Feature: Add support for configuring external collaboration settings

[ashtmMSFT]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Add support for configuring [a subset of] external collaboration settings in Entra ID. Without a proper resource to support this, users must instead configure these settings manually or through REST calls to the appropriate Graph APIs.

For example, an organization could have requirements like these:

• Set “Guest invite settings” to “Only users assigned to specific admin roles can invite guest users”
• Set “Guest user access” to “Guest users have limited access to properties and memberships of directory objects”
• Set “Enable guest self-service sign up via user flows” to “No”

Unfortunately, although these settings are presented grouped together in Entra ID's UI, they are actually configured across two Entra policy objects (authenticationFlowsPolicy and authorizationPolicy) rather than through one API dedicated to external collaboration settings.

New or Affected Resource(s)

I am certainly not an expert on how to best map one or more APIs to Terraform resources, but if we wanted to align with how these settings are organized in the Azure portal or Entra admin center, we could use:

• azuread_external_collaboration_settings

Another viable approach would be to simply mirror the policy objects exposed by Graph:

• azuread_authentication_flows_policy
• azuread_authorization_policy

Potential Terraform Configuration

resource "azuread_external_collaboration_settings" "external_collaboration_settings" {
    allow_guest_invites_from = "adminsGuestInvitersAndAllMembers"
    guest_user_access_level = "limited"
    guest_self_service_sign_up = false
}

References

• https://learn.microsoft.com/en-us/graph/api/authenticationflowspolicy-update?view=graph-rest-1.0&tabs=http
• https://learn.microsoft.com/en-us/graph/api/authorizationpolicy-update?view=graph-rest-1.0&tabs=http
• https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions

[ashtmMSFT]

On a second search through the issue list, I see this is highly related to (but not quite the same as) existing issue #1183.