Merge branch 'hashicorp:main' into insider-risk-levels

.github/workflows/depscheck.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: .go-version
       - run: bash scripts/gogetcookie.sh

.github/workflows/docs-lint.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: .go-version
       - run: bash scripts/gogetcookie.sh

.github/workflows/gencheck.yaml

@@ -20,7 +20,7 @@ jobs:
     runs-on: custom-linux-large
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

.github/workflows/golint.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: .go-version
       - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0

.github/workflows/link-milestone.yaml

@@ -15,7 +15,7 @@ jobs:
       pull-requests: write
       issues: write
     steps:
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
 

.github/workflows/provider-test.yaml

@@ -39,7 +39,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
 

.github/workflows/pull-request-reviewed.yaml

@@ -32,7 +32,7 @@ jobs:
           echo ${{ github.event.pull_request.number }} > wr_actions/prnumber.txt
           echo "remove-waiting-response" > wr_actions/action.txt                
 
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: artifact
           path: wr_actions

.github/workflows/release.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Generate Release Notes
         run: sed -n -e "1{/# /d;}" -e "2{/^$/d;}" -e "/# $(git describe --abbrev=0 --exclude="$(git describe --abbrev=0 --match='v*.*.*' --tags)" --match='v*.*.*' --tags | tr -d v)/q;p" CHANGELOG.md > release-notes.txt
 
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: release-notes
           path: release-notes.txt

.github/workflows/save-artifacts.yaml

@@ -14,7 +14,7 @@ jobs:
           echo ${{ github.repository_owner }} > wr_actions/ghowner.txt
           echo ${{ github.event.repository.name }} > wr_actions/ghrepo.txt
           echo ${{ github.event.pull_request.number }} > wr_actions/prnumber.txt
-      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: artifact
           path: wr_actions

.github/workflows/teamcity-test.yaml

@@ -22,12 +22,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
+      - uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0
         with:
           distribution: zulu
           java-version: 17
           java-package: jdk
-      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/tflint.yaml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

.github/workflows/thirty-two-bit.yaml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

.github/workflows/unit-test.yaml

@@ -22,7 +22,7 @@ jobs:
     runs-on: custom-linux-large
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

.github/workflows/validate-examples.yaml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version-file: ./.go-version
       - run: bash scripts/gogetcookie.sh

docs/data-sources/user.md

@@ -50,6 +50,7 @@ The following attributes are exported:
 * `department` - The name for the department in which the user works.
 * `display_name` - The display name of the user.
 * `division` - The name of the division in which the user works.
+* `employee_hire_date` - The hire date of the user, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`).
 * `employee_id` - The employee identifier assigned to the user by the organisation.
 * `employee_type` - Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor.
 * `external_user_state` - For an external user invited to the tenant, this property represents the invited user's invitation status. Possible values are `PendingAcceptance` or `Accepted`.

docs/resources/administrative_unit.md

@@ -58,5 +58,5 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 Administrative units can be imported using their object ID, e.g.
 
 ```shell
-terraform import azuread_administrative_unit.example 00000000-0000-0000-0000-000000000000
+terraform import azuread_administrative_unit.example /directory/administrativeUnits/00000000-0000-0000-0000-000000000000
 ```

docs/resources/administrative_unit_member.md

@@ -62,7 +62,5 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 Administrative unit members can be imported using the object ID of the administrative unit and the object ID of the member, e.g.
 
 ```shell
-terraform import azuread_administrative_unit_member.example 00000000-0000-0000-0000-000000000000/member/11111111-1111-1111-1111-111111111111
-```
-
--> This ID format is unique to Terraform and is composed of the Administrative Unit Object ID and the target Member Object ID in the format `{AdministrativeUnitObjectID}/member/{MemberObjectID}`.
+terraform import azuread_administrative_unit_member.example /directory/administrativeUnits/00000000-0000-0000-0000-000000000000/members/11111111-1111-1111-1111-111111111111
+```

docs/resources/administrative_unit_role_member.md

@@ -64,7 +64,6 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 Administrative unit role members can be imported using the object ID of the administrative unit and the unique ID of the role assignment, e.g.
 
 ```shell
-terraform import azuread_administrative_unit_role_member.example 00000000-0000-0000-0000-000000000000/roleMember/zX37MRLyF0uvE-xf2WH4B7x-6CPLfudNnxFGj800htpBXqkxW7bITqGb6Rj4kuTuS
-```
-
--> This ID format is unique to Terraform and is composed of the Administrative Unit Object ID and the role assignment ID in the format `{AdministrativeUnitObjectID}/roleMember/{RoleAssignmentID}`.
+terraform import azuread_administrative_unit_role_member.example 
+/directory/administrativeUnits/00000000-0000-0000-0000-000000000000/scopedRoleMembers/zX37MRLyF0uvE-xf2WH4B7x-6CPLfudNnxFGj800htpBXqkxW7bITqGb6Rj4kuTuS
+```

docs/resources/app_role_assignment.md

@@ -199,7 +199,7 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 App role assignments can be imported using the object ID of the service principal representing the resource and the ID of the app role assignment (note: _not_ the ID of the app role), e.g.
 
 ```shell
-terraform import azuread_app_role_assignment.example 00000000-0000-0000-0000-000000000000/appRoleAssignment/aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
+terraform import azuread_app_role_assignment.example /servicePrincipals/00000000-0000-0000-0000-000000000000/appRoleAssignedTo/aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
 ```
 
--> This ID format is unique to Terraform and is composed of the Resource Service Principal Object ID and the ID of the App Role Assignment in the format `{ResourcePrincipalID}/appRoleAssignment/{AppRoleAssignmentID}`.
+-> This ID format is unique to Terraform and is composed of the Resource Service Principal Object ID and the ID of the App Role Assignment in the format `/servicePrincipals/{ResourcePrincipalID}/appRoleAssignedTo/{AppRoleAssignmentID}`.

docs/resources/application.md

@@ -380,7 +380,6 @@ In addition to all arguments above, the following attributes are exported:
 * `object_id` - The application's object ID.
 * `password` - A `password` block as documented below. Note that this block is a set rather than a list, and you will need to convert or iterate it to address its attributes (see the usage example above).
 * `publisher_domain` - The verified publisher domain for the application.
-* `publisher_domain` - The verified publisher domain for the application.
 
 ---
 

docs/resources/authentication_strength_policy.md

@@ -83,5 +83,5 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 Authentication Strength Policies can be imported using the `id`, e.g.
 
 ```shell
-terraform import azuread_authentication_strength_policy.my_policy 00000000-0000-0000-0000-000000000000
+terraform import azuread_authentication_strength_policy.my_policy /policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000000
 ```

docs/resources/conditional_access_policy.md

@@ -246,7 +246,7 @@ The following arguments are supported:
 
 `grant_controls` block supports the following:
 
-* `authentication_strength_policy_id` - (Optional) ID of an Authentication Strength Policy to use in this policy.
+* `authentication_strength_policy_id` - (Optional) ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
 * `built_in_controls` - (Optional) List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
 * `custom_authentication_factors` - (Optional) List of custom controls IDs required by the policy.
 * `operator` - (Required) Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
@@ -292,5 +292,5 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 Conditional Access Policies can be imported using the `id`, e.g.
 
 ```shell
-terraform import azuread_conditional_access_policy.my_location 00000000-0000-0000-0000-000000000000
+terraform import azuread_conditional_access_policy.my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000
 ```

docs/resources/group.md

@@ -20,7 +20,7 @@ If specifying owners for a group, which are user principals, this resource addit
 
 When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`
 
-When creating this resource in administrative units exclusively, the role `Groups Administrator` is required to be scoped on any administrative unit used.
+When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles.
 
 The `external_senders_allowed`, `auto_subscribe_new_members`, `hide_from_address_lists` and `hide_from_outlook_clients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
 

docs/resources/group_member.md

@@ -32,8 +32,8 @@ resource "azuread_group" "example" {
 }
 
 resource "azuread_group_member" "example" {
-  group_object_id  = azuread_group.example.id
-  member_object_id = data.azuread_user.example.id
+  group_object_id  = azuread_group.example.object_id
+  member_object_id = data.azuread_user.example.object_id
 }
 ```
 

docs/resources/named_location.md

@@ -58,6 +58,7 @@ The following arguments are supported:
 
 * `countries_and_regions` - (Required) List of countries and/or regions in two-letter format specified by ISO 3166-2. 
 * `include_unknown_countries_and_regions` - (Optional) Whether IP addresses that don't map to a country or region should be included in the named location. Defaults to `false`.
+* `country_lookup_method` - (Optional) Method of detecting country the user is located in. Possible values are `clientIpAddress` for IP-based location and `authenticatorAppGps` for Authenticator app GPS-based location.  Defaults to `clientIpAddress`.
 
 ---
 
@@ -89,5 +90,5 @@ The `timeouts` block allows you to specify [timeouts](https://www.terraform.io/l
 Named Locations can be imported using the `id`, e.g.
 
 ```shell
-terraform import azuread_named_location.my_location 00000000-0000-0000-0000-000000000000
+terraform import azuread_named_location.my_location /identity/conditionalAccess/namedLocations/00000000-0000-0000-0000-000000000000
 ```

docs/resources/user.md

@@ -42,6 +42,7 @@ The following arguments are supported:
 * `disable_strong_password` - (Optional) Whether the user is allowed weaker passwords than the default policy to be specified. Defaults to `false`.
 * `display_name` - (Required) The name to display in the address book for the user.
 * `division` - (Optional) The name of the division in which the user works.
+* `employee_hire_date` - (Optional) The hire date of the user, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`).
 * `employee_id` - (Optional) The employee identifier assigned to the user by the organisation.
 * `employee_type` - (Optional) Captures enterprise worker type. For example, Employee, Contractor, Consultant, or Vendor.
 * `fax_number` - (Optional) The fax number of the user.

internal/services/conditionalaccess/conditional_access_policy_resource_test.go

@@ -297,6 +297,24 @@ func TestAccConditionalAccessPolicy_authenticationStrength(t *testing.T) {
 	})
 }
 
+func TestAccConditionalAccessPolicy_authenticationStrengthHardcoded(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
+	r := ConditionalAccessPolicyResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.authenticationStrengthPolicyHardcoded(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+				check.That(data.ResourceName).Key("id").Exists(),
+				check.That(data.ResourceName).Key("display_name").HasValue(fmt.Sprintf("acctest-CONPOLICY-%d", data.RandomInteger)),
+				check.That(data.ResourceName).Key("grant_controls.0.authentication_strength_policy_id").HasValue("/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"),
+			),
+		},
+		data.ImportStep(),
+	})
+}
+
 func TestAccConditionalAccessPolicy_guestsOrExternalUsers(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azuread_conditional_access_policy", "test")
 	r := ConditionalAccessPolicyResource{}
@@ -809,6 +827,36 @@ resource "azuread_conditional_access_policy" "test" {
 `, data.RandomInteger)
 }
 
+func (ConditionalAccessPolicyResource) authenticationStrengthPolicyHardcoded(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azuread" {}
+
+resource "azuread_conditional_access_policy" "test" {
+  display_name = "acctest-CONPOLICY-%[1]d"
+  state        = "disabled"
+
+  conditions {
+    client_app_types = ["browser"]
+
+    applications {
+      included_applications = ["None"]
+    }
+
+    users {
+      included_users = ["All"]
+      excluded_users = ["GuestsOrExternalUsers"]
+    }
+  }
+
+  # Hard-code the Phishing resistant MFA policy
+  grant_controls {
+    operator                          = "OR"
+    authentication_strength_policy_id = "/policies/authenticationStrengthPolicies/00000000-0000-0000-0000-000000000004"
+  }
+}
+`, data.RandomInteger)
+}
+
 func (ConditionalAccessPolicyResource) guestsOrExternalUsersAllServiceProvidersIncluded(data acceptance.TestData) string {
 	return fmt.Sprintf(`
 resource "azuread_conditional_access_policy" "test" {

internal/services/conditionalaccess/conditionalaccess.go

@@ -284,10 +284,16 @@ func flattenCountryNamedLocation(in *stable.CountryNamedLocation) []interface{}
 		includeUnknown = *in.IncludeUnknownCountriesAndRegions
 	}
 
+	countryLookupMethod := stable.CountryLookupMethodType_ClientIPAddress
+	if in.CountryLookupMethod != nil {
+		countryLookupMethod = *in.CountryLookupMethod
+	}
+
 	return []interface{}{
 		map[string]interface{}{
 			"countries_and_regions":                 tf.FlattenStringSlice(in.CountriesAndRegions),
 			"include_unknown_countries_and_regions": includeUnknown,
+			"country_lookup_method":                 countryLookupMethod,
 		},
 	}
 }
@@ -404,6 +410,10 @@ func expandConditionalAccessClientApplications(in []interface{}) *stable.Conditi
 
 func expandConditionalAccessApplications(in []interface{}) stable.ConditionalAccessApplications {
 	result := stable.ConditionalAccessApplications{}
+	if len(in) == 0 || in[0] == nil {
+		return result
+	}
+
 	config := in[0].(map[string]interface{})
 
 	includeApplications := config["included_applications"].([]interface{})
@@ -669,6 +679,10 @@ func expandCountryNamedLocation(in []interface{}) *stable.CountryNamedLocation {
 	result.CountriesAndRegions = tf.ExpandStringSlice(countriesAndRegions)
 	result.IncludeUnknownCountriesAndRegions = pointer.To(includeUnknown.(bool))
 
+	if countryLookupMethodType, ok := config["country_lookup_method"]; ok && countryLookupMethodType.(string) != "" {
+		result.CountryLookupMethod = pointer.To(stable.CountryLookupMethodType(countryLookupMethodType.(string)))
+	}
+
 	return &result
 }
 

internal/services/conditionalaccess/named_location_data_source.go

@@ -73,6 +73,11 @@ func namedLocationDataSource() *pluginsdk.Resource {
 							Type:     pluginsdk.TypeBool,
 							Computed: true,
 						},
+
+						"country_lookup_method": {
+							Type:     pluginsdk.TypeString,
+							Computed: true,
+						},
 					},
 				},
 			},