Azure Active Directory (Azure AD) v6.7.0 published on Wednesday, Nov 5, 2025 by Pulumi
Azure Active Directory (Azure AD) v6.7.0 published on Wednesday, Nov 5, 2025 by Pulumi
Gets Object IDs or Display Names for multiple Azure Active Directory groups.
API Permissions
The following API permissions are required in order to use this data source.
When authenticated with a service principal, this data source requires one of the following application roles: Group.Read.All or Directory.Read.All
When authenticated with a user principal, this data source does not require any additional roles.
Example Usage
Look up by group name
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const example = azuread.getGroups({
displayNames: [
"group-a",
"group-b",
],
});
import pulumi
import pulumi_azuread as azuread
example = azuread.get_groups(display_names=[
"group-a",
"group-b",
])
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.GetGroups(ctx, &azuread.GetGroupsArgs{
DisplayNames: []string{
"group-a",
"group-b",
},
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = AzureAD.GetGroups.Invoke(new()
{
DisplayNames = new[]
{
"group-a",
"group-b",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var example = AzureadFunctions.getGroups(GetGroupsArgs.builder()
.displayNames(
"group-a",
"group-b")
.build());
}
}
variables:
example:
fn::invoke:
function: azuread:getGroups
arguments:
displayNames:
- group-a
- group-b
Look up by display name prefix
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const sales = azuread.getGroups({
displayNamePrefix: "sales-",
});
import pulumi
import pulumi_azuread as azuread
sales = azuread.get_groups(display_name_prefix="sales-")
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.GetGroups(ctx, &azuread.GetGroupsArgs{
DisplayNamePrefix: pulumi.StringRef("sales-"),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var sales = AzureAD.GetGroups.Invoke(new()
{
DisplayNamePrefix = "sales-",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var sales = AzureadFunctions.getGroups(GetGroupsArgs.builder()
.displayNamePrefix("sales-")
.build());
}
}
variables:
sales:
fn::invoke:
function: azuread:getGroups
arguments:
displayNamePrefix: sales-
Look up all groups
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const all = azuread.getGroups({
returnAll: true,
});
import pulumi
import pulumi_azuread as azuread
all = azuread.get_groups(return_all=True)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.GetGroups(ctx, &azuread.GetGroupsArgs{
ReturnAll: pulumi.BoolRef(true),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var all = AzureAD.GetGroups.Invoke(new()
{
ReturnAll = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var all = AzureadFunctions.getGroups(GetGroupsArgs.builder()
.returnAll(true)
.build());
}
}
variables:
all:
fn::invoke:
function: azuread:getGroups
arguments:
returnAll: true
Look up all mail-enabled groups
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const mailEnabled = azuread.getGroups({
mailEnabled: true,
returnAll: true,
});
import pulumi
import pulumi_azuread as azuread
mail_enabled = azuread.get_groups(mail_enabled=True,
return_all=True)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.GetGroups(ctx, &azuread.GetGroupsArgs{
MailEnabled: pulumi.BoolRef(true),
ReturnAll: pulumi.BoolRef(true),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var mailEnabled = AzureAD.GetGroups.Invoke(new()
{
MailEnabled = true,
ReturnAll = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var mailEnabled = AzureadFunctions.getGroups(GetGroupsArgs.builder()
.mailEnabled(true)
.returnAll(true)
.build());
}
}
variables:
mailEnabled:
fn::invoke:
function: azuread:getGroups
arguments:
mailEnabled: true
returnAll: true
Look up all security-enabled groups that are not mail-enabled
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const securityOnly = azuread.getGroups({
mailEnabled: false,
returnAll: true,
securityEnabled: true,
});
import pulumi
import pulumi_azuread as azuread
security_only = azuread.get_groups(mail_enabled=False,
return_all=True,
security_enabled=True)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.GetGroups(ctx, &azuread.GetGroupsArgs{
MailEnabled: pulumi.BoolRef(false),
ReturnAll: pulumi.BoolRef(true),
SecurityEnabled: pulumi.BoolRef(true),
}, nil)
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var securityOnly = AzureAD.GetGroups.Invoke(new()
{
MailEnabled = false,
ReturnAll = true,
SecurityEnabled = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetGroupsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var securityOnly = AzureadFunctions.getGroups(GetGroupsArgs.builder()
.mailEnabled(false)
.returnAll(true)
.securityEnabled(true)
.build());
}
}
variables:
securityOnly:
fn::invoke:
function: azuread:getGroups
arguments:
mailEnabled: false
returnAll: true
securityEnabled: true
Using getGroups
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getGroups(args: GetGroupsArgs, opts?: InvokeOptions): Promise<GetGroupsResult>
function getGroupsOutput(args: GetGroupsOutputArgs, opts?: InvokeOptions): Output<GetGroupsResult>def get_groups(display_name_prefix: Optional[str] = None,
display_names: Optional[Sequence[str]] = None,
ignore_missing: Optional[bool] = None,
mail_enabled: Optional[bool] = None,
object_ids: Optional[Sequence[str]] = None,
return_all: Optional[bool] = None,
security_enabled: Optional[bool] = None,
opts: Optional[InvokeOptions] = None) -> GetGroupsResult
def get_groups_output(display_name_prefix: Optional[pulumi.Input[str]] = None,
display_names: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
ignore_missing: Optional[pulumi.Input[bool]] = None,
mail_enabled: Optional[pulumi.Input[bool]] = None,
object_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
return_all: Optional[pulumi.Input[bool]] = None,
security_enabled: Optional[pulumi.Input[bool]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetGroupsResult]func GetGroups(ctx *Context, args *GetGroupsArgs, opts ...InvokeOption) (*GetGroupsResult, error)
func GetGroupsOutput(ctx *Context, args *GetGroupsOutputArgs, opts ...InvokeOption) GetGroupsResultOutput> Note: This function is named GetGroups in the Go SDK.
public static class GetGroups
{
public static Task<GetGroupsResult> InvokeAsync(GetGroupsArgs args, InvokeOptions? opts = null)
public static Output<GetGroupsResult> Invoke(GetGroupsInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetGroupsResult> getGroups(GetGroupsArgs args, InvokeOptions options)
public static Output<GetGroupsResult> getGroups(GetGroupsArgs args, InvokeOptions options)
fn::invoke:
function: azuread:index/getGroups:getGroups
arguments:
# arguments dictionaryThe following arguments are supported:
- Display
Name stringPrefix - A common display name prefix to match when returning groups.
- Display
Names List<string> - The display names of the groups.
- Ignore
Missing bool - Ignore missing groups and return groups that were found. The data source will still fail if no groups are found. Cannot be specified with
return_all. Defaults tofalse. - Mail
Enabled bool - Whether the returned groups should be mail-enabled. By itself this does not exclude security-enabled groups. Setting this to
trueensures all groups are mail-enabled, and setting tofalseensures that all groups are not mail-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids. - Object
Ids List<string> - The object IDs of the groups.
- Return
All bool - A flag to denote if all groups should be fetched and returned. Cannot be specified wth
ignore_missing. Defaults tofalse. - Security
Enabled bool Whether the returned groups should be security-enabled. By itself this does not exclude mail-enabled groups. Setting this to
trueensures all groups are security-enabled, and setting tofalseensures that all groups are not security-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids.One of
display_names,display_name_prefix,object_idsorreturn_allshould be specified. Eitherdisplay_nameorobject_idsmay be specified as an empty list, in which case no results will be returned.
- Display
Name stringPrefix - A common display name prefix to match when returning groups.
- Display
Names []string - The display names of the groups.
- Ignore
Missing bool - Ignore missing groups and return groups that were found. The data source will still fail if no groups are found. Cannot be specified with
return_all. Defaults tofalse. - Mail
Enabled bool - Whether the returned groups should be mail-enabled. By itself this does not exclude security-enabled groups. Setting this to
trueensures all groups are mail-enabled, and setting tofalseensures that all groups are not mail-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids. - Object
Ids []string - The object IDs of the groups.
- Return
All bool - A flag to denote if all groups should be fetched and returned. Cannot be specified wth
ignore_missing. Defaults tofalse. - Security
Enabled bool Whether the returned groups should be security-enabled. By itself this does not exclude mail-enabled groups. Setting this to
trueensures all groups are security-enabled, and setting tofalseensures that all groups are not security-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids.One of
display_names,display_name_prefix,object_idsorreturn_allshould be specified. Eitherdisplay_nameorobject_idsmay be specified as an empty list, in which case no results will be returned.
- display
Name StringPrefix - A common display name prefix to match when returning groups.
- display
Names List<String> - The display names of the groups.
- ignore
Missing Boolean - Ignore missing groups and return groups that were found. The data source will still fail if no groups are found. Cannot be specified with
return_all. Defaults tofalse. - mail
Enabled Boolean - Whether the returned groups should be mail-enabled. By itself this does not exclude security-enabled groups. Setting this to
trueensures all groups are mail-enabled, and setting tofalseensures that all groups are not mail-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids. - object
Ids List<String> - The object IDs of the groups.
- return
All Boolean - A flag to denote if all groups should be fetched and returned. Cannot be specified wth
ignore_missing. Defaults tofalse. - security
Enabled Boolean Whether the returned groups should be security-enabled. By itself this does not exclude mail-enabled groups. Setting this to
trueensures all groups are security-enabled, and setting tofalseensures that all groups are not security-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids.One of
display_names,display_name_prefix,object_idsorreturn_allshould be specified. Eitherdisplay_nameorobject_idsmay be specified as an empty list, in which case no results will be returned.
- display
Name stringPrefix - A common display name prefix to match when returning groups.
- display
Names string[] - The display names of the groups.
- ignore
Missing boolean - Ignore missing groups and return groups that were found. The data source will still fail if no groups are found. Cannot be specified with
return_all. Defaults tofalse. - mail
Enabled boolean - Whether the returned groups should be mail-enabled. By itself this does not exclude security-enabled groups. Setting this to
trueensures all groups are mail-enabled, and setting tofalseensures that all groups are not mail-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids. - object
Ids string[] - The object IDs of the groups.
- return
All boolean - A flag to denote if all groups should be fetched and returned. Cannot be specified wth
ignore_missing. Defaults tofalse. - security
Enabled boolean Whether the returned groups should be security-enabled. By itself this does not exclude mail-enabled groups. Setting this to
trueensures all groups are security-enabled, and setting tofalseensures that all groups are not security-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids.One of
display_names,display_name_prefix,object_idsorreturn_allshould be specified. Eitherdisplay_nameorobject_idsmay be specified as an empty list, in which case no results will be returned.
- display_
name_ strprefix - A common display name prefix to match when returning groups.
- display_
names Sequence[str] - The display names of the groups.
- ignore_
missing bool - Ignore missing groups and return groups that were found. The data source will still fail if no groups are found. Cannot be specified with
return_all. Defaults tofalse. - mail_
enabled bool - Whether the returned groups should be mail-enabled. By itself this does not exclude security-enabled groups. Setting this to
trueensures all groups are mail-enabled, and setting tofalseensures that all groups are not mail-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids. - object_
ids Sequence[str] - The object IDs of the groups.
- return_
all bool - A flag to denote if all groups should be fetched and returned. Cannot be specified wth
ignore_missing. Defaults tofalse. - security_
enabled bool Whether the returned groups should be security-enabled. By itself this does not exclude mail-enabled groups. Setting this to
trueensures all groups are security-enabled, and setting tofalseensures that all groups are not security-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids.One of
display_names,display_name_prefix,object_idsorreturn_allshould be specified. Eitherdisplay_nameorobject_idsmay be specified as an empty list, in which case no results will be returned.
- display
Name StringPrefix - A common display name prefix to match when returning groups.
- display
Names List<String> - The display names of the groups.
- ignore
Missing Boolean - Ignore missing groups and return groups that were found. The data source will still fail if no groups are found. Cannot be specified with
return_all. Defaults tofalse. - mail
Enabled Boolean - Whether the returned groups should be mail-enabled. By itself this does not exclude security-enabled groups. Setting this to
trueensures all groups are mail-enabled, and setting tofalseensures that all groups are not mail-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids. - object
Ids List<String> - The object IDs of the groups.
- return
All Boolean - A flag to denote if all groups should be fetched and returned. Cannot be specified wth
ignore_missing. Defaults tofalse. - security
Enabled Boolean Whether the returned groups should be security-enabled. By itself this does not exclude mail-enabled groups. Setting this to
trueensures all groups are security-enabled, and setting tofalseensures that all groups are not security-enabled. To ignore this filter, omit the property or set it to null. Cannot be specified together withobject_ids.One of
display_names,display_name_prefix,object_idsorreturn_allshould be specified. Eitherdisplay_nameorobject_idsmay be specified as an empty list, in which case no results will be returned.
getGroups Result
The following output properties are available:
- Display
Name stringPrefix - Display
Names List<string> - The display names of the groups.
- Id string
- The provider-assigned unique ID for this managed resource.
- Mail
Enabled bool - Object
Ids List<string> - The object IDs of the groups.
- Security
Enabled bool - Ignore
Missing bool - Return
All bool
- Display
Name stringPrefix - Display
Names []string - The display names of the groups.
- Id string
- The provider-assigned unique ID for this managed resource.
- Mail
Enabled bool - Object
Ids []string - The object IDs of the groups.
- Security
Enabled bool - Ignore
Missing bool - Return
All bool
- display
Name StringPrefix - display
Names List<String> - The display names of the groups.
- id String
- The provider-assigned unique ID for this managed resource.
- mail
Enabled Boolean - object
Ids List<String> - The object IDs of the groups.
- security
Enabled Boolean - ignore
Missing Boolean - return
All Boolean
- display
Name stringPrefix - display
Names string[] - The display names of the groups.
- id string
- The provider-assigned unique ID for this managed resource.
- mail
Enabled boolean - object
Ids string[] - The object IDs of the groups.
- security
Enabled boolean - ignore
Missing boolean - return
All boolean
- display_
name_ strprefix - display_
names Sequence[str] - The display names of the groups.
- id str
- The provider-assigned unique ID for this managed resource.
- mail_
enabled bool - object_
ids Sequence[str] - The object IDs of the groups.
- security_
enabled bool - ignore_
missing bool - return_
all bool
- display
Name StringPrefix - display
Names List<String> - The display names of the groups.
- id String
- The provider-assigned unique ID for this managed resource.
- mail
Enabled Boolean - object
Ids List<String> - The object IDs of the groups.
- security
Enabled Boolean - ignore
Missing Boolean - return
All Boolean
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azureadTerraform Provider.
Azure Active Directory (Azure AD) v6.7.0 published on Wednesday, Nov 5, 2025 by Pulumi
