Skip to main content

azure_active_directory_domain_services Resource

[edit on GitHub]

Use the azure_active_directory_domain_services InSpec audit resource to test properties of some or all Azure Active Directory domains within a tenant.

Azure REST API Version, Endpoint, and HTTP Client Parameters

This resource interacts with API versions supported by the resource provider. The api_version can be defined as a resource parameter. If not provided, this resource uses the latest version. For more information, refer to the azure_generic_resource document.

Unless defined, this resource uses the azure_cloud global endpoint and default values for the HTTP client. For more information, refer to the resource pack README.


This resource is available in the Chef InSpec Azure resource pack.

See the Chef InSpec documentation on cloud platforms for information on configuring your Azure environment for InSpec and creating an InSpec profile that uses the InSpec Azure resource pack.


An azure_active_directory_domain_services resource block returns all Azure Active Directory domains contained within the configured tenant and then tests that group of domains.

describe azure_active_directory_domain_services do


The following parameters can be passed for targeting specific domains.

A hash containing the filtering options and their values. The starts_with_ operator can be used for fuzzy string matching. Parameter names are in snake case.

Example: { starts_with_given_name: 'J', starts_with_department: 'Core', country: 'United Kingdom', given_name: John}

OData query string in double quotes, ". Property names are in camel case, refer to Microsoft’s query parameters documentation for more information.

Example: "startswith(displayName,'J') and surname eq 'Doe'" or "userType eq 'Guest'"

It is advised to use these parameters to narrow down the targeted resources at the server side, Azure Graph API, for a more efficient test.


A list of fully qualified names of the domain.

Field: id

A list of the configured authentication types for the domain.

Field: authenticationType

A list of domain entities when verify action is set.

Field: availabilityStatus

A list of admin managed configuration.

Field: isAdminManaged

A list of flags to indicate if they are default domains.

Field: isDefault

A list of flags to indicate if they are initial domains created by Microsoft Online Services.

Field: isInitial

A list of flags to indicate if they are verified root domains.

Field: isRoot

A list of flags to indicate if the domains have completed domain ownership verification.

Field: isVerified

A list of password notification window days.

Field: passwordNotificationWindowInDays

A list of password validity periods in days.

Field: passwordValidityPeriodInDays

A list of capabilities assigned to the domain.

Field: supportedServices

A list of asynchronous operations scheduled.

Field: state


See the documentation on FilterTable for information on using filter criteria on plural resources.


The following examples show how to use this InSpec audit resource.

Check domains with some filtering parameters applied at server side using filter.

describe azure_active_directory_domain_services(filter: {authenticationType: "authenticationType-value"}) do
  it { should exist }

Check domains with some filtering parameters applied at server side using filter_free_text.

describe azure_active_directory_domain_services(filter_free_text: "startswith(authenticationType,'authenticationType-value')") do
  it { should exist }

Ensure there are supported services using client-side filtering.

describe azure_active_directory_domain_services.supportedServices do
  it { should_not exist }


This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.


The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

describe azure_active_directory_domain_services do
  it { should_not exist }

Azure Permissions

Graph resources require specific privileges granted to your service principal. Please refer to the Microsoft Documentation for information on how to grant these permissions to your application.

Was this page helpful?


Search Results