Terraform-based Infrastructure-as-Code for Microsoft Entra ID identity objects.
This project demonstrates declarative provisioning of Entra ID resources using the hashicorp/azuread Terraform provider. Resources include users, security groups, conditional access policies, named locations, and application registrations.
```hcl
module "ca_baseline" {
  source                = "./modules/ca-baseline"
  blocked_country_codes = ["KP", "IR", "RU", "BY", "CN"]
}
```
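As an added example (not the project's own module source), this is what a `./modules/ca-baseline` module consuming `blocked_country_codes` can look like with the azuread provider: one country-based named location and the three baseline policies, all created disabled. The `break_glass_object_ids` and `policy_state` variables and the display names are assumptions; the Global Administrator role template ID is Microsoft's fixed value.

```hcl
# modules/ca-baseline/main.tf (added example; everything except
# blocked_country_codes is an assumption, not the project's own code)

variable "blocked_country_codes" {
  description = "ISO 3166-1 alpha-2 codes whose sign-ins the geo-block policy denies"
  type        = list(string)
}

# Assumption: emergency-access accounts, excluded from every blocking policy so a
# mistaken policy cannot lock the tenant out.
variable "break_glass_object_ids" {
  type    = list(string)
  default = []
}

# Assumption: one switch for all three policies. Promote disabled ->
# enabledForReportingButNotEnforced -> enabled after reviewing sign-in logs.
variable "policy_state" {
  type    = string
  default = "disabled"
}

locals {
  # Role template ID for Global Administrator: identical in every tenant.
  global_administrator_role_id = "62e90394-69f5-4237-9190-012177145e10"
}

resource "azuread_named_location" "blocked_countries" {
  display_name = "CA baseline - blocked countries"
  country {
    countries_and_regions = var.blocked_country_codes
    # false keeps sign-ins from unresolvable IPs out of the block; set true only
    # after confirming no legitimate traffic resolves as unknown.
    include_unknown_countries_and_regions = false
  }
}

resource "azuread_conditional_access_policy" "block_legacy_auth" {
  display_name = "CA baseline - block legacy authentication"
  state        = var.policy_state
  conditions {
    # Legacy protocols cannot complete MFA, so they are denied outright.
    client_app_types = ["exchangeActiveSync", "other"]
    applications {
      included_applications = ["All"]
    }
    users {
      included_users = ["All"]
      excluded_users = var.break_glass_object_ids
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}

resource "azuread_conditional_access_policy" "admin_mfa" {
  display_name = "CA baseline - require MFA for Global Administrators"
  state        = var.policy_state
  conditions {
    client_app_types = ["all"]
    applications {
      included_applications = ["All"]
    }
    users {
      # Targets the role by template ID: members change, the ID does not.
      included_roles = [local.global_administrator_role_id]
      excluded_users = var.break_glass_object_ids
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

resource "azuread_conditional_access_policy" "geo_block" {
  display_name = "CA baseline - block sign-ins from listed countries"
  state        = var.policy_state
  conditions {
    client_app_types = ["all"]
    applications {
      included_applications = ["All"]
    }
    users {
      included_users = ["All"]
      excluded_users = var.break_glass_object_ids
    }
    locations {
      # Cross-resource dependency: the policy references the named location's object ID.
      included_locations = [azuread_named_location.blocked_countries.id]
    }
  }
  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
```

Promote by changing `policy_state` rather than editing each policy, and check the sign-in logs in report-only mode before setting `enabled`; a blocking policy with no break-glass exclusion is the classic way to lock yourself out of a tenant.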
- Users with job titles and department metadata
- Security groups with declarative membership
- Conditional Access policies (legacy auth block, admin MFA, geo-blocking)
- Named locations (country-based)
- Application registrations with Microsoft Graph API permissions
- Service principals
- Cross-resource dependencies (groups referencing users, CA policies referencing named locations)
- Built-in directory role targeting via fixed role template IDs (these GUIDs are identical across tenants, unlike the per-tenant object IDs of activated roles)
- App registration + service principal pairing
- Conservative defaults (CA policies are created in the `disabled` state so they can be reviewed, moved to report-only, and then enabled deliberately rather than enforced on first apply)
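The app registration, service principal and Microsoft Graph permission items above, as an added example that is not the project's own code: the registration declares the permission, the service principal is the identity that actually receives tokens, and the app role assignment is the admin consent that makes the permission effective. The display name and the choice of `User.Read.All` are assumptions.

```hcl
# Added example (not the project's own code): app registration paired with a
# service principal, requesting one Graph application permission and granting
# admin consent for it in code.

data "azuread_application_published_app_ids" "well_known" {}

# Microsoft Graph's service principal in this tenant; exposes permission IDs by name.
data "azuread_service_principal" "msgraph" {
  client_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]
}

resource "azuread_application" "directory_reader" {
  display_name = "lab-directory-reader" # assumption

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.well_known.result["MicrosoftGraph"]

    # Application permission (type = "Role"): usable without a signed-in user.
    # Least privilege: read-only and scoped to users rather than Directory.Read.All.
    resource_access {
      id   = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
      type = "Role"
    }
  }
}

# The registration alone cannot sign in; the service principal is the tenant-local
# identity that receives tokens and role assignments.
resource "azuread_service_principal" "directory_reader" {
  client_id = azuread_application.directory_reader.client_id
}

# required_resource_access only records the request. This assignment is the
# tenant-wide admin consent; without it the permission never appears in tokens.
resource "azuread_app_role_assignment" "directory_reader_user_read_all" {
  app_role_id         = data.azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
  principal_object_id = azuread_service_principal.directory_reader.object_id
  resource_object_id  = data.azuread_service_principal.msgraph.object_id
}
```

The `azuread_app_role_assignment` step is the one to review carefully: it is the consent grant, so the identity running `terraform apply` needs tenant-wide consent rights, and every permission listed there is live the moment apply finishes.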
Authentication uses the Azure CLI: run `az login` first and the provider picks up the cached credentials automatically. The signed-in account needs directory roles sufficient to create these objects; Conditional Access policies in particular require at least the Conditional Access Administrator role.
```shell
terraform init
terraform plan
terraform apply
```
- security-learning-artifacts — Multi-platform IAM labs across Entra ID, AWS, Okta, and hybrid identity. Provides the conceptual foundation this IaC implementation builds on.
- entra-attack-path-visualizer — Python tooling for detecting privilege escalation in Entra ID.
- Terraform ≥ 1.5.0
- hashicorp/azuread ~> 2.50
- Tenant: lab environment (Microsoft 365 E5 trial)
Darius Frank — Information Security Specialist focused on identity, access management, and identity governance.