Manage your Tenant with Infrastructure as Code: it works for Workforce and Customer instances
This workshop supports interactive tracking via GitHub Issues! Each stage creates a dedicated issue with:
- Full documentation and instructions
- Progress checkboxes to track your completion
- Labels for easy filtering

Copy the workshop to your account and the pipeline will create the GitHub Issues:
- Go to the Issues tab

Track Your Progress:
- Each stage has its own GitHub Issue with checkboxes
- Check the boxes as you complete each step
- Close the issue when you finish the stage

Recommended Workflow:

| Step | Action |
|---|---|
| 1 | Open the stage issue |
| 2 | Read the documentation |
| 3 | Complete all tasks |
| 4 | Check all checkboxes |
| 5 | Close the issue |
| 6 | Move to the next stage |

Tip: Use the issue comments to note any problems or learnings during each stage!
| Version | Date | Description |
|---|---|---|
| v0.8 | 2025.04.28 | Alpha |
| v0.9 | 2025.05.07 | Beta - dryrun |
| v0.9.1 | 2025.05.16 | For Self-Workshop: more pictures and description |
| v0.10 | 2026.01.03 | Typos and doc improvement & update provider version |
| v1.0 | 2026.01.05 | 🎆 Public repository version |
| Question | Answer |
|---|---|
| Do I need an Entra ID Tenant? | Yes, when you run a workshop on your own; no, during an online or onsite workshop. |
| Do I need an Azure Subscription? | No, we will use Entra ID only. |
| Do I need to have a Workforce or an External ID tenant? | All steps are for Workforce, 1-4 will work with the External ID tenant. |
| Do I need the Global Admin role? | Yes. |
| Is the workshop to learn Terraform? | No, the workshop is to manage Entra ID as code with Terraform. |

- ✅ The Global Administrator or Authentication Policy Administrator role is required.
- ✅ Entra ID P1 or P2 license (required for Stages 4-6: Conditional Access, Access Packages, PIM)
- ✅ Security Defaults disabled in the tenant (required for Stage 4: Conditional Access)
- ✅ VSCode
- ✅ Terraform (v1.0+)
- ✅ Git (to clone the repository)
- ✅ Windows workstation (I tested all flows on Windows, but you can use any OS)

| Stage | Required Graph API Permissions |
|---|---|
| 0-3 | Application.ReadWrite.All |
| 4 | + Policy.ReadWrite.ConditionalAccess, Policy.Read.All |
| 5 | + EntitlementManagement.ReadWrite.All, Group.ReadWrite.All, Directory.ReadWrite.All |
| 6 | + PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup |
- ✅ Basic knowledge of scripting and the command line
- ✅ Basic understanding of Service Principal Authentication
- ✅ Familiarity with Azure Portal navigation
- Authenticate with service access (Service Principal)
- Set up basic Entra ID elements with Terraform.
- Understand limitations.
- Set up the workstation environment
- Create a Service Principal
- Prepare the Terraform file structure
- First Terraform resource and module
- Init & Plan & Apply
- Create a couple of Entra ID resources
- Spacelift.io for integration
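
A minimal `main.tf` for the first stages (service principal authentication, a first application, its service principal and a group), added here as an illustration and not taken from the workshop repository. It assumes the `hashicorp/azuread` provider, credentials supplied through the `ARM_TENANT_ID`, `ARM_CLIENT_ID` and `ARM_CLIENT_SECRET` environment variables, and constructed resource names:

```hcl
# main.tf (assumed file name) - example added to this page, not the workshop's own code.
terraform {
  required_version = ">= 1.0"
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

# Service principal (client credentials) authentication. The provider reads
# ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET from the environment,
# so the client secret is never written into this file or committed to Git.
provider "azuread" {}

# The identity Terraform runs as; used below so the service principal
# owns what it creates and can still manage it later.
data "azuread_client_config" "current" {}

# Application registration (Application.ReadWrite.All covers Stages 0-3).
resource "azuread_application" "workshop" {
  display_name = "workshop-entra-as-code-app" # constructed name
  owners       = [data.azuread_client_config.current.object_id]
}

# Service principal for that application in this tenant.
resource "azuread_service_principal" "workshop" {
  client_id = azuread_application.workshop.client_id
  owners    = [data.azuread_client_config.current.object_id]
}

# Security group (Group.ReadWrite.All is listed for Stage 5 in the permissions table).
resource "azuread_group" "workshop" {
  display_name     = "workshop-entra-as-code-group" # constructed name
  security_enabled = true
  owners           = [data.azuread_client_config.current.object_id]
}

output "application_client_id" {
  value = azuread_application.workshop.client_id
}
```

Set the three `ARM_*` variables in the shell first (for example `$env:ARM_CLIENT_ID = "<client id>"` in PowerShell), then run `terraform init`, `terraform plan` and `terraform apply`; `terraform destroy` removes all three objects again. Keeping the secret in the environment rather than in a `.tf` file is the simplest answer to the secret-management limitation listed further down; the state file will still contain the object IDs and display names, so treat it as sensitive too.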

Install the tools with winget:
- VS Code: `winget install Microsoft.VisualStudioCode`
- Terraform: `winget install HashiCorp.Terraform`

Terraform workflow commands:
- init: `terraform init`
- plan: `terraform plan`
- apply: `terraform apply`
- destroy: `terraform destroy`

- Cost of the Terraform license (if any).
- Manage the Terraform state file.
- Secret management: the client_id and client_secret that grant access to the Entra ID tenant and Azure subscription (not covered at all).
| Issue | Solution |
|---|---|
| No changes in the Terraform plan. | Always be sure to save the changes in the main.tf. |
| Can't remove (destroy) the resources. | Check Access Package assignments. Remove all assignments to your package. |
| Error: Module not installed | Run "terraform init" to install all modules required by this configuration. |
Found a bug, have a question, or want to suggest an improvement? Please report any issues with the workshop at:
https://github.com/mjendza/workshop-entra-as-code-interactive/issues