Microsoft 365 Terraform Provider

Manage your Microsoft 365, Intune, Teams, and Defender environments using Infrastructure as Code. Version control your configurations, enable GitOps workflows, and detect drift across your entire tenant.

Get Started in Minutes

Configure your first Microsoft 365 resource with Terraform in just a few steps

1. Install the Provider

Add the Microsoft 365 provider to your Terraform configuration. The provider is published to the Terraform Registry.
```terraform
terraform {
  required_providers {
    microsoft365 = {
      source  = "deploymenttheory/microsoft365"
      version = "~> 0.40.0"
    }
  }
}
```

2. Configure Authentication

Set up authentication using one of 11 supported methods. For local development, we recommend using Azure CLI authentication:
```bash
az login
export M365_TENANT_ID="your-tenant-id"
export M365_AUTH_METHOD="azure_cli"
```
The provider supports multiple authentication methods for different deployment scenarios:
  • Client Secret - Service principal with secret
  • Client Certificate - Service principal with certificate
  • Managed Identity - Azure-hosted workloads
  • Workload Identity - Kubernetes pods
  • OIDC (GitHub Actions) - GitHub workflows
  • OIDC (Azure DevOps) - Azure Pipelines
  • Azure CLI - Local development
  • Azure Developer CLI - Local development
  • Device Code - Interactive CLI flows
  • Interactive Browser - Local development
  • Username/Password - Legacy scenarios
See the Authentication Guide for detailed configuration.

3. Create Your First Resource

Define a conditional access policy to require MFA for administrators:
```terraform
# Declared so that var.tenant_id below resolves.
variable "tenant_id" {
  type        = string
  description = "Microsoft Entra tenant ID"
}

provider "microsoft365" {
  tenant_id   = var.tenant_id
  auth_method = "azure_cli"
}

resource "microsoft365_graph_beta_identity_and_access_conditional_access_policy" "require_mfa" {
  display_name = "Require MFA for Administrators"
  state        = "enabled"

  conditions {
    users {
      include_roles = ["62e90394-69f5-4237-9190-012177145e10"] # Global Administrator
    }
    applications {
      include_applications = ["All"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}
```

4. Apply Your Configuration

Run Terraform to create the resource in your Microsoft 365 tenant:
```bash
terraform init
terraform plan
terraform apply
```
The provider will authenticate using your configured method and create the conditional access policy in your tenant. You can view the policy in the Azure Portal under Microsoft Entra ID → Security → Conditional Access.
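
A pre-apply check that fits this workflow, as an added example that is not part of the provider's own code or documentation: it reads a plan exported with `terraform plan -out=tfplan` and `terraform show -json tfplan`, and reports any change that would delete, disable, or strip `mfa` from a conditional access policy that is enforced today. The function names and the sample plan are constructed for illustration; the attribute names come from the resource above, and `"disabled"` is used as a sample non-enforced state.

```python
import json
import sys

# Resource type taken from the page's example.
CA_TYPE = "microsoft365_graph_beta_identity_and_access_conditional_access_policy"

def _obj(value):
    """Plan JSON renders a nested block as a list of objects, a nested attribute as one object."""
    if isinstance(value, list):
        return value[0] if value else {}
    return value or {}

def _requires_mfa(policy):
    return "mfa" in (_obj(policy.get("grant_controls")).get("built_in_controls") or [])

def weakening_changes(plan):
    """List planned changes that delete or relax a currently enforced MFA policy."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        before, after = change.get("before") or {}, change.get("after") or {}
        if rc.get("type") != CA_TYPE or before.get("state") != "enabled" or not _requires_mfa(before):
            continue  # not a CA policy, or nothing enforced today that could be weakened
        if change.get("actions") == ["delete"]:
            findings.append(f"{rc['address']}: enforced MFA policy would be deleted")
        elif after.get("state") != "enabled":
            findings.append(f"{rc['address']}: state would change to {after.get('state')!r}")
        elif not _requires_mfa(after):
            findings.append(f"{rc['address']}: 'mfa' would be dropped from built_in_controls")
    return findings

def _policy(state, controls):  # helper for the constructed sample below
    return {"state": state, "grant_controls": [{"operator": "OR", "built_in_controls": controls}]}

def _rc(name, actions, before, after):
    return {"address": f"{CA_TYPE}.{name}", "type": CA_TYPE,
            "change": {"actions": actions, "before": before, "after": after}}

# Constructed sample in the shape of `terraform show -json <planfile>` output (not real tenant data).
SAMPLE_PLAN = {"resource_changes": [
    _rc("require_mfa", ["update"], _policy("enabled", ["mfa"]), _policy("disabled", ["mfa"])),
    _rc("unchanged", ["no-op"], _policy("enabled", ["mfa"]), _policy("enabled", ["mfa"])),
    _rc("retired", ["delete"], _policy("enabled", ["mfa"]), None),
    _rc("new_policy", ["create"], None, _policy("enabled", ["mfa"])),
]}

if __name__ == "__main__":
    # With a file argument, read a real plan; otherwise use the constructed sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = weakening_changes(plan)
    print("\n".join(problems) or "no weakening changes")
    sys.exit(1 if problems else 0)
```

Run between `terraform plan` and `terraform apply` in a pipeline, the non-zero exit code stops the apply until someone has reviewed the change.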

Why Microsoft 365 Terraform Provider?

Built for enterprises managing complex Microsoft 365 environments at scale

135+ Resources

Comprehensive coverage across Intune, Microsoft 365, Teams, and Defender services.

Multi-Cloud Support

Works with public, GCC, GCC High, DoD, China, and sovereign cloud environments.

Flexible Authentication

11 authentication methods including managed identity, OIDC, and certificate-based auth.

Dual API Support

Access both Microsoft Graph v1.0 and beta endpoints for stable and preview features.

Enterprise Security

Proxy support, workload identity, and secure credential management for production deployments.

GitOps Ready

Version control, drift detection, and automated deployments through CI/CD pipelines.

Ready to Get Started?

Join the community and start managing your Microsoft 365 environment as code. Get support from contributors and other users on our Discord server.