azurerm_ad_user

Use the azurerm_ad_user InSpec audit resource to test properties of an Azure Active Directory user within a Tenant.


Azure REST API version

This resource interacts with version 1.6 of the Azure Graph API. For more information see the official Azure documentation.

At the moment, there doesn’t appear to be a way to select the version of the Azure API docs. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.

Availability

Installation

This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:

depends:
  inspec-azure:
    git: https://github.com/inspec/inspec-azure.git

You’ll also need to setup your Azure credentials; see the resource pack README.

Version

This resource first became available in 1.1.0 of the inspec-azure resource pack.

Syntax

The user_id must be given as a parameter.

describe azurerm_ad_user(user_id: 'someUserId') do
  it { should exist }
end


Examples

If an Active Directory user account is referenced with a valid ID

describe azurerm_ad_user(user_id: 'someValidId')
  it { should exist }
end

If an Active Directory user account is referenced with an invalid ID

describe azurerm_ad_user(user_id: 'someInvalidId')
  it { should_not exist }
end


Parameters

  • user_id

Parameter Examples

# user_id is a required parameter
describe azurerm_ad_user(user_id: 'MyUserId') do
    ...
end

Attributes

  • object_id
  • account_enabled
  • city
  • country
  • department
  • displayName
  • facsimile_telephone_number
  • given_name
  • job_title
  • mail
  • mail_nickname
  • mobile
  • password_policies
  • password_profile
  • postal_code
  • state
  • street_address
  • surname
  • telephone_number
  • usage_location
  • user_principal_name
  • user_type

object_id

The user’s object ID.

account_enabled

Whether the account is enabled.

city

The user’s city.

country

The user’s country.

department

The user’s department.

displayName

The display name of the user.

facsimile_telephone_number

the user’s facsimile (fax) number.

given_name

the given name for the user.

job_title

the user’s job title.

mail

the primary email address of the user.

mail_nickname

The mail alias for the user.

mobile

The user’s mobile (cell) phone number.

password_policies

The password policies for the user.

password_profile

The password profile for the user.

postal_code

The user’s postal (ZIP) code.

state

The user’s state.

street_address

The user’s street address.

surname

The user’s surname (family name or last name).

telephone_number

The user’s telephone number.

usage_location

A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: “US”, “JP”, and “GB”.

user_principal_name

The principal name of the user.

user_type

A string value that can be used to classify user types in your directory, such as ‘Member’ and ‘Guest’.

Other Attributes

There are additional attributes that may be accessed that we have not documented. Please take a look at the Azure documentation. Any attribute in the response may be accessed with the key names separated by dots (.). Given the example response in their documentation:

...
  "preferredLanguage": "en-US",
  "provisionedPlans": [
    {
      "capabilityStatus": "Enabled",
      "provisioningStatus": "Success",
      "service": "exchange"
    },
...

We may access provisioningStatus with:

its('provisionedPlants.first.provisioningStatus') { should eq "Success" }

The API may not always return keys that do not have any associated data. There may be cases where the deeply nested property may not have the desired attribute along your call chain. If you find yourself writing tests against properties that may be nil, fork this resource pack and add an accessor to the resource. Within that accessor you’ll be able to guard against nil keys. Pull requests are always welcome.

Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.

exists

describe azurerm_ad_user(user_id: 'someUserId') do
  it { should exist }
end

Azure Permissions

The Client/Active Directory Application you have configured Inspec Azure to use (AZURE_CLIENT_ID) must have permissions to read User data from the Azure Graph RBAC API.

Please refer to the Microsoft Documentation for information on how to grant these permissions to your application.


Note: An Azure Admin must grant your application these permissions.