Entra ID Group constantly gets removed/added to an Administrative Unit each time Terraform runs

[matthorgan]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureAD Provider) Version

• terraform v1.7.5
• azuread v2.47.0
• azurerm v3.96.0

Affected Resource(s)

• azuread_administrative_unit_member

Terraform Configuration Files

resource "azuread_administrative_unit" "example" {
  display_name = "Example-AU"
}

resource "azuread_group" "example" {
  display_name            = "Example Users"
  security_enabled        = true
}

resource "azuread_administrative_unit_member" "example" {
  administrative_unit_object_id = azuread_administrative_unit.example.id
  member_object_id              = azuread_group.example.id
}

Debug Output

https://gist.github.com/matthorgan/a09b9aed9c0b1ac145c58f362791544a

Expected Behavior

Entra ID group gets added to the Administrative Unit and on subsequent runs, no changes are expected.

Actual Behavior

The Entra ID group gets added to the Administrative Unit, but on the next run, it gets removed and this add/remove behaviour continues on each run.

Steps to Reproduce

1. terraform apply

Important Factoids

This issue does not happen if you add a User to the Administrative Unit using azuread_administrative_unit_member. It seems specific to the azuread_group resource.

In the debug logs it looks like it's using the beta API. Could this be an issue? It looks like AUs have functionality in the v1 of the api

I've noticed that the state refresh for the azuread_administrative_unit_member.example resource can take upwards of a minute.

References

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/administrative_unit_member

[nbaju1]

Do you experience the same issue if you reference the object IDs directly? I.e.

resource "azuread_administrative_unit_member" "example" {
  administrative_unit_object_id = azuread_administrative_unit.example.object_id
  member_object_id              = azuread_group.example.object_id
}

[matthorgan]

Do you experience the same issue if you reference the object IDs directly? I.e.

resource "azuread_administrative_unit_member" "example" {
  administrative_unit_object_id = azuread_administrative_unit.example.object_id
  member_object_id              = azuread_group.example.object_id
}

it's the same issue using azuread_group.example.object_id and when you statically reference the object instead of referencing it from the azuread_group resource.

[manicminer]

Hi @matthorgan, thanks for opening this issue. This is actually expected behavior due to the azuread_administrative_unit_member resource and the administrative_unit_ids property of the azuread_group resource essentially managing the same thing. When using the azuread_administrative_unit_member resource to manage a group, you will need to use the ignore_changes lifecycle meta argument to suppress the resulting diff that occurs with the azuread_group resource. For example:

resource "azuread_administrative_unit" "example" {
  display_name = "Example-AU"
}

resource "azuread_group" "example" {
  display_name            = "Example Users"
  security_enabled        = true

  lifecycle {
    ignore_changes = [administrative_unit_ids]
  }
}

resource "azuread_administrative_unit_member" "example" {
  administrative_unit_object_id = azuread_administrative_unit.example.id
  member_object_id              = azuread_group.example.id
}

However, I noticed that we don't call this out specifically in the documentation for either resource, so I will open a PR to fix that.