AD to Azure Migration Using PowerShell and Terraform

🔎 Overview

Migrating from traditional on-prem Active Directory (AD) to Azure is a strategic step toward a modern, cloud-native identity architecture. Manual migration methods are time-consuming and error-prone, especially at scale. By combining PowerShell, JSON, and Terraform, you can create a repeatable and version-controlled process to export AD users and recreate them in Azure AD using infrastructure as code (IaC).

In this blog, you'll learn how to:

  • Export AD users using PowerShell
  • Automatically structure the export using a dynamic Terraform variable key
  • Feed the JSON data into Terraform using the Azure provider to create users in Azure AD

This approach is clean, auditable, and scalable.

βš™οΈ Step 1: Export Active Directory Users with PowerShell

PowerShell provides native access to AD through the ActiveDirectory module. The following script:

  • Accepts a command-line parameter for the Terraform variable name (e.g., ad_users)
  • Gathers all user accounts and selected attributes
  • Structures the output as a nested object with the Terraform-compatible key
  • Writes the result to terraform_users.json

▶️ Export-AdUsers.ps1

param (
    [Parameter(Mandatory = $true)]
    [string]$TerraformVar
)

# Ensure Active Directory module is loaded
Import-Module ActiveDirectory

# Query AD users and build a dictionary of user data
$users = Get-ADUser -Filter * -Properties DisplayName, EmailAddress, Department | ForEach-Object {
    $key = $_.SamAccountName.ToLower()

    [PSCustomObject]@{
        Key = $key
        Value = @{
            display_name = $_.DisplayName
            email        = $_.EmailAddress
            department   = $_.Department
        }
    }
}

# Build top-level JSON structure
$exportData = @{}
$exportData[$TerraformVar] = @{}

foreach ($user in $users) {
    $exportData[$TerraformVar][$user.Key] = $user.Value
}

# Output to JSON file
$exportData | ConvertTo-Json -Depth 5 | Out-File -Encoding UTF8 "terraform_users.json"

Write-Host "Export complete. JSON written with top-level key '$TerraformVar'"


▶️ Usage

.\Export-AdUsers.ps1 -TerraformVar "ad_users"
Output: terraform_users.json
{
  "ad_users": {
    "jdoe": {
      "display_name": "John Doe",
      "email": "jdoe@example.com",
      "department": "Engineering"
    },
    "asmith": {
      "display_name": "Alice Smith",
      "email": "asmith@example.com",
      "department": "Finance"
    }
  }
}


βš™οΈ Step 2: Use Terraform to Provision Azure AD Users

▶️ main.tf

# Configure Terraform
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
  }
}

# Configure the Azure Active Directory Provider
provider "azuread" {
  tenant_id     = "00000000-0000-0000-0000-000000000000"
  client_id     = "foo"  # For demo purposes only; secure with real logic
  client_secret = "bar"  # For demo purposes only; secure with real logic
}

# Define ad_users as a map of objects
variable "ad_users" {
  description = "Map of AD users to create in Azure AD"
  type = map(object({
    display_name = string
    email        = string
    department   = string
  }))
}

# Create Azure AD users from the JSON data
resource "azuread_user" "from_ad" {
  for_each = var.ad_users

  user_principal_name   = "${each.key}@yourdomain.com"
  display_name          = each.value.display_name
  mail_nickname         = each.key
  mail                  = each.value.email   # carry the exported email across; otherwise it is silently dropped
  department            = each.value.department
  account_enabled       = true
  password              = "ChangeM3Now!" # For demo purposes only; secure with real logic
  force_password_change = true
}

📌 Summary: What This Terraform Module Does

  • πŸ“ Accepts a JSON map of AD users (ad_users) as input.
  • πŸ” Loops over users using for_each to dynamically create each user
  • πŸ‘€ Creates Azure AD users with properties like name, email, department, and login configuration.
  • πŸ”’ Enables password rotation via force_password_change = true.
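A hardened variant of the same module, added here as an example and not the post's own main.tf: the provider block is left empty so credentials come from the ARM_TENANT_ID / ARM_CLIENT_ID / ARM_CLIENT_SECRET environment variables or an Azure CLI / OIDC login, each user gets a distinct random initial password from the hashicorp/random provider instead of a shared literal, and the passwords are exposed only through a sensitive output. The domain yourdomain.com is a placeholder as in the original.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.47"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}

# No credentials in code: the provider reads ARM_TENANT_ID, ARM_CLIENT_ID and
# ARM_CLIENT_SECRET from the environment, or uses an Azure CLI / OIDC login.
provider "azuread" {}

variable "ad_users" {
  description = "Map of AD users to create in Azure AD"
  type = map(object({
    display_name = string
    email        = string
    department   = string
  }))
}

# One random initial password per user instead of a shared literal
resource "random_password" "initial" {
  for_each = var.ad_users
  length   = 24
  special  = true
}

resource "azuread_user" "from_ad" {
  for_each              = var.ad_users
  user_principal_name   = "${each.key}@yourdomain.com"   # placeholder domain
  display_name          = each.value.display_name
  mail_nickname         = each.key
  mail                  = each.value.email
  department            = each.value.department
  account_enabled       = true
  password              = random_password.initial[each.key].result
  force_password_change = true
}

# Sensitive output keeps passwords out of plan/apply logs; read via `terraform output -json`
output "initial_passwords" {
  value     = { for k, p in random_password.initial : k => p.result }
  sensitive = true
}
```

The client secret and passwords no longer sit in the repository, but random_password results are still recorded in Terraform state, so the state backend needs encryption and tight access control.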


🧪 Deployment Commands

$ terraform init
$ terraform apply -var-file="terraform_users.json"

🧠 Benefits of This Approach

✅ Cloud-Ready – Migrates AD users directly into Azure
✅ Repeatable – Export once, reuse and track changes
✅ Terraform-Compatible – Works with native Azure provider
✅ Secure & Auditable – Store in version control, review diffs
✅ Parameter-Driven – Works with any Terraform variable name


📦 What’s Next?

This export method can be extended to:

  • Include group memberships
  • Enforce tagging or RBAC based on departments
  • Integrate with CI/CD pipelines to control identity provisioning

For larger environments, this process scales cleanly and avoids error-prone manual entry.

Need Help Migrating AD to Azure?

Hypercumulus specializes in infrastructure automation, Azure migrations, and cost-effective identity modernization. Reach out if you need a tailored solution.
