Managed identity role assignment showing "assigned to" an Entra group

Alex Blanchard 0 Reputation points
2024-11-13T20:04:05.2833333+00:00

I am recreating some existing Azure resources with Terraform. Among the resources is a user-assigned managed identity. When I look at the role assignments for that identity in the Azure web console, I see that it is showing "assigned to" as an Entra group.

I need to recreate this role assignment with Terraform, but absolutely nothing I try is able to create a matching role assignment.

I've tried setting the scope to be the managed identity.

I've tried setting the principal ID to be the Entra group (but then it doesn't show under the managed identity).

How do I recreate a matching role assignment with Terraform? The "assigned to" field in the managed identity's role assignments list also doesn't make sense to me at face value. Aren't all of the roles under the managed identity's Role Assignments assigned to the managed identity?


1 answer

  1. VenkateshDodda-MSFT 22,081 Reputation points Microsoft Employee
    2024-11-15T10:35:56.73+00:00

    @Alex Blanchard Thanks for sharing more details.

    Based on the above discussion, I understand that when you look at the Azure role assignment blade of user assigned identity in portal UI as shown below. You can see the RBAC role (App Configuration Data Reader) is assigned to an Entra group. which you want to achieve this using terraform.

    User's image

    You are seeing the Entra group name in "Assigned to" since that particular managed identity is a member of that Entra group, and you can identify the scope (the resource to which this permission is assigned) using the Resource column in the above image.

    If my above understanding is correct, you can use the below Terraform script to create a user-assigned identity, add it to the Entra group, and assign the App Configuration Data Reader RBAC role to the Entra group with scope at resource group level.

    
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "=3.0.0"
        }
        # The azuread provider is used below (data "azuread_group", resource
        # "azuread_group_member"), so it must be declared here as well.
        azuread = {
          source = "hashicorp/azuread"
        }
      }
    }
    
    provider "azuread" {}
    provider "azurerm" {
      features {}
    }
    
    # Existing resource group that will be the scope of the role assignment.
    data "azurerm_resource_group" "rggrp" {
      name = "{{Existing ResourceGroup Name}}"
    }
    
    # Create the user-assigned identity.
    resource "azurerm_user_assigned_identity" "userMI" {
      name                = "{{UserAssigned Identity Name}}"
      location            = data.azurerm_resource_group.rggrp.location
      resource_group_name = data.azurerm_resource_group.rggrp.name
    }
    
    # Fetch the specific (existing) Entra security group.
    data "azuread_group" "existinggroup" {
      display_name     = "{{Existing Entra Group Name}}"
      security_enabled = true
    }
    
    # Add the user-assigned identity (its service principal) to the Entra group.
    resource "azuread_group_member" "adduser_to_group" {
      group_object_id  = data.azuread_group.existinggroup.object_id
      member_object_id = azurerm_user_assigned_identity.userMI.principal_id
    }
    
    # Assign App Configuration Data Reader to the Entra group, scoped to the
    # resource group. The identity inherits the role through its group
    # membership, which is why the portal shows the group under "Assigned to".
    resource "azurerm_role_assignment" "addingroleassignment" {
      scope                = data.azurerm_resource_group.rggrp.id
      principal_id         = azuread_group_member.adduser_to_group.group_object_id
      role_definition_name = "App Configuration Data Reader"
    }
    

    Hope this helps, let me know if you have any further questions on this.
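The confusion in the question comes from the portal resolving group membership: the identity's "Azure role assignments" blade lists both assignments made directly to the identity and assignments made to groups it belongs to (transitively), and the "Assigned to" column names the principal that actually holds the assignment. The script below, added here as an illustration and not part of the original answer, reproduces that resolution over constructed sample data whose field names mirror the JSON printed by `az role assignment list`. All object ids, scopes and group names in it are made up for the example; the same listing for a real identity is obtained with `az role assignment list --assignee <principal-id> --all --include-groups`.

```python
"""Resolve which RBAC role assignments a principal holds and through which
identity (itself, or a group it is a transitive member of).

All data below is constructed for the example; the dictionary shape mirrors
`az role assignment list` output (principalId, principalType,
roleDefinitionName, scope)."""
from typing import Dict, Iterable, List, Set

# Constructed sample: object id -> set of group object ids it is a direct member of.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "mi-0001": {"grp-config-readers"},        # the user-assigned managed identity
    "grp-config-readers": {"grp-platform"},   # nested group membership
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample assignments across the tenant.
ROLE_ASSIGNMENTS: List[dict] = [
    {"principalId": "grp-config-readers", "principalType": "Group",
     "roleDefinitionName": "App Configuration Data Reader",
     "scope": SUB + "/resourceGroups/rg-demo"},
    {"principalId": "mi-0001", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-demo"},
    {"principalId": "grp-platform", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": SUB},
    {"principalId": "user-9999", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/rg-other"},
]


def transitive_groups(principal_id: str, memberships: Dict[str, Set[str]]) -> Set[str]:
    """Every group the principal belongs to, following nested groups.
    A visited set guards against membership cycles."""
    seen: Set[str] = set()
    stack = list(memberships.get(principal_id, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(memberships.get(group, ()))
    return seen


def effective_assignments(principal_id: str, assignments: Iterable[dict],
                          memberships: Dict[str, Set[str]]) -> List[dict]:
    """Assignments that apply to principal_id, each tagged with the principal
    that holds it (the portal's 'Assigned to') and whether it is direct."""
    holders = {principal_id} | transitive_groups(principal_id, memberships)
    rows = []
    for a in assignments:
        if a["principalId"] in holders:
            rows.append({
                "role": a["roleDefinitionName"],
                "scope": a["scope"],
                "assigned_to": a["principalId"],
                "direct": a["principalId"] == principal_id,
            })
    return sorted(rows, key=lambda r: r["role"])


def inherited_only(principal_id: str, assignments: Iterable[dict],
                   memberships: Dict[str, Set[str]]) -> List[dict]:
    """Roles the principal holds solely through group membership. In Terraform
    these must be modelled as an assignment to the group, not to the identity."""
    return [r for r in effective_assignments(principal_id, assignments, memberships)
            if not r["direct"]]


if __name__ == "__main__":
    for row in effective_assignments("mi-0001", ROLE_ASSIGNMENTS, GROUP_MEMBERS):
        via = "direct" if row["direct"] else "via group " + row["assigned_to"]
        print(f'{row["role"]:32} {row["scope"]:70} {via}')
```

For the identity `mi-0001` the script reports three roles: Reader held directly, App Configuration Data Reader via `grp-config-readers`, and Contributor via the nested `grp-platform`. Only the direct one corresponds to an `azurerm_role_assignment` whose `principal_id` is the identity; the other two are reproduced in Terraform exactly as the answer shows, by assigning the role to the group and adding the identity as a member.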
