
Microsoft Azure


An Azure Active Directory (Azure AD, now Microsoft Entra ID) user is a user account stored in the Azure AD directory. Azure AD users can be added to groups, assigned roles and permissions, and used to authenticate and authorize access to Azure resources and applications. Azure AD supports several authentication methods for users, including username and password, multi-factor authentication (MFA), and smart-card (certificate-based) authentication. It also provides Conditional Access policies, which let administrators grant or block access based on the user's location, device state, and other signals, helping to protect the organization's resources.
Terraform Name

azuread_user
The following arguments are supported:

  • account_enabled - (Optional) Whether or not the account should be enabled.
  • age_group - (Optional) The age group of the user. Supported values are Adult, NotAdult and Minor. Omit this property or specify a blank string to unset.
  • business_phones - (Optional) A list of telephone numbers for the user. Only one number can be set for this property. Read-only for users synced with Azure AD Connect.
  • city - (Optional) The city in which the user is located.
  • company_name - (Optional) The name of the company with which the user is associated. This property is useful for recording the organisation an external (guest) user comes from.
  • consent_provided_for_minor - (Optional) Whether consent has been obtained for minors. Supported values are Granted, Denied and NotRequired. Omit this property or specify a blank string to unset.
  • cost_center - (Optional) The cost center associated with the user.
  • country - (Optional) The country/region in which the user is located, e.g. US or UK.
  • department - (Optional) The name for the department in which the user works.
  • disable_password_expiration - (Optional) Whether the user's password is exempt from expiring. Defaults to false. Setting this to true exempts the account from the tenant's password-expiration policy, so treat it as a per-user policy exception, not a convenience.
  • disable_strong_password - (Optional) Whether the user may set passwords weaker than the tenant's default password policy allows. Defaults to false. Leave it at false unless there is a documented reason for the exception.
  • display_name - (Required) The name to display in the address book for the user.
  • division - (Optional) The name of the division in which the user works.
  • employee_id - (Optional) The employee identifier assigned to the user by the organisation.
  • employee_type - (Optional) Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor.
  • fax_number - (Optional) The fax number of the user.
  • force_password_change - (Optional) Whether the user is forced to change the password during the next sign-in. Only takes effect when also changing the password. Defaults to false.
  • given_name - (Optional) The given name (first name) of the user.
  • job_title - (Optional) The user’s job title.
  • mail - (Optional) The SMTP address for the user. This property cannot be unset once specified.
  • mail_nickname - (Optional) The mail alias for the user. Defaults to the user name part of the user principal name (UPN).
  • manager_id - (Optional) The object ID of the user's manager.
  • mobile_phone - (Optional) The primary cellular telephone number for the user.
  • office_location - (Optional) The office location in the user's place of business.
  • onpremises_immutable_id - (Optional) The value used to associate an on-premises Active Directory user account with its Azure AD user object. This must be specified if you are using a federated domain for the user's user_principal_name property when creating a new user account.
  • other_mails - (Optional) A list of additional email addresses for the user.
  • password - (Optional) The password for the user. The password must satisfy the minimum requirements of the password policy. The maximum length is 256 characters. This property is required when creating a new user. Like every other attribute, the value is written to the Terraform state in clear text, so the state backend must be protected (encryption at rest and restricted access) and a password literal should never be committed to source control.

Passwords and importing users

Passwords can be changed but not cleared. Removing the password property from an existing user resource, or setting it to a blank string, does not remove the password. When importing a user, Terraform does not reset the password unless the value is subsequently changed in your configuration. Because force_password_change only takes effect together with a password change, set it to true on the same apply that sets the initial password; once the user has rotated the password themselves, add password to lifecycle ignore_changes so a later apply does not reset it to the value in your configuration.

  • postal_code - (Optional) The postal code for the user's postal address. The postal code is specific to the user's country/region. In the United States of America, this attribute contains the ZIP code.
  • preferred_language - (Optional) The user's preferred language, in ISO 639-1 notation.
  • show_in_address_list - (Optional) Whether or not the Outlook global address list should include this user. Defaults to true.
  • state - (Optional) The state or province in the user's address.
  • street_address - (Optional) The street address of the user's place of business.
  • surname - (Optional) The user's surname (family name or last name).
  • usage_location - (Optional) The usage location of the user. Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. The usage location is a two letter country code (ISO standard 3166). Examples include: NO, JP, and GB. Cannot be reset to null once set.
  • user_principal_name - (Required) The user principal name (UPN) of the user.

via Terraform:
The following HCL manages a user within Azure Active Directory:

resource "azuread_user" "example" {
  user_principal_name = "jdoe@example.com" # the UPN was elided on the original page; example.com stands in for a domain verified in your tenant
  display_name        = "J. Doe"
  mail_nickname       = "jdoe"
  password            = "SecretP@sswd99!" # a literal here ends up in source control and in state; prefer a sensitive variable
}
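The configuration below is an added example, not code from the original page or from the azuread provider's documentation. It creates the same user with the initial password supplied through a sensitive variable rather than a literal, sets force_password_change on the same apply that sets the password (the only point at which it has any effect), keeps both policy-weakening flags at their secure defaults, and tells Terraform to stop managing the password once the user has rotated it. The variable name, the given/surname values and the example.com domain are assumptions; every argument used is one listed above.

```hcl
# Added example (not from the original page or the azuread provider docs).
# The variable name, names and UPN domain are assumptions.

variable "initial_password" {
  type        = string
  description = "One-time initial password; generate it out of band and hand it over securely"
  sensitive   = true # redacted from plan/apply output, but still stored in clear text in state
}

resource "azuread_user" "jdoe" {
  user_principal_name = "jdoe@example.com" # placeholder; must be a domain verified in the tenant
  display_name        = "J. Doe"
  mail_nickname       = "jdoe"
  given_name          = "Jane"
  surname             = "Doe"
  usage_location      = "GB" # required before any license can be assigned; cannot be unset later

  account_enabled       = true
  password              = var.initial_password
  force_password_change = true # only applies together with a password change, so set it here, at creation

  # Keep the tenant password policy in force for this user; both default to false already,
  # stating them makes a future change show up in review.
  disable_strong_password     = false
  disable_password_expiration = false

  lifecycle {
    # After the user has changed the password, a later apply must not reset it
    # to var.initial_password. Passwords cannot be cleared, only changed.
    ignore_changes = [password]
  }
}
```

Pass the variable with TF_VAR_initial_password or a -var-file kept out of version control, and rotate it immediately after the user's first sign-in; because the value persists in state even when the variable is sensitive, the state backend needs the same protection you would give the password itself.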

via CLI:

az ad user create --display-name
                  --password
                  --user-principal-name
                  [--force-change-password-next-sign-in {false, true}]
                  [--immutable-id]
                  [--mail-nickname]

Example (the UPN value was elided on the original page):

az ad user create --display-name myuser --password password --user-principal-name <user-principal-name>

A password passed on the command line is recorded in shell history and is visible to other processes on the host while the command runs. Generate a strong one-time password, supply it from an environment variable or a secret store rather than typing it, and pair it with --force-change-password-next-sign-in true so the value only ever serves as a bootstrap credential.
