SUMMARY

Currently, the modules for AD group manipulation only return membership using the transitive_members property, which collapses nested groups. Additionally, due to a known issue in the graph API, service principals are not returned in queries for any kind of group member. The only way to view service principals is by querying the group object and expanding the members property explicitly.

We should add a flag that forces group_membership return properties to be sourced from the expanded members property, which will properly expose nested groups and service principals. This flag will default to false to preserve compatibility with the existing roles.

ISSUE TYPE

• Feature Idea

COMPONENT NAME

azure_rm_adgroup_info
azure_rm_adgroup

ADDITIONAL INFORMATION

See example invocation below

  azure.azcollection.azure_rm_adgroup_info:
    object_id: "xx-yy-zz"
   return_group_members: true
   raw_membership: true # <-- new flag that specifies the returned members should include service principals and not be transitive