Update Terraform azuread to v3

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
azuread (source)	required_provider	major	2.33.0 → 3.7.0

---

Release Notes

hashicorp/terraform-provider-azuread (azuread)

v3.7.0

Compare Source

FEATURES:

• New Resource: azuread_flexible_federated_identity_credential (#​1788)

EHANCEMENTS:

• Dependencies: go-azure-sdk updated to v0.20251029.1173336 (#​1787)
• Dependencies: Go updated to v1.25.3 (#​1792)

BUG FIXES:

• azuread_application - allow retry on 409 Conflict during creation (#​1768)
• azuread_conditional_access_policy - add support for the authentication_flow_transfer_methods property (#​1796)
• azuread_group_role_management_policy - fix update for activation_rule.required_conditional_access_authentication_context (#​1783)

v3.6.0

Compare Source

ENHANCEMENTS:

• data.azuread_named_location - add support for the object_id property (#​1703)
• azuread_named_location - add support for the object_id property (#​1703)

BUG FIXES:

• data.azuread_users - queries that return multiple users with the same mail nickname no longer causes an error (#​1762)

v3.5.0

Compare Source

ENHANCEMENTS:

• azuread_conditional_access_policy - add support for the client_applications.filter property (#​1744)

BUG FIXES:

• azuread_conditional_access_policy - fix support for everyTime restrictions in session_controls request payload (#​1719)

v3.4.0

Compare Source

• dependencies: update hashicorp/hc-install to v0.9.2 (#​1696)
• dependencies: update hashicorp/terraform-exec to v0.23.0 (#​1696)
• dependencies: update hashicorp/terraform-registry-address to v0.2.5 (#​1696)
• dependencies: update x/crypto to v0.38.0 (#​1696)
• dependencies: update x/net to v0.40.0 (#​1696)
• dependencies: update x/oauth2 to v0.30.0 (#​1702)
• dependencies: update x/sync to v0.14.0 (#​1696)
• dependencies: update x/sys to v0.33.0 (#​1696)
• dependencies: update x/text to v0.25.0 (#​1696)
• azuread_application - add support for brk-multihub scheme for redirect_uris (#​1663)
• azuread_application_redirect_uris - add support for brk-multihub scheme for redirect_uris (#​1663)
• azuread_conditional_access_policy - populate members only when membership_kind is set to enumerated (#​1601)

v3.3.0

Compare Source

ENHANCEMENTS:

• dependencies: update Go to 1.24.1 (#​1675)

BUG FIXES:

• azuread_application_pre_authorized - fix unexpected removal of unmanaged pre-authorized apps on delete (#​1659)
• azuread_directory_role - fix for changes in Graph API response for ListRolesResponse in create (#​1575)
• azuread_directory_role_eligibility_schedule_request - fix Read for time based service automatic deletion of request resource (#​1682)

v3.2.0

Compare Source

FEATURES:

• New Resource: azuread_group_without_members (#​1623)

ENHANCEMENTS:

• dependencies: update go-azure-sdk to v0.20250131.1134653 (#​1635)

BUG FIXES:

• azuread_access_package_assignment_policy - fix crash in Read (#​1664)
• azuread_access_package_assignment_policy - fix use of alternative_approver in approval_settings (#​1567)
• azuread_group_role_management_policy - fix endless drift due to approval_status computed (#​1666)

v3.1.0

Compare Source

ENHANCEMENTS:

• dependencies - update golang.org/x/crypto to 0.31.0 (#​1585)
• data.azuread_named_location - add support for country_lookup_method (#​1589)
• azuread_conditional_access_policy - add support for the insider_risk_levels property (#​1597)
• azuread_named_location - add support for country_lookup_method (#​1589)

BUG FIXES:

• azuread_access_package_resource_catalog_association - allow origin IDs that contain / (#​1592)
• azuread_application - the password block can now correctly be removed (#​1430)
• azuread_conditional_access_policy - fix potential panic in expanding conditions (#​1619)
• azuread_group - prevent creation retry when caller hasn't been specified as an owner (#​1593)
• azuread_user - add support for employee_hire_date (#​1437)

v3.0.2

Compare Source

BUG FIXES:

• azuread_group - Fix crash and memory leak (#​1518)

v3.0.1

Compare Source

BUG FIXES:

• data.azuread_group - fix ID parsing bugs and some crashes (#​1499)
• azuread_conditional_access_policy - fix a parsing bug for authentication_strength_policy_id (#​1499)
• azuread_service_principal_certificate - fix a parsing bug for service_principal_id (#​1499)
• azuread_service_principal_claims_mapping_policy_assignment - fix a parsing bug for service_principal_id (#​1499)
• azuread_service_principal_password - fix a parsing bug for service_principal_id (#​1499)
• azuread_service_principal_token_signing_certificate - fix a parsing bug for service_principal_id (#​1499)
• azuread_synchronization_job - fix a parsing bug for service_principal_id (#​1499)
• azuread_synchronization_job_provision_on_demand - fix parsing bugs for service_principal_id and synchronization_job_id (#​1499)
• azuread_synchronization_secret - fix a parsing bug for service_principal_id (#​1499)

v3.0.0

Compare Source

NOTES:

• Major Version: Version 3.0 of the AzureAD Provider is a major version. Some behaviors have changed and some deprecated fields/resources have been removed. Please refer to the 3.0 upgrade guide for more information.
• When upgrading to v3.0 of the AzureAD Provider, we recommend upgrading to the latest version of Terraform Core (which can be found here).

v2.53.1

Compare Source

BUG FIXES:

• azuread_application - export the password attribute only when it is set in configuration, to prevent marking existing resources as sensitive (#​1422)

v2.53.0

Compare Source

ENHANCEMENTS:

• azuread_application - support for the password block (#​1389)

BUG FIXES:

• azuread_claims_mapping_policy - set the correct timeouts for this resource (#​1419)
• azuread_service_principal_claims_mapping_policy_assignment - set the correct timeouts for this resource (#​1419)
• azuread_synchronization_secret - set the correct timeouts for this resource (#​1419)

v2.52.0

Compare Source

BUG FIXES:

• azuread_application - fix a bug that could prevent the ignore_changes lifecycle argument from working for the app_role, oauth2_permission_scope, identifier_uris, optional_claims, and required_resource_access properties (#​1403)
• azuread_application - add a workaround for an API bug when instantiating an application from template using the template_id property (#​1406)

v2.51.0

Compare Source

ENHANCEMENTS:

• data.azuread_users - support for the mails property (#​1400)

BUG FIXES:

• azuread_access_package_assignment_policy - fix a bug preventing removal of the assignment_review_settings block (#​1394)

v2.50.0

Compare Source

ENHANCEMENTS:

• dependencies: updating to v0.68.0 of github.com/manicminer/hamilton (#​1382)
• data.azuread_application - support looking up applications with the identifier_uri property [GH 1303]
• azuread_conditional_access_policy - improve handling of the session_controls block (#​1382)

BUG FIXES:

• data.azuread_service_principal - treat the display_name property case-insensitively (#​1381)
• azuread_conditional_access_policy - fix a bug that could cause a persistent diff when setting certain properties in the session_controls block (#​1382)
• azuread_user - don't overwrite the existing password in state, when a password change fails (#​1308)

v2.49.1

Compare Source

BUG FIXES:

• data.azuread_group_role_management_policy - resolve a potential crash (#​1375)
• azuread_group_role_management_policy - resolve a number of potential crashes (#​1375)
• azuread_privileged_access_group_assignment_schedule - resolve a number of potential crashes (#​1375)
• azuread_privileged_access_group_eligibility_schedule - resolve a number of potential crashes (#​1375)

v2.49.0

Compare Source

FEATURES:

• New Data Source: azuread_group_role_management_policy (#​1327)
• New Resource: azuread_group_role_management_policy (#​1327)
• New Resource: azuread_privileged_access_group_assignment_schedule (#​1327)
• New Resource: azuread_privileged_access_group_eligibility_schedule (#​1327)
• New Resource: azuread_synchronization_job_provision_on_demand (#​1032)

ENHANCEMENTS:

• data.azuread_group - support for the include_transitive_members property (#​1300)
• azuread_application - relax validation for the identifier_uris property to allow more values (#​1351)
• azuread_application_identifier_uri - relax validation for the identifier_uri property to allow more values (#​1351)
• azuread_group - support the SkipExchangeInstantOn value for the behaviors property (#​1370)
• azuread_user - relax validation for the employee_type property to allow more values (#​1328)

BUG FIXES:

• azuread_application_pre_authorized - fix a destroy-time bug that could prevent deletion of the resource (#​1299)

v2.48.0

Compare Source

ENHANCEMENTS:

• dependencies: updating to v0.20240411.1104331 of github.com/hashicorp/go-azure-sdk/sdk (#​1353)

BUG FIXES:

• provider: fix an issue where the provider was not correctly configured when using a custom metadata host (#​1353)

v2.47.0

Compare Source

BUG FIXES:

• azuread_access_package_assignment_policy - fix a potential crash when removing the question block (#​1273)
• data.azuread_named_location - fix a potential crash if the named location is not found (#​1274)

v2.46.0

Compare Source

ENHANCEMENTS:

• data.azuread_application - update the resource ID format to match the azuread_application resource (#​1255)
• azuread_named_location - add validation for the ip_ranges property in the ip block (#​1254)

v2.45.0

Compare Source

FEATURES:

• New Resource: azuread_application_optional_claims (#​1223)

ENHANCEMENTS:

• azuread_conditional_access_policy - improved plan-time validation for the session_controls block (#​1229)
• azuread_conditional_access_policy - support for the sign_in_frequency_authentication_type and sign_in_frequency_interval properties in the session_controls block (#​1229)
• azuread_conditional_access_policy - support for the included_guests_or_external_users and excluded_guests_or_external_users blocks in the users block (#​1222)

BUG FIXES:

• azuread_conditional_access_policy - removing the devices or session_controls blocks will no longer force a new resource to be created (#​1229)

v2.44.1

Compare Source

BUG FIXES:

• azuread_application_certificate - work around an unexpected diff with the application_object_id property (#​1221)
• azuread_application_federated_identity_credential - work around an unexpected diff with the application_object_id property (#​1221)
• azuread_application_password - work around an unexpected diff with the application_object_id property (#​1221)
• azuread_application_pre_authorized - work around an unexpected diff with the application_object_id property (#​1221)

v2.44.0

Compare Source

• Developer Note: the Typed Resource SDK, as also used in the AzureRM provider, is now the preferred way of introducing new resources (#​1188)

FEATURES:

• New Resource: azuread_application_api_access (#​1214)
• New Resource: azuread_application_app_role (#​1214)
• New Resource: azuread_application_fallback_public_client (#​1214)
• New Resource: azuread_application_from_template (#​1214)
• New Resource: azuread_application_identifier_uri (#​1214)
• New Resource: azuread_application_known_clients (#​1214)
• New Resource: azuread_application_owner (#​1214)
• New Resource: azuread_application_permission_scope (#​1214)
• New Resource: azuread_application_redirect_uris (#​1214)
• New Resource: azuread_application_registration (#​1214)
• New Resource: azuread_authentication_strength_policy (#​1171)

ENHANCEMENTS:

• data.azuread_application - export the client_id attribute, deprecate the application_id attribute (#​1214)
• data.azuread_service_principal - support for the client_id property, deprecate the application_id property (#​1214)
• data.azuread_service_principals - support for the client_ids property, deprecate the application_ids property (#​1214)
• data.azuread_service_principals - export the client_id attribute in the service_principals block, deprecate the application_id attribute (#​1214)
• azuread_application - export the client_id attribute, deprecate the application_id attribute (#​1214)
• azuread_application_federated_identity_credential - support for the application_id property, deprecate the application_object_id property (#​1214)
• azuread_application_certificate - support for the application_id property, deprecate the application_object_id property (#​1214)
• azuread_application_password - support for the application_id property, deprecate the application_object_id property (#​1214)
• azuread_application_pre_authorized - support for the application_id property, deprecate the application_object_id property (#​1214)
• azuread_service_principal - support for the client_id property, deprecate the application_id property (#​1214)
• azuread_conditional_access_policy - support for the authentication_strength_policy_id property in the grant_controls block [GH_1171]

BUG FIXES:

• azuread_group_member - resolve a bug when refreshing state if the group is missing (#​1198)

v2.43.0

Compare Source

FEATURES:

• New Resource: azuread_directory_role_eligibility_schedule_request (#​974)

v2.42.0

Compare Source

IMPROVEMENTS:

• provider: support for the client_id_file_path and client_secret_file_path provider properties (#​1189)
• data.azuread_group - support for looking up a group with the mail_nickname property (#​1173)

BUG FIXES:

• azuread_conditional_access_policy - allow specifying terms_of_use in place of built_in_controls in the grant_controls block (#​1168)

v2.41.0

Compare Source

FEATURES:

• New Data Source: azuread_directory_role_templates (#​1152)
• New Data Source: azuread_named_location (#​1156)

IMPROVEMENTS:

• azuread_access_package_assignment_policy - support the Manager value for the review_type property in the assignment_review_settings block (#​1159)
• azuread_conditional_access_policy - support for the service_principal_risk_levels property in the conditions block (#​1145)
• azuread_conditional_access_policy - the grant_controls block is now optional (#​1155)

BUG FIXES:

• azuread_access_package_resource_package_association - support destruction of this resource (#​1124)
• azuread_application - set the display_name property correctly on creation to improve UX in the event of failure (#​1160)

v2.40.0

Compare Source

IMPROVEMENTS:

• dependencies: updating to v0.62.0 of github.com/manicminer/hamilton
• data.azuread_user - supporting looking up a user using the employee_id property (#​1040)
• data.azuread_users - supporting looking up users using the employee_ids property (#​1040)
• azuread_conditional_access_policy - support for the client_applications block in the conditions block (#​1047)
• azuread_conditional_access_policy - support for the disable_resilience_defaults property in the session_controls block (#​1135)
• azuread_group - the behaviors property now supports the CalendarMemberReadOnly and ConnectorsDisabled values (#​1144)

v2.39.0

Compare Source

IMPROVEMENTS:

• dependencies: updating to v0.20230511.1094507 of github.com/hashicorp/go-azure-sdk (#​1100)

BUG FIXES:

• provider: fix a token refresh bug that could cause authentication errors after initial token expiry (#​1100)

v2.38.0

Compare Source

FEATURES:

• New Data Source: azuread_access_package_catalog_role (#​1033)
• New Resource: azuread_access_package_catalog_role_assignment (#​1033)

BUG FIXES:

• Provider: fix an issue where API requests might not be retried correctly (#​1090)
• azuread_service_principal_token_signing_certificate - fix a crash when importing legacy certificates (#​1082)

v2.37.2

Compare Source

BUG FIXES:

• azuread_group - remove conditional ForceNew for the onpremises_group_type property, resolve breaking change in v2.37.1 (#​1076)
• azuread_group - improve a workaround for reading Microsoft 365-only properties for groups in a non-M365 tenant (#​1076)
• azuread_group - improve a workaround for detecting unwanted changes to the description property (#​1074)

v2.37.1

Compare Source

NOTES:

• This release contains a breaking change with the azuread_group resource, in order to fix a regression. Please see #​1072 for workaround information.

BUG FIXES:

• azuread_group - fix a regression that caused onpremises_group_type to be set when not configured, and unsetting this property now forces replacement of the resource (#​1070)

v2.37.0

Compare Source

FEATURES:

• New Data Source: azuread_access_package (#​903)
• New Data Source: azuread_access_package_catalog (#​903)
• New Resource: azuread_access_package (#​903)
• New Resource: azuread_access_package_assignment_policy (#​903)
• New Resource: azuread_access_package_catalog (#​903)
• New Resource: azuread_access_package_resource_catalog_association (#​903)
• New Resource: azuread_access_package_resource_package_association (#​903)
• New Resource: azuread_administrative_unit_role_member (#​983)
• New Resource: azuread_user_flow_attribute (#​1063)

IMPROVEMENTS:

• dependencies: updating to v0.60.0 of github.com/manicminer/hamilton (#​1062)
• data.azuread_application - support for the service_management_reference attribute (#​1046)
• data.azuread_group - support for the onpremises_group_type and writeback_enabled attributes (#​964)
• data.azuread_user - support for the mail property (#​996)
• azuread_application - support for the service_management_reference property (#​1046)
• azuread_group - support for the onpremises_group_type and writeback_enabled properties (#​964)

v2.36.0

Compare Source

IMPROVEMENTS:

• Provider: requests to Microsoft Graph no longer include the tenant ID as part of the URI path (#​1039)

BUG FIXES:

• azuread_group - work around an API issue that prevented group creation for some configurations where the calling principal is specified as an owner (#​1037)

v2.35.0

Compare Source

BUG FIXES:

• azuread_application_federated_identity_credential - the audiences property now only supports a single value due to a breaking API change (#​1027)
• azuread_group - only try to set additional fields when explicitly configured, to work around an API bug when application-only permissions are used (#​1028)
• azuread_service_principal - resolve an issue where newly created service principals might not be found when specifying use_existing = true (#​1025)

IMPROVEMENTS:

• Provider: support for the metadata_host property (#​1026)
• Provider: authentication now uses the github.com/hashicorp/go-azure-sdk/sdk/auth package (#​1026)
• Provider: cloud configuration now uses the github.com/hashicorp/go-azure-sdk/sdk/environments package (#​1026)
• data.azuread_application - support for the notes attribute (#​1027)
• data.azuread_directory_roles - support for the template_ids attribute (#​1011)
• azuread_application - support for the notes property (#​1027)
• azuread_group - support for the administrative_unit_ids property (#​984)
• azuread_synchronization_job - fix a bug where the incorrect API version was used, preventing this resource from working properly (#​1030)
• azuread_synchronization_secret - fix a bug where the incorrect API version was used, preventing this resource from working properly (#​1030)

v2.34.1

Compare Source

BUG FIXES:

• azuread_administrative_unit - revert to the Microsoft Graph beta API version to resolve an API error when using this resource (#​1023)
• azuread_application - revert to the Microsoft Graph beta API version to resolve an issue preventing creation of new applications (#​1023)
• azuread_application - revert to the Microsoft Graph beta API version to resolve an issue preventing setting the oauth2_post_response_required property (#​1023)
• azuread_application_pre_authorized - revert to the Microsoft Graph beta API version to resolve an issue creating this resource (#​1023)
• azuread_group - revert to the Microsoft Graph beta API version to resolve an issue when managing group members (#​1023)
• azuread_group_member - revert to the Microsoft Graph beta API version to resolve an issue when managing group members (#​1023)
• azuread_user - revert to the Microsoft Graph beta API version to resolve a persistent diff for the account_enabled and show_in_address_list properties (#​1023)

v2.34.0

Compare Source

IMPROVEMENTS:

• Provider: All resources will now explicitly use the Microsoft Graph v1.0 API unless stated otherwise in the provider documentation (#​990)
• data.azuread_application - support the description attribute (#​991)
• azuread_application - support app role and scope values up to 249 characters (#​1010)

BUG FIXES:

• Provider: Support authentication scenarios where the oid claim is missing from the access token (#​1014)
• data.azuread_application_template - revert a workaround from v2.31.0 and no longer use the beta API for this data source (#​987)
• azuread_application - work around an API bug where mapped_claims_enabled could be set on create when holding the Application.ReadWrite.OwnedBy role (#​1008)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[hmcts-platform-operations]

Plan Result (demo_cnp_dummy_library_test - demo - terraform plan)

Plan: 0 to add, 0 to change, 0 to destroy.

Change Result (Click me)

Plan: 0 to add, 0 to change, 0 to destroy.

⚠️ Errors

• add a label demo_cnp_dummy_library_test - demo - terraform plan/add-or-update: POST https://api.github.com/repos/hmcts/cnp-dummy-library-test/issues/42/labels: 422 Validation Failed [{Resource:Label Field:name Code:invalid Message:}]

[hmcts-platform-operations]

Plan Result (sbox_cnp_dummy_library_test - sbox - terraform plan)

Plan: 0 to add, 0 to change, 0 to destroy.

Change Result (Click me)

Plan: 0 to add, 0 to change, 0 to destroy.

⚠️ Errors

• add a label sbox_cnp_dummy_library_test - sbox - terraform plan/add-or-update: POST https://api.github.com/repos/hmcts/cnp-dummy-library-test/issues/42/labels: 422 Validation Failed [{Resource:Label Field:name Code:invalid Message:}]

[hmcts-platform-operations]

Plan Result (perftest_cnp_dummy_library_test - test - terraform plan)

Plan: 0 to add, 0 to change, 0 to destroy.

Change Result (Click me)

Plan: 0 to add, 0 to change, 0 to destroy.

⚠️ Errors

• add a label perftest_cnp_dummy_library_test - test - terraform plan/add-or-update: POST https://api.github.com/repos/hmcts/cnp-dummy-library-test/issues/42/labels: 422 Validation Failed [{Resource:Label Field:name Code:invalid Message:}]

[hmcts-platform-operations]

Plan Result (aat_cnp_dummy_library_test - stg - terraform plan)

Plan: 0 to add, 0 to change, 0 to destroy.

Change Result (Click me)

Plan: 0 to add, 0 to change, 0 to destroy.

⚠️ Errors

• add a label aat_cnp_dummy_library_test - stg - terraform plan/add-or-update: POST https://api.github.com/repos/hmcts/cnp-dummy-library-test/issues/42/labels: 422 Validation Failed [{Resource:Label Field:name Code:invalid Message:}]

[hmcts-platform-operations]

Plan Result (ithc_cnp_dummy_library_test - ithc - terraform plan)

Plan: 0 to add, 0 to change, 0 to destroy.

Change Result (Click me)

Plan: 0 to add, 0 to change, 0 to destroy.

⚠️ Errors

• add a label ithc_cnp_dummy_library_test - ithc - terraform plan/add-or-update: POST https://api.github.com/repos/hmcts/cnp-dummy-library-test/issues/42/labels: 422 Validation Failed [{Resource:Label Field:name Code:invalid Message:}]

[hmcts-platform-operations]

Plan Result (ptlsbox_cnp_dummy_library_test - ptlsbox - terraform plan)

Plan: 0 to add, 0 to change, 0 to destroy.

Change Result (Click me)

Plan: 0 to add, 0 to change, 0 to destroy.

⚠️ Errors

• add a label ptlsbox_cnp_dummy_library_test - ptlsbox - terraform plan/add-or-update: POST https://api.github.com/repos/hmcts/cnp-dummy-library-test/issues/42/labels: 422 Validation Failed [{Resource:Label Field:name Code:invalid Message:}]