weave
module · Identity & SSO

Microsoft Entra ID

Microsoft Entra ID — users, groups, applications, service principals, directory roles, administrative units, devices, Conditional Access policies, sign-in / audit logs, and round-trip state for the most-edited resources.

Namespace: weave entra
Env: AZURE_TENANT_ID

45 commands · 10 state kinds · Category: Identity & SSO · API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable             Description                                                                      Status
AZURE_TENANT_ID      Required for authentication.                                                     required
AZURE_CLIENT_ID      Required for authentication.                                                     required
AZURE_CLIENT_SECRET  Required for authentication.                                                     required
AZURE_AD_ENDPOINT    Sovereign-cloud login endpoint (defaults to https://login.microsoftonline.com)   optional
GRAPH_BASE_URL       Sovereign-cloud Graph base URL (defaults to https://graph.microsoft.com)         optional

Sanity-check the wiring:

weave secrets check
weave entra --help
weave doctor   # reports AZURE_TENANT_ID status

Capabilities

What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.

Entity                         find  list  show  do  snapshot  diff  apply
administrative-unit             ·     ✓     ·    ✓      ✓       ✓      ✓
app                             ✓     ✓     ·    ✓      ✓       ✓      ·
au-members                      ·     ·     ✓    ·      ·       ·      ·
audit-log                       ·     ✓     ·    ·      ·       ·      ·
conditional-access-policies     ·     ·     ·    ·      ✓       ✓      ·
conditional-access-policy       ·     ✓     ·    ·      ·       ·      ·
device                          ·     ✓     ✓    ✓      ✓       ✓      ·
directory-role                  ·     ✓     ·    ·      ·       ·      ·
group                           ✓     ✓     ·    ✓      ✓       ✓      ✓
group-members                   ·     ·     ✓    ·      ·       ·      ·
group-memberships               ·     ·     ·    ·      ✓       ✓      ✓
group-owners                    ·     ·     ✓    ·      ·       ·      ·
named-location                  ·     ✓     ·    ·      ✓       ✓      ·
role                            ·     ·     ·    ✓      ·       ·      ·
role-assignment                 ·     ✓     ·    ·      ✓       ✓      ✓
service-principal               ✓     ✓     ·    ·      ✓       ✓      ·
signin-log                      ·     ✓     ·    ·      ·       ·      ·
user                            ✓     ✓     ✓    ✓      ✓       ✓      ·
user-licenses                   ·     ·     ✓    ·      ·       ·      ·
user-manager                    ·     ·     ✓    ·      ·       ·      ·
user-mfa                        ·     ·     ✓    ·      ·       ·      ·

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (4)

find app

read

Find an application by displayName, appId, or object id.

weave entra find app <identifier>

find group

read

Find a group by displayName or object id.

weave entra find group <identifier>

find service-principal

read

Find a service principal by displayName, appId, or id.

weave entra find service-principal <identifier>

find user

read

Find a user by UPN, email, or object id.

weave entra find user <identifier>

list (12)

list administrative-units

read

List administrative units (OU-equivalent).

weave entra list administrative-units <arg>

list apps

read

List application registrations.

weave entra list apps <arg>

list audit-logs

read

Directory audit log (admin actions, lifecycle events).

weave entra list audit-logs <arg>

list conditional-access-policies

read

List Conditional Access policies.

weave entra list conditional-access-policies <arg>

list devices

read

List devices registered in the tenant.

weave entra list devices <arg>

list directory-roles

read

List active directory roles in the tenant.

weave entra list directory-roles <arg>

list groups

read

List directory groups.

weave entra list groups <arg>

list named-locations

read

List Conditional Access named locations.

weave entra list named-locations <arg>

list role-assignments

read

List directory role assignments (unified RBAC).

weave entra list role-assignments <arg>

list service-principals

read

List service principals (enterprise apps).

weave entra list service-principals <arg>

list signin-logs

read

Sign-in events (last 24h by default).

weave entra list signin-logs <arg>

list users

read

List directory users.

weave entra list users <arg>

show (9)

show app-role-assignments

read

Application permissions (appRoles) granted to an app's service principal.

weave entra show app-role-assignments <app>

show au-members

read

Members of an administrative unit.

weave entra show au-members <identifier>

show device

read

Full record for one device.

weave entra show device <identifier>

show group-members

read

Direct members of a group.

weave entra show group-members <identifier>

show group-owners

read

Owners of a group.

weave entra show group-owners <identifier>

show user

read

Full record for one user.

weave entra show user <identifier>

show user-licenses

read

License plans assigned to a user.

weave entra show user-licenses <identifier>

show user-manager

read

Manager (reporting line) for a user.

weave entra show user-manager <identifier>

show user-mfa

read

Authentication / MFA methods registered for a user.

weave entra show user-mfa <identifier>

do (20)

do add-au-member

write

Add a user/group to an administrative unit.

weave entra do add-au-member <object-id>

do add-member

write

Add a user to a group.

weave entra do add-member <user>

do add-owner

write

Add a user as a group owner.

weave entra do add-owner <user>

do assign-role

write

Assign a directory role to a principal.

weave entra do assign-role <principal>

do create-app-password

write

Mint a client secret for an application registration.

weave entra do create-app-password <app-id>

do delete-app-password

write

Revoke an application client secret by keyId.

weave entra do delete-app-password <app-id>

do delete-device

write

Permanently delete a device record.

weave entra do delete-device <identifier>

do disable

write

Disable a user (accountEnabled=false).

weave entra do disable <identifier>

do disable-device

write

Disable a device (accountEnabled=false).

weave entra do disable-device <identifier>

do enable

write

Re-enable a previously disabled user.

weave entra do enable <identifier>

do enable-device

write

Re-enable a previously disabled device.

weave entra do enable-device <identifier>

do grant-app-role

write

Grant an application permission (appRole) to an app's service principal — the admin-consent equivalent.

weave entra do grant-app-role <app> <permission>

do remove-au-member

write

Remove a user/group from an administrative unit.

weave entra do remove-au-member <object-id>

do remove-member

write

Remove a user from a group.

weave entra do remove-member <user>

do remove-owner

write

Remove a group owner.

weave entra do remove-owner <user>

do reset-password

write

Reset a user's password (returns a new temporary password).

weave entra do reset-password <identifier>

do restore

write

Restore a soft-deleted user (within 30-day window).

weave entra do restore <identifier>

do revoke-app-role

write

Revoke an application permission (appRoleAssignment) by id.

weave entra do revoke-app-role <app>

do revoke-sessions

write

Force sign-out of all sessions for a user.

weave entra do revoke-sessions <identifier>

do unassign-role

write

Remove a directory role assignment by id.

weave entra do unassign-role <assignment-id>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/entra/.

users

snapshot diff apply

Directory users — UPN, profile fields, accountEnabled (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: entra
kind: users
items:
  - # <fields specific to this kind — see snapshot output>

groups

snapshot diff apply

All Entra directory groups with their member UPNs (full apply; dynamic / on-prem groups noop).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: entra
kind: groups
items:
  - # <fields specific to this kind — see snapshot output>

group-memberships

snapshot diff apply

Direct members of one specified group (full apply, scoped via --group).

Scope: group
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: entra
kind: group-memberships
group: <value>
items:
  - # <fields specific to this kind — see snapshot output>

apps

snapshot diff apply

Application registrations — metadata only, no secrets (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: entra
kind: apps
items:
  - # <fields specific to this kind — see snapshot output>

service-principals

snapshot diff apply

Service principals (enterprise-app projection) — metadata only (snapshot+diff only).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: entra
kind: service-principals
items:
  - # <fields specific to this kind — see snapshot output>

role-assignments

snapshot diff apply

Directory-role assignments (principal × role × scope) — full apply.

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: entra
kind: role-assignments
items:
  - # <fields specific to this kind — see snapshot output>

administrative-units

snapshot diff apply

Administrative-unit containers (display fields; members tracked via do verbs).

Scope: (none)
Round-trip: Full round-trip — snapshot, diff, apply.

State file skeleton

module: entra
kind: administrative-units
items:
  - # <fields specific to this kind — see snapshot output>

devices

snapshot diff apply

Registered device inventory (snapshot+diff only; lifecycle via do verbs).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: entra
kind: devices
items:
  - # <fields specific to this kind — see snapshot output>

conditional-access-policies

snapshot diff apply

Conditional Access policies (snapshot+diff only — write API is per-type).

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: entra
kind: conditional-access-policies
items:
  - # <fields specific to this kind — see snapshot output>

named-locations

snapshot diff apply

Conditional Access named locations (IP / country) — snapshot+diff only.

Scope: (none)
Round-trip: Snapshot + diff (apply not wired).

State file skeleton

module: entra
kind: named-locations
items:
  - # <fields specific to this kind — see snapshot output>

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Onboard a new hire

Find the user, drop them in groups, assign manager, sanity-check their MFA inventory.

weave entra find user new.hire@example.com
weave entra do add-member new.hire@example.com --group 'All Engineering' --yes
weave entra do add-member new.hire@example.com --group 'VPN-Users' --yes
weave entra show user-manager new.hire@example.com
weave entra show user-mfa new.hire@example.com   # confirm registration

Quarantine a compromised account

Disable, revoke every session, watch the sign-in log for blocked retries.

weave entra find user alice@example.com
weave entra do disable alice@example.com --yes
weave entra do revoke-sessions alice@example.com --yes
weave entra list signin-logs --user alice@example.com --since 1h

Quarterly access review

Snapshot groups + role assignments, commit, diff next quarter to spot drift.

weave entra snapshot groups
weave entra snapshot role-assignments
weave entra snapshot administrative-units
git add .weave-state/entra && git commit -m 'entra access review Q1'
# … next quarter …
weave entra diff groups
weave entra diff role-assignments

Rotate a service-account client secret

Mint a new password for the Entra app reg, capture it once, revoke the old keyId.

weave entra find app 11111111-2222-3333-4444-555555555555
weave entra do create-app-password 11111111-2222-3333-4444-555555555555 --months 6 --show-secret --yes
# update the consuming service with the new secret …
weave entra do delete-app-password 11111111-2222-3333-4444-555555555555 --key-id <old-keyId> --yes

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource | weave equivalent
azuread_user | weave entra find/list/show user / snapshot users + do disable / enable / revoke-sessions / reset-password / restore
azuread_user_password_lifecycle | weave entra do reset-password (--show-secret to display the temp password)
azuread_group | weave entra find/list/show group / snapshot groups (full apply)
azuread_group_member | weave entra do add-member / remove-member / show group-members + snapshot group-memberships --group=<id|name>
azuread_group_owner | weave entra do add-owner / remove-owner / show group-owners
azuread_application | weave entra find/list app / snapshot apps (snapshot+diff only — secrets / certs / redirect URIs aren't safe to round-trip)
azuread_application_password | weave entra do create-app-password / delete-app-password (--show-secret to display the value once)
azuread_application_certificate | Not exposed — certificates need an X.509 upload flow. Use Terraform's azuread_application_certificate or the portal.
azuread_application_pre_authorized | Embedded in the app registration body; managed via Terraform. Snapshot captures it as part of the apps record.
azuread_service_principal | weave entra find/list service-principal / snapshot service-principals (snapshot+diff only)
azuread_service_principal_password | Same shape as application password — use create-app-password against the SP's appId
azuread_directory_role | weave entra list directory-roles
azuread_directory_role_assignment | weave entra list role-assignments / do assign-role / unassign-role / snapshot role-assignments (full apply)
azuread_administrative_unit | weave entra list administrative-units / snapshot administrative-units (full apply)
azuread_administrative_unit_member | weave entra show au-members / do add-au-member / remove-au-member
azuread_administrative_unit_role_member | Tracked through role-assignments scoped to the AU id (use --scope=<au-id> on do assign-role)
azuread_named_location / azuread_named_location_country / azuread_named_location_ip | weave entra list named-locations / snapshot named-locations (snapshot+diff only — bodies are per-type)
azuread_conditional_access_policy | weave entra list conditional-access-policies / snapshot conditional-access-policies (snapshot+diff only — write API is gnarly)
azuread_device | weave entra list devices / show device / snapshot devices + do disable-device / enable-device / delete-device
(sign-in / audit log tail) | weave entra list signin-logs --since=24h --user=<upn> / list audit-logs --since=24h --activity=<name>. Operational verbs unique to weave — no Terraform equivalent.
azuread_synchronization_job / azuread_synchronization_secret | Not exposed — cross-tenant / B2B sync needs Premium licensing and a separate provisioning flow. Future work — Premium P2 only, low operator demand.
azuread_invitation | Not exposed — B2B invitation requires interactive redemption flow. Future work — flow-driven, not state-friendly.
azuread_user_flow_attribute | Not exposed — Azure AD B2C-specific resource. Out of scope — B2C is a separate product surface.
azuread_access_package / azuread_access_package_assignment_policy / azuread_access_package_catalog_* | Not exposed — Identity Governance is Premium P2 with low operator-CLI traffic. Future work — covered by Microsoft Entra portal until demand surfaces.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including AZURE_TENANT_ID) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave entra diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.