Activedirectory
Active Directory — hybrid-synced users, groups, computers, administrative units, sign-in logs, and group memberships via Microsoft Graph. Four state kinds (users, groups, group-memberships, computers). Pure on-prem LDAP is planned.
weave activedirectory
Env: AZURE_TENANT_ID
Setup
Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.
Official API reference
weave commands for this module are checked against the vendor's published API.
| Variable | Description | Status |
|---|---|---|
| AZURE_TENANT_ID | Required for authentication; the same app registration as the Entra / Teams Graph modules. | required |
| AZURE_CLIENT_ID | Required for authentication. | required |
| AZURE_CLIENT_SECRET | Required for authentication. | required |
| GRAPH_API_VERSION | Override the Graph API version (default: v1.0). | optional |
Sanity-check the wiring:
weave secrets check
weave activedirectory --help
weave doctor # reports AZURE_TENANT_ID status
Capabilities
What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.
| Entity | find | list | show | do | snapshot | diff | apply |
|---|---|---|---|---|---|---|---|
| administrative-unit | · | ✓ | · | · | · | · | · |
| au-members | · | · | ✓ | · | · | · | · |
| computer | ✓ | ✓ | ✓ | · | ✓ | ✓ | · |
| group | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| group-members | · | · | ✓ | · | · | · | · |
| group-memberships | · | · | · | · | ✓ | ✓ | ✓ |
| signin-log | · | ✓ | · | · | · | · | · |
| user | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | · |
| user-groups | · | · | ✓ | · | · | · | · |
| user-manager | · | · | ✓ | · | · | · | · |
Commands
Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.
find (3)
find computer
read: Find a hybrid-joined computer by displayName or deviceId.
weave activedirectory find computer <identifier>
find group
read: Find an AD group by displayName, sAMAccountName, or object id.
weave activedirectory find group <identifier>
find user
read: Find a user by UPN, email, sAMAccountName, or object id.
weave activedirectory find user <identifier>
list (5)
list administrative-units
read: List administrative units (OU-equivalent in Entra).
weave activedirectory list administrative-units <arg>
list computers
read: List hybrid-joined computers.
weave activedirectory list computers <arg>
list groups
read: List directory groups (default: AD-synced only).
weave activedirectory list groups <arg>
list signin-logs
read: Sign-in events (Graph audit log; per-user filter).
weave activedirectory list signin-logs <arg>
list users
read: List directory users (default: AD-synced only).
weave activedirectory list users <arg>
show (7)
show au-members
read: Members of an administrative unit.
weave activedirectory show au-members <identifier>
show computer
read: Full record for one computer.
weave activedirectory show computer <identifier>
show group
read: Full record for one group.
weave activedirectory show group <identifier>
show group-members
read: Show direct members of a group.
weave activedirectory show group-members <group>
show user
read: Full record for one user.
weave activedirectory show user <identifier>
show user-groups
read: Groups a user is a direct member of.
weave activedirectory show user-groups <identifier>
show user-manager
read: Reporting line for a user.
weave activedirectory show user-manager <identifier>
do (6)
do add-user-to-group
write: Add a user to an AD group.
weave activedirectory do add-user-to-group <user>
do disable-user
write: Disable a user (accountEnabled=false).
weave activedirectory do disable-user <identifier>
do enable-user
write: Re-enable a previously disabled user.
weave activedirectory do enable-user <identifier>
do remove-user-from-group
write: Remove a user from an AD group.
weave activedirectory do remove-user-from-group <user>
do reset-password
write: Reset a user's password (returns a new temporary password).
weave activedirectory do reset-password <identifier>
do unlock-account
write: Re-enable an account (Graph treats lockouts as accountEnabled flips).
weave activedirectory do unlock-account <identifier>
snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).
State kinds
Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/activedirectory/.
users
Hybrid-synced user profiles (snapshot+diff only).
State file skeleton
module: activedirectory
kind: users
items:
  - # <fields specific to this kind — see snapshot output>
groups
Hybrid-synced groups and member UPNs (apply when cloud-managed).
State file skeleton
module: activedirectory
kind: groups
items:
  - # <fields specific to this kind — see snapshot output>
group-memberships
Direct members of a single AD/Entra group (UPNs).
State file skeleton
module: activedirectory
kind: group-memberships
group: <value>
items:
  - # <fields specific to this kind — see snapshot output>
computers
Hybrid-joined computers (snapshot+diff only).
State file skeleton
module: activedirectory
kind: computers
items:
  - # <fields specific to this kind — see snapshot output>
Workflows
End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.
Snapshot hybrid users and groups
Account-wide inventory for drift review (apply blocked on users/computers).
weave activedirectory snapshot users
weave activedirectory snapshot groups
weave activedirectory diff users
weave activedirectory diff groups
Git-review group membership changes
The primary AD admin loop — treat a security group like code.
weave activedirectory snapshot group-memberships --group=VPN-Users
$EDITOR .weave-state/activedirectory/group-memberships-VPN-Users.yaml
weave activedirectory diff group-memberships --group=VPN-Users
weave activedirectory apply group-memberships --group=VPN-Users --yes
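Added example (not weave's own code) covering both the group-memberships state kind above and the git-review loop just shown: it reads two state files in the skeleton layout and reports the drift a reviewer would look for before apply. Assumptions: for this kind, items is a plain list of member UPNs (the page does not list the fields), and the privileged-group policy and sample files are constructed.

```python
# Added example, not weave's own code: a drift check over two group-memberships
# state files in the skeleton layout shown above. Assumption: for this kind,
# `items` is a plain YAML list of member UPNs (the page does not list the fields).

# Constructed sample policy: unexpected members here block `apply` until reviewed.
PRIVILEGED_GROUPS = {"Admins-Production"}


def parse_state(text: str) -> dict:
    """Minimal reader for the skeleton: top-level `key: value` scalars plus an
    `items:` block of `- upn` lines. No PyYAML needed."""
    state, items, in_items = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # comments, incl. the skeleton placeholder
        if not line.strip() or line.strip() == "-":
            continue
        if line.strip() == "items:":
            in_items = True
        elif in_items and line.lstrip().startswith("- "):
            items.append(line.lstrip()[2:].strip())
        else:
            in_items = False
            key, _, value = line.partition(":")
            state[key.strip()] = value.strip()
    if state.get("kind") != "group-memberships":
        raise ValueError(f"expected kind group-memberships, got {state.get('kind')!r}")
    state["items"] = items
    return state


def diff_members(committed: dict, live: dict) -> dict:
    """`unexpected`: in the directory but not in the reviewed file (added out of
    band); `missing`: reviewed but gone. `blocks_apply` flags privileged drift."""
    if committed["group"] != live["group"]:
        raise ValueError(f"group mismatch: {committed['group']!r} vs {live['group']!r}")
    want, have = set(committed["items"]), set(live["items"])
    return {
        "group": live["group"],
        "unexpected": sorted(have - want),
        "missing": sorted(want - have),
        "blocks_apply": bool(have - want) and live["group"] in PRIVILEGED_GROUPS,
    }


# Constructed sample input: the committed file and a later snapshot of the same group.
COMMITTED = "module: activedirectory\nkind: group-memberships\ngroup: Admins-Production\n" \
            "items:\n  - alice@contoso.com\n  - bob@contoso.com\n"
LIVE = "module: activedirectory\nkind: group-memberships\ngroup: Admins-Production\n" \
       "items:\n  - alice@contoso.com\n  - mallory@contoso.com  # no reviewed change\n"

if __name__ == "__main__":
    print(diff_members(parse_state(COMMITTED), parse_state(LIVE)))
```

Run it over the committed file and the output of a fresh snapshot; a non-empty `unexpected` list on a privileged group is the case where you investigate before you re-snapshot or apply.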
Offboard a user (disable + remove from groups)
Imperative verbs for one-off incidents; membership drift goes through state.
weave activedirectory find user jane.doe@contoso.com
weave activedirectory show user-groups jane.doe@contoso.com
weave activedirectory do disable-user jane.doe@contoso.com --yes
# remove from sensitive groups via snapshot/apply on each group
Audit who is in Admins-Production
Read-only before you touch membership state.
weave activedirectory show group-members Admins-Production
weave activedirectory snapshot group-memberships --group=Admins-Production
git add .weave-state/activedirectory && git commit -m 'admins group audit'
Unlock after lockout
weave activedirectory find user <upn>
weave activedirectory do unlock-account <upn> --yes
Terraform parity
For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.
| Terraform resource | weave equivalent |
|---|---|
| azuread_group_member | weave activedirectory snapshot/diff/apply group-memberships |
| azuread_user | weave activedirectory find/list/show user + do disable/enable/reset-password |
| azuread_group | weave activedirectory find/list/show group + do add-user-to-group / remove-user-from-group |
| azuread_administrative_unit | weave activedirectory list administrative-units / show au-members |
| azuread_group (on-prem LDAP) | Not wired — pure on-prem LDAP planned (python-ldap). Hybrid objects use Microsoft Graph; on-prem-only AD needs Entra Connect sync. |
| azuread_user (profile) | weave activedirectory snapshot/diff users |
| azuread_group (members) | weave activedirectory snapshot/diff/apply groups or group-memberships |
Troubleshooting & source
Run weave doctor: it reports which env vars (including AZURE_TENANT_ID) are set and which are blank.
Re-run weave activedirectory diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.
The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/activedirectory. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.