IaC Bazaar
Azure · Live-tested

Entra ID Workload Identity Baseline

App registrations, service principals, groups and federated credentials (OIDC for GitHub/Terraform) — the identity plumbing every Azure org rebuilds by hand.

terraform · Azure · #azure
azure-entra-id-baseline · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-29

Documentation

azure-entra-id-baseline

The Entra ID workload-identity plumbing every Azure org rebuilds by hand: app registrations, their service principals, keyless federated OIDC credentials (GitHub Actions, Terraform Cloud, Kubernetes), security groups, and Azure RBAC role assignments — all from one composable module call. Works with Terraform and OpenTofu (>= 1.6), hashicorp/azuread >= 3.0, < 4.0 plus hashicorp/azurerm >= 4.0, < 5.0 (for the resource-plane role grants).

Status: static-validated, live-test pending. Validated with tofu fmt, tofu validate, and tflint against the hashicorp/azuread and hashicorp/azurerm providers. Not yet applied against a live tenant — creating app registrations needs Microsoft Graph admin consent (Application.ReadWrite.All, Group.ReadWrite.All) in a throwaway tenant, and no such sandbox exists yet, so it ships under live-test quarantine.

Design & secure defaults

  • No secrets, ever. The module never creates a client secret or password. External workloads federate via OIDC (azuread_application_federated_identity_credential) and present short-lived tokens — nothing exportable to leak, rotate, or commit by accident.
  • Deny-by-default app access. Service principals are created with app_role_assignment_required = true: Entra issues tokens only to principals explicitly assigned to the app. Opt out per-app if you really mean to.
  • Least-privilege Graph permissions. No required_resource_access unless you declare it, and each declared entry is validated as either Role (application permission) or Scope (delegated permission).
  • Implicit grant off. Web clients use auth-code + PKCE; legacy implicit token/ID-token issuance stays disabled.
  • Owned by construction. Every app, service principal, and group requires at least one owner — ownerless directory objects are an operational hazard (no one can manage or clean them up). The deploying principal is a sane default.
  • Security groups only. Groups are security_enabled = true, mail_enabled = false — for RBAC/assignment, not mailboxes.
  • Duplicate-name guard. prevent_duplicate_names = true stops a typo from silently adopting a stranger's existing registration.
  • No SP replication race. Role assignments to module-created service principals set skip_service_principal_aad_check = true so a fresh apply does not fail while the SP propagates across Entra.
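One CI workload wired with the defaults listed above, as an added Terraform illustration that is not the module's or IaC Bazaar's own code. It assumes the azuread and azurerm providers are already configured; the display names, the "Reader" role and the example-org/example-repo slug are placeholders.

```hcl
data "azuread_client_config" "current" {}
data "azurerm_subscription" "current" {}

# App registration: no secret resource; legacy implicit grant off; name guard.
resource "azuread_application" "ci" {
  display_name            = "ci-deployer"
  owners                  = [data.azuread_client_config.current.object_id]
  prevent_duplicate_names = true
  sign_in_audience        = "AzureADMyOrg"
  web {
    implicit_grant {
      access_token_issuance_enabled = false
      id_token_issuance_enabled     = false
    }
  }
}

# Deny-by-default: tokens only for principals explicitly assigned to the app.
resource "azuread_service_principal" "ci" {
  client_id                    = azuread_application.ci.client_id
  app_role_assignment_required = true
  owners                       = [data.azuread_client_config.current.object_id]
}

# Keyless OIDC: GitHub Actions on main swaps its ID token for an Entra token.
resource "azuread_application_federated_identity_credential" "github_main" {
  application_id = azuread_application.ci.id
  display_name   = "github-main"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:example-org/example-repo:ref:refs/heads/main"
}

# Security group for RBAC/assignment, not a mailbox; owned by construction.
resource "azuread_group" "deployers" {
  display_name            = "ci-deployers"
  security_enabled        = true
  mail_enabled            = false
  prevent_duplicate_names = true
  owners                  = [data.azuread_client_config.current.object_id]
  members                 = [azuread_service_principal.ci.object_id]
}

# RBAC grant on the fresh SP; skip the directory check that races replication.
resource "azurerm_role_assignment" "ci_reader" {
  scope                            = data.azurerm_subscription.current.id
  role_definition_name             = "Reader"
  principal_id                     = azuread_service_principal.ci.object_id
  skip_service_principal_aad_check = true
}
```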

Requirements

Requirement             Version
Terraform / OpenTofu    >= 1.6
hashicorp/azuread       >= 3.0, < 4.0
hashicorp/azurerm       >= 4.0, < 5.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending a throwaway-tenant sandbox — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
