On this page
azurerm_ad_users resource
Use the azurerm_ad_users InSpec audit resource to test properties of some or all Azure Active Directory users within a Tenant.
Azure REST API version
This resource interacts with version 1.6 of the Azure Graph API. For more information see the official Azure documentation.
I don’t see a way to select the version of the API in the Azure documents. If you notice a newer version being referenced in the official documentation please open an issue or submit a pull request using the updated version.
Availability
Installation
This resource is available in the inspec-azure resource pack. To use it, add the following to your inspec.yml in your top-level profile:
depends:
  - name: inspec-azure
    git: https://github.com/inspec/inspec-azure.git
You’ll also need to setup your Azure credentials; see the resource pack README.
Version
This resource first became available in 1.1.0 of the inspec-azure resource pack.
Syntax
An azurerm_ad_users resource block returns all Azure Active Directory user accounts for the contained within the configured Tenant and then tests that group group of users.
describe azurerm_ad_users do
  ...
end
Examples
The following examples show how to use this InSpec audit resource.
Check Users are present
describe azurerm_ad_users do
  it { should exist }
end
Ensure there are no Guest accounts active
describe azurerm_ad_users.guest_accounts
  it { should_not exist }
end
Filter Criteria
- names
names
Filters the results to include only those Users that match the given name. This is a string value.
describe azurerm_ad_users.where{ displayName.eql?('Joe Bloggs') } do
  it { should exist }
end
Properties
- object_ids
- display_names
- mails
- user_types
object_ids
The azureIds property provides a list of all User’s Azure IDs.
its('azure_ids') { should include '44211066-f292-4546-8ced-2ab0e0911f44' }
display_names
The displayNames property provides a list of all the User display names.
its('display_names') { should include 'Azure Admin Account' }
mails
The mails property provides a list of all the User email addresses, where present.
its('mails') { should include 'admin@example.com' }
user_types
The userTypes property provides a list of all User Types for all users.
its('user_types') { should include 'Member' }
Matchers
This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our Universal Matchers page.
exists
The control will pass if the filter returns at least one result. Use should_not if you expect zero matches.
describe azurerm_ad_users do
  it { should exist }
end
Azure Permissions
The Client/Active Directory Application you have configured Inspec Azure to use (AZURE_CLIENT_ID) must have permissions to read User data from the Azure Graph RBAC API.
Please refer to the Microsoft Documentation for information on how to grant these permissions to your application.
Note: An Azure Admin must grant your application these permissions.
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
 https://docs.chef.io/inspec/resources/azurerm_ad_users/