals
    PreventDuplicateNames bool
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    ProvisioningOptions []string
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    SecurityEnabled bool
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    Theme string
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    Types []string

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    Visibility string

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    WritebackEnabled bool
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    displayName String
    The display name for the group.
    administrativeUnitIds List<String>

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignableToRole Boolean
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    autoSubscribeNewMembers Boolean

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors List<String>
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description String
    The description for the group.
    dynamicMembership GroupDynamicMembership
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    externalSendersAllowed Boolean

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromAddressLists Boolean

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromOutlookClients Boolean

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mailEnabled Boolean
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mailNickname String
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members List<String>

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    onpremisesGroupType String
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    owners List<String>
    A set of owners who own this group. Supported object types are Users or Service Principals
    preventDuplicateNames Boolean
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioningOptions List<String>
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    securityEnabled Boolean
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme String
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types List<String>

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility String

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writebackEnabled Boolean
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    displayName string
    The display name for the group.
    administrativeUnitIds string[]

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignableToRole boolean
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    autoSubscribeNewMembers boolean

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors string[]
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description string
    The description for the group.
    dynamicMembership GroupDynamicMembership
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    externalSendersAllowed boolean

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromAddressLists boolean

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromOutlookClients boolean

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mailEnabled boolean
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mailNickname string
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members string[]

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    onpremisesGroupType string
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    owners string[]
    A set of owners who own this group. Supported object types are Users or Service Principals
    preventDuplicateNames boolean
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioningOptions string[]
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    securityEnabled boolean
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme string
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types string[]

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility string

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writebackEnabled boolean
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    display_name str
    The display name for the group.
    administrative_unit_ids Sequence[str]

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignable_to_role bool
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    auto_subscribe_new_members bool

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors Sequence[str]
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description str
    The description for the group.
    dynamic_membership GroupDynamicMembershipArgs
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    external_senders_allowed bool

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hide_from_address_lists bool

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hide_from_outlook_clients bool

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mail_enabled bool
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mail_nickname str
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members Sequence[str]

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    onpremises_group_type str
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    owners Sequence[str]
    A set of owners who own this group. Supported object types are Users or Service Principals
    prevent_duplicate_names bool
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioning_options Sequence[str]
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    security_enabled bool
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme str
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types Sequence[str]

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility str

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writeback_enabled bool
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    displayName String
    The display name for the group.
    administrativeUnitIds List<String>

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignableToRole Boolean
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    autoSubscribeNewMembers Boolean

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors List<String>
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description String
    The description for the group.
    dynamicMembership Property Map
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    externalSendersAllowed Boolean

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromAddressLists Boolean

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromOutlookClients Boolean

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mailEnabled Boolean
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mailNickname String
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members List<String>

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    onpremisesGroupType String
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    owners List<String>
    A set of owners who own this group. Supported object types are Users or Service Principals
    preventDuplicateNames Boolean
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioningOptions List<String>
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    securityEnabled Boolean
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme String
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types List<String>

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility String

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writebackEnabled Boolean
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Group resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Mail string
    The SMTP address for the group.
    ObjectId string
    The object ID of the group.
    OnpremisesDomainName string
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesNetbiosName string
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSamAccountName string
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSecurityIdentifier string
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSyncEnabled bool
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    PreferredLanguage string
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    ProxyAddresses List<string>
    List of email addresses for the group that direct to the same group mailbox.
    Id string
    The provider-assigned unique ID for this managed resource.
    Mail string
    The SMTP address for the group.
    ObjectId string
    The object ID of the group.
    OnpremisesDomainName string
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesNetbiosName string
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSamAccountName string
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSecurityIdentifier string
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSyncEnabled bool
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    PreferredLanguage string
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    ProxyAddresses []string
    List of email addresses for the group that direct to the same group mailbox.
    id String
    The provider-assigned unique ID for this managed resource.
    mail String
    The SMTP address for the group.
    objectId String
    The object ID of the group.
    onpremisesDomainName String
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesNetbiosName String
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSamAccountName String
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSecurityIdentifier String
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSyncEnabled Boolean
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    preferredLanguage String
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    proxyAddresses List<String>
    List of email addresses for the group that direct to the same group mailbox.
    id string
    The provider-assigned unique ID for this managed resource.
    mail string
    The SMTP address for the group.
    objectId string
    The object ID of the group.
    onpremisesDomainName string
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesNetbiosName string
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSamAccountName string
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSecurityIdentifier string
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSyncEnabled boolean
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    preferredLanguage string
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    proxyAddresses string[]
    List of email addresses for the group that direct to the same group mailbox.
    id str
    The provider-assigned unique ID for this managed resource.
    mail str
    The SMTP address for the group.
    object_id str
    The object ID of the group.
    onpremises_domain_name str
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_netbios_name str
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_sam_account_name str
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_security_identifier str
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_sync_enabled bool
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    preferred_language str
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    proxy_addresses Sequence[str]
    List of email addresses for the group that direct to the same group mailbox.
    id String
    The provider-assigned unique ID for this managed resource.
    mail String
    The SMTP address for the group.
    objectId String
    The object ID of the group.
    onpremisesDomainName String
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesNetbiosName String
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSamAccountName String
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSecurityIdentifier String
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSyncEnabled Boolean
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    preferredLanguage String
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    proxyAddresses List<String>
    List of email addresses for the group that direct to the same group mailbox.

    Look up Existing Group Resource

    Get an existing Group resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: GroupState, opts?: CustomResourceOptions): Group
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            administrative_unit_ids: Optional[Sequence[str]] = None,
            assignable_to_role: Optional[bool] = None,
            auto_subscribe_new_members: Optional[bool] = None,
            behaviors: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            display_name: Optional[str] = None,
            dynamic_membership: Optional[GroupDynamicMembershipArgs] = None,
            external_senders_allowed: Optional[bool] = None,
            hide_from_address_lists: Optional[bool] = None,
            hide_from_outlook_clients: Optional[bool] = None,
            mail: Optional[str] = None,
            mail_enabled: Optional[bool] = None,
            mail_nickname: Optional[str] = None,
            members: Optional[Sequence[str]] = None,
            object_id: Optional[str] = None,
            onpremises_domain_name: Optional[str] = None,
            onpremises_group_type: Optional[str] = None,
            onpremises_netbios_name: Optional[str] = None,
            onpremises_sam_account_name: Optional[str] = None,
            onpremises_security_identifier: Optional[str] = None,
            onpremises_sync_enabled: Optional[bool] = None,
            owners: Optional[Sequence[str]] = None,
            preferred_language: Optional[str] = None,
            prevent_duplicate_names: Optional[bool] = None,
            provisioning_options: Optional[Sequence[str]] = None,
            proxy_addresses: Optional[Sequence[str]] = None,
            security_enabled: Optional[bool] = None,
            theme: Optional[str] = None,
            types: Optional[Sequence[str]] = None,
            visibility: Optional[str] = None,
            writeback_enabled: Optional[bool] = None) -> Group
    func GetGroup(ctx *Context, name string, id IDInput, state *GroupState, opts ...ResourceOption) (*Group, error)
    public static Group Get(string name, Input<string> id, GroupState? state, CustomResourceOptions? opts = null)
    public static Group get(String name, Output<String> id, GroupState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AdministrativeUnitIds List<string>

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    AssignableToRole bool
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    AutoSubscribeNewMembers bool

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    Behaviors List<string>
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    Description string
    The description for the group.
    DisplayName string
    The display name for the group.
    DynamicMembership Pulumi.AzureAD.Inputs.GroupDynamicMembership
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    ExternalSendersAllowed bool

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromAddressLists bool

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromOutlookClients bool

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    Mail string
    The SMTP address for the group.
    MailEnabled bool
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    MailNickname string
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    Members List<string>

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    ObjectId string
    The object ID of the group.
    OnpremisesDomainName string
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesGroupType string
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    OnpremisesNetbiosName string
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSamAccountName string
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSecurityIdentifier string
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSyncEnabled bool
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    Owners List<string>
    A set of owners who own this group. Supported object types are Users or Service Principals
    PreferredLanguage string
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    PreventDuplicateNames bool
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    ProvisioningOptions List<string>
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    ProxyAddresses List<string>
    List of email addresses for the group that direct to the same group mailbox.
    SecurityEnabled bool
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    Theme string
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    Types List<string>

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    Visibility string

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    WritebackEnabled bool
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    AdministrativeUnitIds []string

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    AssignableToRole bool
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    AutoSubscribeNewMembers bool

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    Behaviors []string
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    Description string
    The description for the group.
    DisplayName string
    The display name for the group.
    DynamicMembership GroupDynamicMembershipArgs
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    ExternalSendersAllowed bool

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromAddressLists bool

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    HideFromOutlookClients bool

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    Mail string
    The SMTP address for the group.
    MailEnabled bool
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    MailNickname string
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    Members []string

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    ObjectId string
    The object ID of the group.
    OnpremisesDomainName string
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesGroupType string
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    OnpremisesNetbiosName string
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSamAccountName string
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSecurityIdentifier string
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    OnpremisesSyncEnabled bool
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    Owners []string
    A set of owners who own this group. Supported object types are Users or Service Principals
    PreferredLanguage string
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    PreventDuplicateNames bool
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    ProvisioningOptions []string
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    ProxyAddresses []string
    List of email addresses for the group that direct to the same group mailbox.
    SecurityEnabled bool
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    Theme string
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    Types []string

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    Visibility string

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    WritebackEnabled bool
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    administrativeUnitIds List<String>

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignableToRole Boolean
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    autoSubscribeNewMembers Boolean

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors List<String>
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description String
    The description for the group.
    displayName String
    The display name for the group.
    dynamicMembership GroupDynamicMembership
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    externalSendersAllowed Boolean

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromAddressLists Boolean

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromOutlookClients Boolean

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mail String
    The SMTP address for the group.
    mailEnabled Boolean
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mailNickname String
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members List<String>

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    objectId String
    The object ID of the group.
    onpremisesDomainName String
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesGroupType String
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    onpremisesNetbiosName String
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSamAccountName String
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSecurityIdentifier String
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSyncEnabled Boolean
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    owners List<String>
    A set of owners who own this group. Supported object types are Users or Service Principals
    preferredLanguage String
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    preventDuplicateNames Boolean
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioningOptions List<String>
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    proxyAddresses List<String>
    List of email addresses for the group that direct to the same group mailbox.
    securityEnabled Boolean
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme String
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types List<String>

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility String

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writebackEnabled Boolean
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    administrativeUnitIds string[]

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignableToRole boolean
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    autoSubscribeNewMembers boolean

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors string[]
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description string
    The description for the group.
    displayName string
    The display name for the group.
    dynamicMembership GroupDynamicMembership
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    externalSendersAllowed boolean

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromAddressLists boolean

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromOutlookClients boolean

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mail string
    The SMTP address for the group.
    mailEnabled boolean
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mailNickname string
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members string[]

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    objectId string
    The object ID of the group.
    onpremisesDomainName string
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesGroupType string
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    onpremisesNetbiosName string
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSamAccountName string
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSecurityIdentifier string
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSyncEnabled boolean
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    owners string[]
    A set of owners who own this group. Supported object types are Users or Service Principals
    preferredLanguage string
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    preventDuplicateNames boolean
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioningOptions string[]
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    proxyAddresses string[]
    List of email addresses for the group that direct to the same group mailbox.
    securityEnabled boolean
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme string
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types string[]

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility string

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writebackEnabled boolean
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    administrative_unit_ids Sequence[str]

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignable_to_role bool
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    auto_subscribe_new_members bool

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors Sequence[str]
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description str
    The description for the group.
    display_name str
    The display name for the group.
    dynamic_membership GroupDynamicMembershipArgs
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    external_senders_allowed bool

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hide_from_address_lists bool

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hide_from_outlook_clients bool

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mail str
    The SMTP address for the group.
    mail_enabled bool
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mail_nickname str
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members Sequence[str]

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    object_id str
    The object ID of the group.
    onpremises_domain_name str
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_group_type str
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    onpremises_netbios_name str
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_sam_account_name str
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_security_identifier str
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremises_sync_enabled bool
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    owners Sequence[str]
    A set of owners who own this group. Supported object types are Users or Service Principals
    preferred_language str
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    prevent_duplicate_names bool
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioning_options Sequence[str]
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    proxy_addresses Sequence[str]
    List of email addresses for the group that direct to the same group mailbox.
    security_enabled bool
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme str
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types Sequence[str]

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility str

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writeback_enabled bool
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
    administrativeUnitIds List<String>

    The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.

    !> Warning Do not use the administrative_unit_ids property at the same time as the azuread.AdministrativeUnitMember resource, for the same group. Doing so will cause a conflict and administrative unit members will be removed.

    assignableToRole Boolean
    Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to false. Can only be set to true for security-enabled groups. Changing this forces a new resource to be created.
    autoSubscribeNewMembers Boolean

    Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.

    Known Permissions Issue The auto_subscribe_new_members property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    behaviors List<String>
    A set of behaviors for a Microsoft 365 group. Possible values are AllowOnlyMembersToPost, HideGroupInOutlook, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers and WelcomeEmailDisabled. See official documentation for more details. Changing this forces a new resource to be created.
    description String
    The description for the group.
    displayName String
    The display name for the group.
    dynamicMembership Property Map
    A dynamic_membership block as documented below. Required when types contains DynamicMembership. Cannot be used with the members property.
    externalSendersAllowed Boolean

    Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.

    Known Permissions Issue The external_senders_allowed property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromAddressLists Boolean

    Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_address_lists property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    hideFromOutlookClients Boolean

    Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.

    Known Permissions Issue The hide_from_outlook_clients property can only be set when authenticating as a Member user of the tenant and not when authenticating as a Guest user or as a service principal. Please see the Microsoft Graph Known Issues documentation.

    mail String
    The SMTP address for the group.
    mailEnabled Boolean
    Whether the group is a mail enabled, with a shared group mailbox. At least one of mail_enabled or security_enabled must be specified. Only Microsoft 365 groups can be mail enabled (see the types property).
    mailNickname String
    The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
    members List<String>

    A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the dynamic_membership block.

    !> Warning Do not use the members property at the same time as the azuread.GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.

    objectId String
    The object ID of the group.
    onpremisesDomainName String
    The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesGroupType String
    The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are UniversalDistributionGroup, UniversalMailEnabledSecurityGroup, or UniversalSecurityGroup.
    onpremisesNetbiosName String
    The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSamAccountName String
    The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSecurityIdentifier String
    The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
    onpremisesSyncEnabled Boolean
    Whether this group is synchronised from an on-premises directory (true), no longer synchronised (false), or has never been synchronised (null).
    owners List<String>
    A set of owners who own this group. Supported object types are Users or Service Principals
    preferredLanguage String
    The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
    preventDuplicateNames Boolean
    If true, will return an error if an existing group is found with the same name. Defaults to false.
    provisioningOptions List<String>
    A set of provisioning options for a Microsoft 365 group. The only supported value is Team. See official documentation for details. Changing this forces a new resource to be created.
    proxyAddresses List<String>
    List of email addresses for the group that direct to the same group mailbox.
    securityEnabled Boolean
    Whether the group is a security group for controlling access to in-app resources. At least one of security_enabled or mail_enabled must be specified. A Microsoft 365 group can be security enabled and mail enabled (see the types property).
    theme String
    The colour theme for a Microsoft 365 group. Possible values are Blue, Green, Orange, Pink, Purple, Red or Teal. By default, no theme is set.
    types List<String>

    A set of group types to configure for the group. Supported values are DynamicMembership, which denotes a group with dynamic membership, and Unified, which specifies a Microsoft 365 group. Required when mail_enabled is true. Changing this forces a new resource to be created.

    Supported Group Types At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.

    visibility String

    The group join policy and group content visibility. Possible values are Private, Public, or Hiddenmembership. Only Microsoft 365 groups can have Hiddenmembership visibility and this value must be set when the group is created. By default, security groups will receive Private visibility and Microsoft 365 groups will receive Public visibility.

    Group Name Uniqueness Group names are not unique within Azure Active Directory. Use the prevent_duplicate_names argument to check for existing groups if you want to avoid name collisions.

    writebackEnabled Boolean
    Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.

    Supporting Types

    GroupDynamicMembership, GroupDynamicMembershipArgs

    Enabled bool
    Whether rule processing is "On" (true) or "Paused" (false).
    Rule string

    The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

    Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

    Enabled bool
    Whether rule processing is "On" (true) or "Paused" (false).
    Rule string

    The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

    Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

    enabled Boolean
    Whether rule processing is "On" (true) or "Paused" (false).
    rule String

    The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

    Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

    enabled boolean
    Whether rule processing is "On" (true) or "Paused" (false).
    rule string

    The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

    Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

    enabled bool
    Whether rule processing is "On" (true) or "Paused" (false).
    rule str

    The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

    Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

    enabled Boolean
    Whether rule processing is "On" (true) or "Paused" (false).
    rule String

    The rule that determines membership of this group. For more information, see official documentation on membership rules syntax.

    Dynamic Group Memberships Remember to include DynamicMembership in the set of types for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.

    Import

    Groups can be imported using their object ID, e.g.

    $ pulumi import azuread:index/group:Group my_group 00000000-0000-0000-0000-000000000000
    

    Package Details

    Repository
    Azure Active Directory (Azure AD) pulumi/pulumi-azuread
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azuread Terraform Provider.
    azuread logo
    Azure Active Directory (Azure AD) v5.47.1 published on Friday, Feb 9, 2024 by Pulumi