
azurerm_ad_users resource


This resource will be deprecated when version 2 of the inspec-azure resource pack is released.

Use the azurerm_ad_users InSpec audit resource to test properties of some or all Azure Active Directory users within a Tenant.

Azure REST API version

This resource interacts with version 1.6 of the Azure Graph API. For more information see the official Azure documentation.

I don’t see a way to select the version of the API in the Azure documents. If you notice a newer version being referenced in the official documentation, please open an issue or submit a pull request using the updated version.



This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:

depends:
  - name: inspec-azure

You’ll also need to set up your Azure credentials; see the resource pack README.


This resource first became available in 1.1.0 of the inspec-azure resource pack.


An azurerm_ad_users resource block returns all Azure Active Directory user accounts contained within the configured Tenant and then tests that group of users.

describe azurerm_ad_users do
  # ...
end


The following examples show how to use this InSpec audit resource.

Check Users are present

describe azurerm_ad_users do
  it { should exist }
end

Ensure there are no Guest accounts active

describe azurerm_ad_users.guest_accounts do
  it { should_not exist }
end

Filter Criteria

  • names


Filters the results to include only those Users that match the given name. This is a string value.

describe azurerm_ad_users.where { displayName.eql?('Haris Shefu') } do
  it { should exist }
end


  • object_ids
  • display_names
  • mails
  • user_types


The object_ids property provides a list of all Users’ Azure IDs.

its('object_ids') { should include '44211066-f292-4546-8ced-2ab0e0911f44' }


The display_names property provides a list of all the User display names.

its('display_names') { should include 'Azure Admin Account' }


The mails property provides a list of all the User email addresses, where present.

its('mails') { should include '' }


The user_types property provides a list of all User Types for all users.

its('user_types') { should include 'Member' }
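
The filter and property sections above use two naming styles: raw Graph fields such as displayName inside a where block, and plural properties such as display_names with its. The following plain-Ruby model is an added example, not code from the inspec-azure resource pack; it applies that mapping to a constructed user listing and extends the guest-account check to an approved-mail list. The sample records, the FIELD_TO_PROPERTY table and the unapproved_guests policy are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample shaped like a Graph API 1.6 user listing (not real data).
SAMPLE_RESPONSE = <<~SAMPLE
  {"value": [
    {"objectId": "00000000-0000-0000-0000-000000000001", "displayName": "Azure Admin Account",
     "mail": "admin@example.com", "userType": "Member"},
    {"objectId": "00000000-0000-0000-0000-000000000002", "displayName": "Service Runner",
     "mail": null, "userType": "Member"},
    {"objectId": "00000000-0000-0000-0000-000000000003", "displayName": "External Auditor",
     "mail": "auditor@partner.example", "userType": "Guest"}
  ]}
SAMPLE

# Assumed mapping: raw field (used inside a where block) => plural property (used with its()).
FIELD_TO_PROPERTY = {
  'objectId' => :object_ids, 'displayName' => :display_names,
  'mail' => :mails, 'userType' => :user_types
}.freeze

# Build the plural property lists from raw user records, dropping absent values
# so that a user without a mailbox does not put nil into mails.
def plural_properties(users)
  FIELD_TO_PROPERTY.each_with_object({}) do |(field, property), out|
    out[property] = users.map { |u| u[field] }.compact
  end
end

# Model of the guest_accounts filter: keep records whose userType is Guest.
def guest_accounts(users)
  users.select { |u| u['userType'].to_s.casecmp?('Guest') }
end

# Hypothetical policy: guests whose mail is missing or not on the approved list.
def unapproved_guests(users, approved_mails)
  approved = approved_mails.map(&:downcase)
  guest_accounts(users).reject { |u| u['mail'] && approved.include?(u['mail'].downcase) }
end

USERS = JSON.parse(SAMPLE_RESPONSE).fetch('value')
```

A guest record with no mail value is always reported by unapproved_guests, since it cannot be matched against the approved list.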


For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.


The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.

describe azurerm_ad_users do
  it { should exist }
end

Azure Permissions

The Client/Active Directory Application you have configured InSpec Azure to use (AZURE_CLIENT_ID) must have permissions to read User data from the Azure Graph RBAC API.

Please refer to the Microsoft Documentation for information on how to grant these permissions to your application.

Note: An Azure Admin must grant your application these permissions.
