pulumi-azuread 5.48.0a1706744699__py3-none-any.whl → 6.8.0a1766208344__py3-none-any.whl

pulumi_azuread/group.py

@@ -1,12 +1,17 @@
 # coding=utf-8
-# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import copy
+import builtins as _builtins
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from . import _utilities
 from . import outputs
 from ._inputs import *
@@ -16,68 +21,68 @@ __all__ = ['GroupArgs', 'Group']
 @pulumi.input_type
 class GroupArgs:
     def __init__(__self__, *,
-                 display_name: pulumi.Input[str],
-                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 assignable_to_role: Optional[pulumi.Input[bool]] = None,
-                 auto_subscribe_new_members: Optional[pulumi.Input[bool]] = None,
-                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
+                 display_name: pulumi.Input[_builtins.str],
+                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 assignable_to_role: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auto_subscribe_new_members: Optional[pulumi.Input[_builtins.bool]] = None,
+                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
                  dynamic_membership: Optional[pulumi.Input['GroupDynamicMembershipArgs']] = None,
-                 external_senders_allowed: Optional[pulumi.Input[bool]] = None,
-                 hide_from_address_lists: Optional[pulumi.Input[bool]] = None,
-                 hide_from_outlook_clients: Optional[pulumi.Input[bool]] = None,
-                 mail_enabled: Optional[pulumi.Input[bool]] = None,
-                 mail_nickname: Optional[pulumi.Input[str]] = None,
-                 members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 onpremises_group_type: Optional[pulumi.Input[str]] = None,
-                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 prevent_duplicate_names: Optional[pulumi.Input[bool]] = None,
-                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 security_enabled: Optional[pulumi.Input[bool]] = None,
-                 theme: Optional[pulumi.Input[str]] = None,
-                 types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 visibility: Optional[pulumi.Input[str]] = None,
-                 writeback_enabled: Optional[pulumi.Input[bool]] = None):
+                 external_senders_allowed: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_address_lists: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_outlook_clients: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_nickname: Optional[pulumi.Input[_builtins.str]] = None,
+                 members: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 onpremises_group_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 prevent_duplicate_names: Optional[pulumi.Input[_builtins.bool]] = None,
+                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 security_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 theme: Optional[pulumi.Input[_builtins.str]] = None,
+                 types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 visibility: Optional[pulumi.Input[_builtins.str]] = None,
+                 writeback_enabled: Optional[pulumi.Input[_builtins.bool]] = None):
         """
         The set of arguments for constructing a Group resource.
-        :param pulumi.Input[str] display_name: The display name for the group.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
+        :param pulumi.Input[_builtins.str] display_name: The display name for the group.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
                
-               !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
-        :param pulumi.Input[bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
+               > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
+        :param pulumi.Input[_builtins.bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `auto_subscribe_new_members` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] description: The description for the group.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] description: The description for the group.
         :param pulumi.Input['GroupDynamicMembershipArgs'] dynamic_membership: A `dynamic_membership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
-        :param pulumi.Input[bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `external_senders_allowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_address_lists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_outlook_clients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
-        :param pulumi.Input[str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
+        :param pulumi.Input[_builtins.bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
                
                !> **Warning** Do not use the `members` property at the same time as the GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.
-        :param pulumi.Input[str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
-        :param pulumi.Input[bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
-        :param pulumi.Input[bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
-        :param pulumi.Input[str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
+        :param pulumi.Input[_builtins.bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
                
                > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
-        :param pulumi.Input[str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
+        :param pulumi.Input[_builtins.str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
                
                > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions.
-        :param pulumi.Input[bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """
         pulumi.set(__self__, "display_name", display_name)
         if administrative_unit_ids is not None:
@@ -123,47 +128,47 @@ class GroupArgs:
         if writeback_enabled is not None:
             pulumi.set(__self__, "writeback_enabled", writeback_enabled)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="displayName")
-    def display_name(self) -> pulumi.Input[str]:
+    def display_name(self) -> pulumi.Input[_builtins.str]:
         """
         The display name for the group.
         """
         return pulumi.get(self, "display_name")
 
     @display_name.setter
-    def display_name(self, value: pulumi.Input[str]):
+    def display_name(self, value: pulumi.Input[_builtins.str]):
         pulumi.set(self, "display_name", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="administrativeUnitIds")
-    def administrative_unit_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def administrative_unit_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
 
-        !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
+        > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
         """
         return pulumi.get(self, "administrative_unit_ids")
 
     @administrative_unit_ids.setter
-    def administrative_unit_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def administrative_unit_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "administrative_unit_ids", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="assignableToRole")
-    def assignable_to_role(self) -> Optional[pulumi.Input[bool]]:
+    def assignable_to_role(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "assignable_to_role")
 
     @assignable_to_role.setter
-    def assignable_to_role(self, value: Optional[pulumi.Input[bool]]):
+    def assignable_to_role(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "assignable_to_role", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="autoSubscribeNewMembers")
-    def auto_subscribe_new_members(self) -> Optional[pulumi.Input[bool]]:
+    def auto_subscribe_new_members(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
 
@@ -172,34 +177,34 @@ class GroupArgs:
         return pulumi.get(self, "auto_subscribe_new_members")
 
     @auto_subscribe_new_members.setter
-    def auto_subscribe_new_members(self, value: Optional[pulumi.Input[bool]]):
+    def auto_subscribe_new_members(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "auto_subscribe_new_members", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def behaviors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def behaviors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
-        A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "behaviors")
 
     @behaviors.setter
-    def behaviors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def behaviors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "behaviors", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[str]]:
+    def description(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The description for the group.
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[str]]):
+    def description(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "description", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="dynamicMembership")
     def dynamic_membership(self) -> Optional[pulumi.Input['GroupDynamicMembershipArgs']]:
         """
@@ -211,9 +216,9 @@ class GroupArgs:
     def dynamic_membership(self, value: Optional[pulumi.Input['GroupDynamicMembershipArgs']]):
         pulumi.set(self, "dynamic_membership", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="externalSendersAllowed")
-    def external_senders_allowed(self) -> Optional[pulumi.Input[bool]]:
+    def external_senders_allowed(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
 
@@ -222,12 +227,12 @@ class GroupArgs:
         return pulumi.get(self, "external_senders_allowed")
 
     @external_senders_allowed.setter
-    def external_senders_allowed(self, value: Optional[pulumi.Input[bool]]):
+    def external_senders_allowed(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "external_senders_allowed", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="hideFromAddressLists")
-    def hide_from_address_lists(self) -> Optional[pulumi.Input[bool]]:
+    def hide_from_address_lists(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
 
@@ -236,12 +241,12 @@ class GroupArgs:
         return pulumi.get(self, "hide_from_address_lists")
 
     @hide_from_address_lists.setter
-    def hide_from_address_lists(self, value: Optional[pulumi.Input[bool]]):
+    def hide_from_address_lists(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "hide_from_address_lists", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="hideFromOutlookClients")
-    def hide_from_outlook_clients(self) -> Optional[pulumi.Input[bool]]:
+    def hide_from_outlook_clients(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
 
@@ -250,36 +255,36 @@ class GroupArgs:
         return pulumi.get(self, "hide_from_outlook_clients")
 
     @hide_from_outlook_clients.setter
-    def hide_from_outlook_clients(self, value: Optional[pulumi.Input[bool]]):
+    def hide_from_outlook_clients(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "hide_from_outlook_clients", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="mailEnabled")
-    def mail_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def mail_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
         """
         return pulumi.get(self, "mail_enabled")
 
     @mail_enabled.setter
-    def mail_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def mail_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "mail_enabled", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="mailNickname")
-    def mail_nickname(self) -> Optional[pulumi.Input[str]]:
+    def mail_nickname(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "mail_nickname")
 
     @mail_nickname.setter
-    def mail_nickname(self, value: Optional[pulumi.Input[str]]):
+    def mail_nickname(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "mail_nickname", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
 
@@ -288,84 +293,84 @@ class GroupArgs:
         return pulumi.get(self, "members")
 
     @members.setter
-    def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "members", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesGroupType")
-    def onpremises_group_type(self) -> Optional[pulumi.Input[str]]:
+    def onpremises_group_type(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
         """
         return pulumi.get(self, "onpremises_group_type")
 
     @onpremises_group_type.setter
-    def onpremises_group_type(self, value: Optional[pulumi.Input[str]]):
+    def onpremises_group_type(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "onpremises_group_type", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def owners(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def owners(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of owners who own this group. Supported object types are Users or Service Principals
         """
         return pulumi.get(self, "owners")
 
     @owners.setter
-    def owners(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def owners(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "owners", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="preventDuplicateNames")
-    def prevent_duplicate_names(self) -> Optional[pulumi.Input[bool]]:
+    def prevent_duplicate_names(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
         """
         return pulumi.get(self, "prevent_duplicate_names")
 
     @prevent_duplicate_names.setter
-    def prevent_duplicate_names(self, value: Optional[pulumi.Input[bool]]):
+    def prevent_duplicate_names(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "prevent_duplicate_names", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="provisioningOptions")
-    def provisioning_options(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def provisioning_options(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "provisioning_options")
 
     @provisioning_options.setter
-    def provisioning_options(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def provisioning_options(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "provisioning_options", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="securityEnabled")
-    def security_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def security_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
         """
         return pulumi.get(self, "security_enabled")
 
     @security_enabled.setter
-    def security_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def security_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "security_enabled", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def theme(self) -> Optional[pulumi.Input[str]]:
+    def theme(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
         """
         return pulumi.get(self, "theme")
 
     @theme.setter
-    def theme(self, value: Optional[pulumi.Input[str]]):
+    def theme(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "theme", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
 
@@ -374,12 +379,12 @@ class GroupArgs:
         return pulumi.get(self, "types")
 
     @types.setter
-    def types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "types", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def visibility(self) -> Optional[pulumi.Input[str]]:
+    def visibility(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
 
@@ -388,105 +393,105 @@ class GroupArgs:
         return pulumi.get(self, "visibility")
 
     @visibility.setter
-    def visibility(self, value: Optional[pulumi.Input[str]]):
+    def visibility(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "visibility", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="writebackEnabled")
-    def writeback_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def writeback_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "writeback_enabled")
 
     @writeback_enabled.setter
-    def writeback_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def writeback_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "writeback_enabled", value)
 
 
 @pulumi.input_type
 class _GroupState:
     def __init__(__self__, *,
-                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 assignable_to_role: Optional[pulumi.Input[bool]] = None,
-                 auto_subscribe_new_members: Optional[pulumi.Input[bool]] = None,
-                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 display_name: Optional[pulumi.Input[str]] = None,
+                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 assignable_to_role: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auto_subscribe_new_members: Optional[pulumi.Input[_builtins.bool]] = None,
+                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 display_name: Optional[pulumi.Input[_builtins.str]] = None,
                  dynamic_membership: Optional[pulumi.Input['GroupDynamicMembershipArgs']] = None,
-                 external_senders_allowed: Optional[pulumi.Input[bool]] = None,
-                 hide_from_address_lists: Optional[pulumi.Input[bool]] = None,
-                 hide_from_outlook_clients: Optional[pulumi.Input[bool]] = None,
-                 mail: Optional[pulumi.Input[str]] = None,
-                 mail_enabled: Optional[pulumi.Input[bool]] = None,
-                 mail_nickname: Optional[pulumi.Input[str]] = None,
-                 members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 object_id: Optional[pulumi.Input[str]] = None,
-                 onpremises_domain_name: Optional[pulumi.Input[str]] = None,
-                 onpremises_group_type: Optional[pulumi.Input[str]] = None,
-                 onpremises_netbios_name: Optional[pulumi.Input[str]] = None,
-                 onpremises_sam_account_name: Optional[pulumi.Input[str]] = None,
-                 onpremises_security_identifier: Optional[pulumi.Input[str]] = None,
-                 onpremises_sync_enabled: Optional[pulumi.Input[bool]] = None,
-                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 preferred_language: Optional[pulumi.Input[str]] = None,
-                 prevent_duplicate_names: Optional[pulumi.Input[bool]] = None,
-                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 proxy_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 security_enabled: Optional[pulumi.Input[bool]] = None,
-                 theme: Optional[pulumi.Input[str]] = None,
-                 types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 visibility: Optional[pulumi.Input[str]] = None,
-                 writeback_enabled: Optional[pulumi.Input[bool]] = None):
+                 external_senders_allowed: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_address_lists: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_outlook_clients: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail: Optional[pulumi.Input[_builtins.str]] = None,
+                 mail_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_nickname: Optional[pulumi.Input[_builtins.str]] = None,
+                 members: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 onpremises_domain_name: Optional[pulumi.Input[_builtins.str]] = None,
+                 onpremises_group_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 onpremises_netbios_name: Optional[pulumi.Input[_builtins.str]] = None,
+                 onpremises_sam_account_name: Optional[pulumi.Input[_builtins.str]] = None,
+                 onpremises_security_identifier: Optional[pulumi.Input[_builtins.str]] = None,
+                 onpremises_sync_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 preferred_language: Optional[pulumi.Input[_builtins.str]] = None,
+                 prevent_duplicate_names: Optional[pulumi.Input[_builtins.bool]] = None,
+                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 proxy_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 security_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 theme: Optional[pulumi.Input[_builtins.str]] = None,
+                 types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 visibility: Optional[pulumi.Input[_builtins.str]] = None,
+                 writeback_enabled: Optional[pulumi.Input[_builtins.bool]] = None):
         """
         Input properties used for looking up and filtering Group resources.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
                
-               !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
-        :param pulumi.Input[bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
+               > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
+        :param pulumi.Input[_builtins.bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `auto_subscribe_new_members` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] description: The description for the group.
-        :param pulumi.Input[str] display_name: The display name for the group.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] description: The description for the group.
+        :param pulumi.Input[_builtins.str] display_name: The display name for the group.
         :param pulumi.Input['GroupDynamicMembershipArgs'] dynamic_membership: A `dynamic_membership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
-        :param pulumi.Input[bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `external_senders_allowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_address_lists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_outlook_clients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[str] mail: The SMTP address for the group.
-        :param pulumi.Input[bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
-        :param pulumi.Input[str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
+        :param pulumi.Input[_builtins.str] mail: The SMTP address for the group.
+        :param pulumi.Input[_builtins.bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
                
                !> **Warning** Do not use the `members` property at the same time as the GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.
-        :param pulumi.Input[str] object_id: The object ID of the group.
-        :param pulumi.Input[str] onpremises_domain_name: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
-        :param pulumi.Input[str] onpremises_netbios_name: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[str] onpremises_sam_account_name: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[str] onpremises_security_identifier: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[bool] onpremises_sync_enabled: Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
-        :param pulumi.Input[str] preferred_language: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
-        :param pulumi.Input[bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] proxy_addresses: List of email addresses for the group that direct to the same group mailbox.
-        :param pulumi.Input[bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
-        :param pulumi.Input[str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] object_id: The object ID of the group.
+        :param pulumi.Input[_builtins.str] onpremises_domain_name: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
+        :param pulumi.Input[_builtins.str] onpremises_netbios_name: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.str] onpremises_sam_account_name: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.str] onpremises_security_identifier: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.bool] onpremises_sync_enabled: Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
+        :param pulumi.Input[_builtins.str] preferred_language: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
+        :param pulumi.Input[_builtins.bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] proxy_addresses: List of email addresses for the group that direct to the same group mailbox.
+        :param pulumi.Input[_builtins.bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
                
                > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
-        :param pulumi.Input[str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
+        :param pulumi.Input[_builtins.str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
                
                > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions.
-        :param pulumi.Input[bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """
         if administrative_unit_ids is not None:
             pulumi.set(__self__, "administrative_unit_ids", administrative_unit_ids)
@@ -551,35 +556,35 @@ class _GroupState:
         if writeback_enabled is not None:
             pulumi.set(__self__, "writeback_enabled", writeback_enabled)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="administrativeUnitIds")
-    def administrative_unit_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def administrative_unit_ids(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
 
-        !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
+        > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
         """
         return pulumi.get(self, "administrative_unit_ids")
 
     @administrative_unit_ids.setter
-    def administrative_unit_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def administrative_unit_ids(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "administrative_unit_ids", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="assignableToRole")
-    def assignable_to_role(self) -> Optional[pulumi.Input[bool]]:
+    def assignable_to_role(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "assignable_to_role")
 
     @assignable_to_role.setter
-    def assignable_to_role(self, value: Optional[pulumi.Input[bool]]):
+    def assignable_to_role(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "assignable_to_role", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="autoSubscribeNewMembers")
-    def auto_subscribe_new_members(self) -> Optional[pulumi.Input[bool]]:
+    def auto_subscribe_new_members(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
 
@@ -588,46 +593,46 @@ class _GroupState:
         return pulumi.get(self, "auto_subscribe_new_members")
 
     @auto_subscribe_new_members.setter
-    def auto_subscribe_new_members(self, value: Optional[pulumi.Input[bool]]):
+    def auto_subscribe_new_members(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "auto_subscribe_new_members", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def behaviors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def behaviors(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
-        A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "behaviors")
 
     @behaviors.setter
-    def behaviors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def behaviors(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "behaviors", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def description(self) -> Optional[pulumi.Input[str]]:
+    def description(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The description for the group.
         """
         return pulumi.get(self, "description")
 
     @description.setter
-    def description(self, value: Optional[pulumi.Input[str]]):
+    def description(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "description", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="displayName")
-    def display_name(self) -> Optional[pulumi.Input[str]]:
+    def display_name(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The display name for the group.
         """
         return pulumi.get(self, "display_name")
 
     @display_name.setter
-    def display_name(self, value: Optional[pulumi.Input[str]]):
+    def display_name(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "display_name", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="dynamicMembership")
     def dynamic_membership(self) -> Optional[pulumi.Input['GroupDynamicMembershipArgs']]:
         """
@@ -639,9 +644,9 @@ class _GroupState:
     def dynamic_membership(self, value: Optional[pulumi.Input['GroupDynamicMembershipArgs']]):
         pulumi.set(self, "dynamic_membership", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="externalSendersAllowed")
-    def external_senders_allowed(self) -> Optional[pulumi.Input[bool]]:
+    def external_senders_allowed(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
 
@@ -650,12 +655,12 @@ class _GroupState:
         return pulumi.get(self, "external_senders_allowed")
 
     @external_senders_allowed.setter
-    def external_senders_allowed(self, value: Optional[pulumi.Input[bool]]):
+    def external_senders_allowed(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "external_senders_allowed", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="hideFromAddressLists")
-    def hide_from_address_lists(self) -> Optional[pulumi.Input[bool]]:
+    def hide_from_address_lists(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
 
@@ -664,12 +669,12 @@ class _GroupState:
         return pulumi.get(self, "hide_from_address_lists")
 
     @hide_from_address_lists.setter
-    def hide_from_address_lists(self, value: Optional[pulumi.Input[bool]]):
+    def hide_from_address_lists(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "hide_from_address_lists", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="hideFromOutlookClients")
-    def hide_from_outlook_clients(self) -> Optional[pulumi.Input[bool]]:
+    def hide_from_outlook_clients(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
 
@@ -678,48 +683,48 @@ class _GroupState:
         return pulumi.get(self, "hide_from_outlook_clients")
 
     @hide_from_outlook_clients.setter
-    def hide_from_outlook_clients(self, value: Optional[pulumi.Input[bool]]):
+    def hide_from_outlook_clients(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "hide_from_outlook_clients", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def mail(self) -> Optional[pulumi.Input[str]]:
+    def mail(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The SMTP address for the group.
         """
         return pulumi.get(self, "mail")
 
     @mail.setter
-    def mail(self, value: Optional[pulumi.Input[str]]):
+    def mail(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "mail", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="mailEnabled")
-    def mail_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def mail_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
         """
         return pulumi.get(self, "mail_enabled")
 
     @mail_enabled.setter
-    def mail_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def mail_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "mail_enabled", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="mailNickname")
-    def mail_nickname(self) -> Optional[pulumi.Input[str]]:
+    def mail_nickname(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "mail_nickname")
 
     @mail_nickname.setter
-    def mail_nickname(self, value: Optional[pulumi.Input[str]]):
+    def mail_nickname(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "mail_nickname", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
 
@@ -728,180 +733,180 @@ class _GroupState:
         return pulumi.get(self, "members")
 
     @members.setter
-    def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "members", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="objectId")
-    def object_id(self) -> Optional[pulumi.Input[str]]:
+    def object_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The object ID of the group.
         """
         return pulumi.get(self, "object_id")
 
     @object_id.setter
-    def object_id(self, value: Optional[pulumi.Input[str]]):
+    def object_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "object_id", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesDomainName")
-    def onpremises_domain_name(self) -> Optional[pulumi.Input[str]]:
+    def onpremises_domain_name(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_domain_name")
 
     @onpremises_domain_name.setter
-    def onpremises_domain_name(self, value: Optional[pulumi.Input[str]]):
+    def onpremises_domain_name(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "onpremises_domain_name", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesGroupType")
-    def onpremises_group_type(self) -> Optional[pulumi.Input[str]]:
+    def onpremises_group_type(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
         """
         return pulumi.get(self, "onpremises_group_type")
 
     @onpremises_group_type.setter
-    def onpremises_group_type(self, value: Optional[pulumi.Input[str]]):
+    def onpremises_group_type(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "onpremises_group_type", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesNetbiosName")
-    def onpremises_netbios_name(self) -> Optional[pulumi.Input[str]]:
+    def onpremises_netbios_name(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_netbios_name")
 
     @onpremises_netbios_name.setter
-    def onpremises_netbios_name(self, value: Optional[pulumi.Input[str]]):
+    def onpremises_netbios_name(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "onpremises_netbios_name", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesSamAccountName")
-    def onpremises_sam_account_name(self) -> Optional[pulumi.Input[str]]:
+    def onpremises_sam_account_name(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_sam_account_name")
 
     @onpremises_sam_account_name.setter
-    def onpremises_sam_account_name(self, value: Optional[pulumi.Input[str]]):
+    def onpremises_sam_account_name(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "onpremises_sam_account_name", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesSecurityIdentifier")
-    def onpremises_security_identifier(self) -> Optional[pulumi.Input[str]]:
+    def onpremises_security_identifier(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_security_identifier")
 
     @onpremises_security_identifier.setter
-    def onpremises_security_identifier(self, value: Optional[pulumi.Input[str]]):
+    def onpremises_security_identifier(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "onpremises_security_identifier", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesSyncEnabled")
-    def onpremises_sync_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def onpremises_sync_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
         """
         return pulumi.get(self, "onpremises_sync_enabled")
 
     @onpremises_sync_enabled.setter
-    def onpremises_sync_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def onpremises_sync_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "onpremises_sync_enabled", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def owners(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def owners(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of owners who own this group. Supported object types are Users or Service Principals
         """
         return pulumi.get(self, "owners")
 
     @owners.setter
-    def owners(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def owners(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "owners", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="preferredLanguage")
-    def preferred_language(self) -> Optional[pulumi.Input[str]]:
+    def preferred_language(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
         """
         return pulumi.get(self, "preferred_language")
 
     @preferred_language.setter
-    def preferred_language(self, value: Optional[pulumi.Input[str]]):
+    def preferred_language(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "preferred_language", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="preventDuplicateNames")
-    def prevent_duplicate_names(self) -> Optional[pulumi.Input[bool]]:
+    def prevent_duplicate_names(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
         """
         return pulumi.get(self, "prevent_duplicate_names")
 
     @prevent_duplicate_names.setter
-    def prevent_duplicate_names(self, value: Optional[pulumi.Input[bool]]):
+    def prevent_duplicate_names(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "prevent_duplicate_names", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="provisioningOptions")
-    def provisioning_options(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def provisioning_options(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "provisioning_options")
 
     @provisioning_options.setter
-    def provisioning_options(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def provisioning_options(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "provisioning_options", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="proxyAddresses")
-    def proxy_addresses(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def proxy_addresses(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         List of email addresses for the group that direct to the same group mailbox.
         """
         return pulumi.get(self, "proxy_addresses")
 
     @proxy_addresses.setter
-    def proxy_addresses(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def proxy_addresses(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "proxy_addresses", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="securityEnabled")
-    def security_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def security_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
         """
         return pulumi.get(self, "security_enabled")
 
     @security_enabled.setter
-    def security_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def security_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "security_enabled", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def theme(self) -> Optional[pulumi.Input[str]]:
+    def theme(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
         """
         return pulumi.get(self, "theme")
 
     @theme.setter
-    def theme(self, value: Optional[pulumi.Input[str]]):
+    def theme(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "theme", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+    def types(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
         """
         A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
 
@@ -910,12 +915,12 @@ class _GroupState:
         return pulumi.get(self, "types")
 
     @types.setter
-    def types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+    def types(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
         pulumi.set(self, "types", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def visibility(self) -> Optional[pulumi.Input[str]]:
+    def visibility(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
 
@@ -924,49 +929,50 @@ class _GroupState:
         return pulumi.get(self, "visibility")
 
     @visibility.setter
-    def visibility(self, value: Optional[pulumi.Input[str]]):
+    def visibility(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "visibility", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="writebackEnabled")
-    def writeback_enabled(self) -> Optional[pulumi.Input[bool]]:
+    def writeback_enabled(self) -> Optional[pulumi.Input[_builtins.bool]]:
         """
         Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "writeback_enabled")
 
     @writeback_enabled.setter
-    def writeback_enabled(self, value: Optional[pulumi.Input[bool]]):
+    def writeback_enabled(self, value: Optional[pulumi.Input[_builtins.bool]]):
         pulumi.set(self, "writeback_enabled", value)
 
 
+@pulumi.type_token("azuread:index/group:Group")
 class Group(pulumi.CustomResource):
     @overload
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 assignable_to_role: Optional[pulumi.Input[bool]] = None,
-                 auto_subscribe_new_members: Optional[pulumi.Input[bool]] = None,
-                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 display_name: Optional[pulumi.Input[str]] = None,
-                 dynamic_membership: Optional[pulumi.Input[pulumi.InputType['GroupDynamicMembershipArgs']]] = None,
-                 external_senders_allowed: Optional[pulumi.Input[bool]] = None,
-                 hide_from_address_lists: Optional[pulumi.Input[bool]] = None,
-                 hide_from_outlook_clients: Optional[pulumi.Input[bool]] = None,
-                 mail_enabled: Optional[pulumi.Input[bool]] = None,
-                 mail_nickname: Optional[pulumi.Input[str]] = None,
-                 members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 onpremises_group_type: Optional[pulumi.Input[str]] = None,
-                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 prevent_duplicate_names: Optional[pulumi.Input[bool]] = None,
-                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 security_enabled: Optional[pulumi.Input[bool]] = None,
-                 theme: Optional[pulumi.Input[str]] = None,
-                 types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 visibility: Optional[pulumi.Input[str]] = None,
-                 writeback_enabled: Optional[pulumi.Input[bool]] = None,
+                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 assignable_to_role: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auto_subscribe_new_members: Optional[pulumi.Input[_builtins.bool]] = None,
+                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 display_name: Optional[pulumi.Input[_builtins.str]] = None,
+                 dynamic_membership: Optional[pulumi.Input[Union['GroupDynamicMembershipArgs', 'GroupDynamicMembershipArgsDict']]] = None,
+                 external_senders_allowed: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_address_lists: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_outlook_clients: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_nickname: Optional[pulumi.Input[_builtins.str]] = None,
+                 members: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 onpremises_group_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 prevent_duplicate_names: Optional[pulumi.Input[_builtins.bool]] = None,
+                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 security_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 theme: Optional[pulumi.Input[_builtins.str]] = None,
+                 types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 visibility: Optional[pulumi.Input[_builtins.str]] = None,
+                 writeback_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
                  __props__=None):
         """
         Manages a group within Azure Active Directory.
@@ -979,64 +985,140 @@ class Group(pulumi.CustomResource):
 
         Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: `Group.Create`.
 
-        If using the `assignable_to_role` property, this resource additionally requires one of the following application roles: `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All`
+        If using the `assignable_to_role` property, this resource additionally requires the `RoleManagement.ReadWrite.Directory` application role.
 
         If specifying owners for a group, which are user principals, this resource additionally requires one of the following application roles: `User.Read.All`, `User.ReadWrite.All`, `Directory.Read.All` or `Directory.ReadWrite.All`
 
         When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`
 
-        When creating this resource in administrative units exclusively, the role `Groups Administrator` is required to be scoped on any administrative unit used.
+        When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles.
 
         The `external_senders_allowed`, `auto_subscribe_new_members`, `hide_from_address_lists` and `hide_from_outlook_clients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
 
+        ## Example Usage
+
+        *Basic example*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        example = azuread.Group("example",
+            display_name="example",
+            owners=[current.object_id],
+            security_enabled=True)
+        ```
+
+        *Microsoft 365 group*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        group_owner = azuread.User("group_owner",
+            user_principal_name="example-group-owner@example.com",
+            display_name="Group Owner",
+            mail_nickname="example-group-owner",
+            password="SecretP@sswd99!")
+        example = azuread.Group("example",
+            display_name="example",
+            mail_enabled=True,
+            mail_nickname="ExampleGroup",
+            security_enabled=True,
+            types=["Unified"],
+            owners=[
+                current.object_id,
+                group_owner.object_id,
+            ])
+        ```
+
+        *Group with members*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        example = azuread.User("example",
+            display_name="J Doe",
+            owners=[current.object_id],
+            password="notSecure123",
+            user_principal_name="jdoe@example.com")
+        example_group = azuread.Group("example",
+            display_name="MyGroup",
+            owners=[current.object_id],
+            security_enabled=True,
+            members=[example.object_id])
+        ```
+
+        *Group with dynamic membership*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        example = azuread.Group("example",
+            display_name="MyGroup",
+            owners=[current.object_id],
+            security_enabled=True,
+            types=["DynamicMembership"],
+            dynamic_membership={
+                "enabled": True,
+                "rule": "user.department -eq \\"Sales\\"",
+            })
+        ```
+
         ## Import
 
         Groups can be imported using their object ID, e.g.
 
         ```sh
-         $ pulumi import azuread:index/group:Group my_group 00000000-0000-0000-0000-000000000000
+        $ pulumi import azuread:index/group:Group my_group /groups/00000000-0000-0000-0000-000000000000
         ```
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
                
-               !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
-        :param pulumi.Input[bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
+               > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
+        :param pulumi.Input[_builtins.bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `auto_subscribe_new_members` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] description: The description for the group.
-        :param pulumi.Input[str] display_name: The display name for the group.
-        :param pulumi.Input[pulumi.InputType['GroupDynamicMembershipArgs']] dynamic_membership: A `dynamic_membership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
-        :param pulumi.Input[bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] description: The description for the group.
+        :param pulumi.Input[_builtins.str] display_name: The display name for the group.
+        :param pulumi.Input[Union['GroupDynamicMembershipArgs', 'GroupDynamicMembershipArgsDict']] dynamic_membership: A `dynamic_membership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
+        :param pulumi.Input[_builtins.bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `external_senders_allowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_address_lists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_outlook_clients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
-        :param pulumi.Input[str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
+        :param pulumi.Input[_builtins.bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
                
                !> **Warning** Do not use the `members` property at the same time as the GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.
-        :param pulumi.Input[str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
-        :param pulumi.Input[bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
-        :param pulumi.Input[bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
-        :param pulumi.Input[str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
+        :param pulumi.Input[_builtins.bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
                
                > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
-        :param pulumi.Input[str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
+        :param pulumi.Input[_builtins.str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
                
                > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions.
-        :param pulumi.Input[bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """
         ...
     @overload
@@ -1055,22 +1137,98 @@ class Group(pulumi.CustomResource):
 
         Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: `Group.Create`.
 
-        If using the `assignable_to_role` property, this resource additionally requires one of the following application roles: `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All`
+        If using the `assignable_to_role` property, this resource additionally requires the `RoleManagement.ReadWrite.Directory` application role.
 
         If specifying owners for a group, which are user principals, this resource additionally requires one of the following application roles: `User.Read.All`, `User.ReadWrite.All`, `Directory.Read.All` or `Directory.ReadWrite.All`
 
         When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`
 
-        When creating this resource in administrative units exclusively, the role `Groups Administrator` is required to be scoped on any administrative unit used.
+        When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles.
 
         The `external_senders_allowed`, `auto_subscribe_new_members`, `hide_from_address_lists` and `hide_from_outlook_clients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
 
+        ## Example Usage
+
+        *Basic example*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        example = azuread.Group("example",
+            display_name="example",
+            owners=[current.object_id],
+            security_enabled=True)
+        ```
+
+        *Microsoft 365 group*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        group_owner = azuread.User("group_owner",
+            user_principal_name="example-group-owner@example.com",
+            display_name="Group Owner",
+            mail_nickname="example-group-owner",
+            password="SecretP@sswd99!")
+        example = azuread.Group("example",
+            display_name="example",
+            mail_enabled=True,
+            mail_nickname="ExampleGroup",
+            security_enabled=True,
+            types=["Unified"],
+            owners=[
+                current.object_id,
+                group_owner.object_id,
+            ])
+        ```
+
+        *Group with members*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        example = azuread.User("example",
+            display_name="J Doe",
+            owners=[current.object_id],
+            password="notSecure123",
+            user_principal_name="jdoe@example.com")
+        example_group = azuread.Group("example",
+            display_name="MyGroup",
+            owners=[current.object_id],
+            security_enabled=True,
+            members=[example.object_id])
+        ```
+
+        *Group with dynamic membership*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        current = azuread.get_client_config()
+        example = azuread.Group("example",
+            display_name="MyGroup",
+            owners=[current.object_id],
+            security_enabled=True,
+            types=["DynamicMembership"],
+            dynamic_membership={
+                "enabled": True,
+                "rule": "user.department -eq \\"Sales\\"",
+            })
+        ```
+
         ## Import
 
         Groups can be imported using their object ID, e.g.
 
         ```sh
-         $ pulumi import azuread:index/group:Group my_group 00000000-0000-0000-0000-000000000000
+        $ pulumi import azuread:index/group:Group my_group /groups/00000000-0000-0000-0000-000000000000
         ```
 
         :param str resource_name: The name of the resource.
@@ -1088,28 +1246,28 @@ class Group(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 assignable_to_role: Optional[pulumi.Input[bool]] = None,
-                 auto_subscribe_new_members: Optional[pulumi.Input[bool]] = None,
-                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 description: Optional[pulumi.Input[str]] = None,
-                 display_name: Optional[pulumi.Input[str]] = None,
-                 dynamic_membership: Optional[pulumi.Input[pulumi.InputType['GroupDynamicMembershipArgs']]] = None,
-                 external_senders_allowed: Optional[pulumi.Input[bool]] = None,
-                 hide_from_address_lists: Optional[pulumi.Input[bool]] = None,
-                 hide_from_outlook_clients: Optional[pulumi.Input[bool]] = None,
-                 mail_enabled: Optional[pulumi.Input[bool]] = None,
-                 mail_nickname: Optional[pulumi.Input[str]] = None,
-                 members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 onpremises_group_type: Optional[pulumi.Input[str]] = None,
-                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 prevent_duplicate_names: Optional[pulumi.Input[bool]] = None,
-                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 security_enabled: Optional[pulumi.Input[bool]] = None,
-                 theme: Optional[pulumi.Input[str]] = None,
-                 types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-                 visibility: Optional[pulumi.Input[str]] = None,
-                 writeback_enabled: Optional[pulumi.Input[bool]] = None,
+                 administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 assignable_to_role: Optional[pulumi.Input[_builtins.bool]] = None,
+                 auto_subscribe_new_members: Optional[pulumi.Input[_builtins.bool]] = None,
+                 behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 description: Optional[pulumi.Input[_builtins.str]] = None,
+                 display_name: Optional[pulumi.Input[_builtins.str]] = None,
+                 dynamic_membership: Optional[pulumi.Input[Union['GroupDynamicMembershipArgs', 'GroupDynamicMembershipArgsDict']]] = None,
+                 external_senders_allowed: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_address_lists: Optional[pulumi.Input[_builtins.bool]] = None,
+                 hide_from_outlook_clients: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 mail_nickname: Optional[pulumi.Input[_builtins.str]] = None,
+                 members: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 onpremises_group_type: Optional[pulumi.Input[_builtins.str]] = None,
+                 owners: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 prevent_duplicate_names: Optional[pulumi.Input[_builtins.bool]] = None,
+                 provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 security_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+                 theme: Optional[pulumi.Input[_builtins.str]] = None,
+                 types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+                 visibility: Optional[pulumi.Input[_builtins.str]] = None,
+                 writeback_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -1162,37 +1320,37 @@ class Group(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            assignable_to_role: Optional[pulumi.Input[bool]] = None,
-            auto_subscribe_new_members: Optional[pulumi.Input[bool]] = None,
-            behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            description: Optional[pulumi.Input[str]] = None,
-            display_name: Optional[pulumi.Input[str]] = None,
-            dynamic_membership: Optional[pulumi.Input[pulumi.InputType['GroupDynamicMembershipArgs']]] = None,
-            external_senders_allowed: Optional[pulumi.Input[bool]] = None,
-            hide_from_address_lists: Optional[pulumi.Input[bool]] = None,
-            hide_from_outlook_clients: Optional[pulumi.Input[bool]] = None,
-            mail: Optional[pulumi.Input[str]] = None,
-            mail_enabled: Optional[pulumi.Input[bool]] = None,
-            mail_nickname: Optional[pulumi.Input[str]] = None,
-            members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            object_id: Optional[pulumi.Input[str]] = None,
-            onpremises_domain_name: Optional[pulumi.Input[str]] = None,
-            onpremises_group_type: Optional[pulumi.Input[str]] = None,
-            onpremises_netbios_name: Optional[pulumi.Input[str]] = None,
-            onpremises_sam_account_name: Optional[pulumi.Input[str]] = None,
-            onpremises_security_identifier: Optional[pulumi.Input[str]] = None,
-            onpremises_sync_enabled: Optional[pulumi.Input[bool]] = None,
-            owners: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            preferred_language: Optional[pulumi.Input[str]] = None,
-            prevent_duplicate_names: Optional[pulumi.Input[bool]] = None,
-            provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            proxy_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            security_enabled: Optional[pulumi.Input[bool]] = None,
-            theme: Optional[pulumi.Input[str]] = None,
-            types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
-            visibility: Optional[pulumi.Input[str]] = None,
-            writeback_enabled: Optional[pulumi.Input[bool]] = None) -> 'Group':
+            administrative_unit_ids: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            assignable_to_role: Optional[pulumi.Input[_builtins.bool]] = None,
+            auto_subscribe_new_members: Optional[pulumi.Input[_builtins.bool]] = None,
+            behaviors: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            description: Optional[pulumi.Input[_builtins.str]] = None,
+            display_name: Optional[pulumi.Input[_builtins.str]] = None,
+            dynamic_membership: Optional[pulumi.Input[Union['GroupDynamicMembershipArgs', 'GroupDynamicMembershipArgsDict']]] = None,
+            external_senders_allowed: Optional[pulumi.Input[_builtins.bool]] = None,
+            hide_from_address_lists: Optional[pulumi.Input[_builtins.bool]] = None,
+            hide_from_outlook_clients: Optional[pulumi.Input[_builtins.bool]] = None,
+            mail: Optional[pulumi.Input[_builtins.str]] = None,
+            mail_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+            mail_nickname: Optional[pulumi.Input[_builtins.str]] = None,
+            members: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            object_id: Optional[pulumi.Input[_builtins.str]] = None,
+            onpremises_domain_name: Optional[pulumi.Input[_builtins.str]] = None,
+            onpremises_group_type: Optional[pulumi.Input[_builtins.str]] = None,
+            onpremises_netbios_name: Optional[pulumi.Input[_builtins.str]] = None,
+            onpremises_sam_account_name: Optional[pulumi.Input[_builtins.str]] = None,
+            onpremises_security_identifier: Optional[pulumi.Input[_builtins.str]] = None,
+            onpremises_sync_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+            owners: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            preferred_language: Optional[pulumi.Input[_builtins.str]] = None,
+            prevent_duplicate_names: Optional[pulumi.Input[_builtins.bool]] = None,
+            provisioning_options: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            proxy_addresses: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            security_enabled: Optional[pulumi.Input[_builtins.bool]] = None,
+            theme: Optional[pulumi.Input[_builtins.str]] = None,
+            types: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
+            visibility: Optional[pulumi.Input[_builtins.str]] = None,
+            writeback_enabled: Optional[pulumi.Input[_builtins.bool]] = None) -> 'Group':
         """
         Get an existing Group resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -1200,53 +1358,53 @@ class Group(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] administrative_unit_ids: The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
                
-               !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
-        :param pulumi.Input[bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
+               > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
+        :param pulumi.Input[_builtins.bool] assignable_to_role: Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.bool] auto_subscribe_new_members: Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `auto_subscribe_new_members` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] description: The description for the group.
-        :param pulumi.Input[str] display_name: The display name for the group.
-        :param pulumi.Input[pulumi.InputType['GroupDynamicMembershipArgs']] dynamic_membership: A `dynamic_membership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
-        :param pulumi.Input[bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] behaviors: A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] description: The description for the group.
+        :param pulumi.Input[_builtins.str] display_name: The display name for the group.
+        :param pulumi.Input[Union['GroupDynamicMembershipArgs', 'GroupDynamicMembershipArgsDict']] dynamic_membership: A `dynamic_membership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
+        :param pulumi.Input[_builtins.bool] external_senders_allowed: Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `external_senders_allowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_address_lists: Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_address_lists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
+        :param pulumi.Input[_builtins.bool] hide_from_outlook_clients: Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
                
                > **Known Permissions Issue** The `hide_from_outlook_clients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
-        :param pulumi.Input[str] mail: The SMTP address for the group.
-        :param pulumi.Input[bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
-        :param pulumi.Input[str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
+        :param pulumi.Input[_builtins.str] mail: The SMTP address for the group.
+        :param pulumi.Input[_builtins.bool] mail_enabled: Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] mail_nickname: The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] members: A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
                
                !> **Warning** Do not use the `members` property at the same time as the GroupMember resource for the same group. Doing so will cause a conflict and group members will be removed.
-        :param pulumi.Input[str] object_id: The object ID of the group.
-        :param pulumi.Input[str] onpremises_domain_name: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
-        :param pulumi.Input[str] onpremises_netbios_name: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[str] onpremises_sam_account_name: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[str] onpremises_security_identifier: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
-        :param pulumi.Input[bool] onpremises_sync_enabled: Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
-        :param pulumi.Input[str] preferred_language: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
-        :param pulumi.Input[bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] proxy_addresses: List of email addresses for the group that direct to the same group mailbox.
-        :param pulumi.Input[bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
-        :param pulumi.Input[str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] object_id: The object ID of the group.
+        :param pulumi.Input[_builtins.str] onpremises_domain_name: The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.str] onpremises_group_type: The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
+        :param pulumi.Input[_builtins.str] onpremises_netbios_name: The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.str] onpremises_sam_account_name: The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.str] onpremises_security_identifier: The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.bool] onpremises_sync_enabled: Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] owners: A set of owners who own this group. Supported object types are Users or Service Principals
+        :param pulumi.Input[_builtins.str] preferred_language: The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
+        :param pulumi.Input[_builtins.bool] prevent_duplicate_names: If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] provisioning_options: A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] proxy_addresses: List of email addresses for the group that direct to the same group mailbox.
+        :param pulumi.Input[_builtins.bool] security_enabled: Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
+        :param pulumi.Input[_builtins.str] theme: The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
+        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] types: A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
                
                > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
-        :param pulumi.Input[str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
+        :param pulumi.Input[_builtins.str] visibility: The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
                
                > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `prevent_duplicate_names` argument to check for existing groups if you want to avoid name collisions.
-        :param pulumi.Input[bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
+        :param pulumi.Input[_builtins.bool] writeback_enabled: Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
@@ -1285,27 +1443,27 @@ class Group(pulumi.CustomResource):
         __props__.__dict__["writeback_enabled"] = writeback_enabled
         return Group(resource_name, opts=opts, __props__=__props__)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="administrativeUnitIds")
-    def administrative_unit_ids(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def administrative_unit_ids(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
 
-        !> **Warning** Do not use the `administrative_unit_ids` property at the same time as the AdministrativeUnitMember resource, _for the same group_. Doing so will cause a conflict and administrative unit members will be removed.
+        > **Caution** When using the AdministrativeUnitMember resource, or the `members` property of the AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to use an `ignore_changes = [administrative_unit_ids]` lifecycle meta argument for the `Group` resource, in order to avoid a persistent diff.
         """
         return pulumi.get(self, "administrative_unit_ids")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="assignableToRole")
-    def assignable_to_role(self) -> pulumi.Output[Optional[bool]]:
+    def assignable_to_role(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "assignable_to_role")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="autoSubscribeNewMembers")
-    def auto_subscribe_new_members(self) -> pulumi.Output[bool]:
+    def auto_subscribe_new_members(self) -> pulumi.Output[_builtins.bool]:
         """
         Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
 
@@ -1313,31 +1471,31 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "auto_subscribe_new_members")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def behaviors(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def behaviors(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
-        A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
+        A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "behaviors")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def description(self) -> pulumi.Output[Optional[str]]:
+    def description(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The description for the group.
         """
         return pulumi.get(self, "description")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="displayName")
-    def display_name(self) -> pulumi.Output[str]:
+    def display_name(self) -> pulumi.Output[_builtins.str]:
         """
         The display name for the group.
         """
         return pulumi.get(self, "display_name")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="dynamicMembership")
     def dynamic_membership(self) -> pulumi.Output[Optional['outputs.GroupDynamicMembership']]:
         """
@@ -1345,9 +1503,9 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "dynamic_membership")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="externalSendersAllowed")
-    def external_senders_allowed(self) -> pulumi.Output[bool]:
+    def external_senders_allowed(self) -> pulumi.Output[_builtins.bool]:
         """
         Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
 
@@ -1355,9 +1513,9 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "external_senders_allowed")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="hideFromAddressLists")
-    def hide_from_address_lists(self) -> pulumi.Output[bool]:
+    def hide_from_address_lists(self) -> pulumi.Output[_builtins.bool]:
         """
         Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
 
@@ -1365,9 +1523,9 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "hide_from_address_lists")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="hideFromOutlookClients")
-    def hide_from_outlook_clients(self) -> pulumi.Output[bool]:
+    def hide_from_outlook_clients(self) -> pulumi.Output[_builtins.bool]:
         """
         Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
 
@@ -1375,33 +1533,33 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "hide_from_outlook_clients")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def mail(self) -> pulumi.Output[str]:
+    def mail(self) -> pulumi.Output[_builtins.str]:
         """
         The SMTP address for the group.
         """
         return pulumi.get(self, "mail")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="mailEnabled")
-    def mail_enabled(self) -> pulumi.Output[Optional[bool]]:
+    def mail_enabled(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         Whether the group is a mail enabled, with a shared group mailbox. At least one of `mail_enabled` or `security_enabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
         """
         return pulumi.get(self, "mail_enabled")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="mailNickname")
-    def mail_nickname(self) -> pulumi.Output[str]:
+    def mail_nickname(self) -> pulumi.Output[_builtins.str]:
         """
         The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "mail_nickname")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def members(self) -> pulumi.Output[Sequence[str]]:
+    def members(self) -> pulumi.Output[Sequence[_builtins.str]]:
         """
         A set of members who should be present in this group. Supported object types are Users, Groups or Service Principals. Cannot be used with the `dynamic_membership` block.
 
@@ -1409,121 +1567,121 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "members")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="objectId")
-    def object_id(self) -> pulumi.Output[str]:
+    def object_id(self) -> pulumi.Output[_builtins.str]:
         """
         The object ID of the group.
         """
         return pulumi.get(self, "object_id")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesDomainName")
-    def onpremises_domain_name(self) -> pulumi.Output[str]:
+    def onpremises_domain_name(self) -> pulumi.Output[_builtins.str]:
         """
         The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_domain_name")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesGroupType")
-    def onpremises_group_type(self) -> pulumi.Output[str]:
+    def onpremises_group_type(self) -> pulumi.Output[_builtins.str]:
         """
         The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
         """
         return pulumi.get(self, "onpremises_group_type")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesNetbiosName")
-    def onpremises_netbios_name(self) -> pulumi.Output[str]:
+    def onpremises_netbios_name(self) -> pulumi.Output[_builtins.str]:
         """
         The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_netbios_name")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesSamAccountName")
-    def onpremises_sam_account_name(self) -> pulumi.Output[str]:
+    def onpremises_sam_account_name(self) -> pulumi.Output[_builtins.str]:
         """
         The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_sam_account_name")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesSecurityIdentifier")
-    def onpremises_security_identifier(self) -> pulumi.Output[str]:
+    def onpremises_security_identifier(self) -> pulumi.Output[_builtins.str]:
         """
         The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
         """
         return pulumi.get(self, "onpremises_security_identifier")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="onpremisesSyncEnabled")
-    def onpremises_sync_enabled(self) -> pulumi.Output[bool]:
+    def onpremises_sync_enabled(self) -> pulumi.Output[_builtins.bool]:
         """
         Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
         """
         return pulumi.get(self, "onpremises_sync_enabled")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def owners(self) -> pulumi.Output[Sequence[str]]:
+    def owners(self) -> pulumi.Output[Sequence[_builtins.str]]:
         """
         A set of owners who own this group. Supported object types are Users or Service Principals
         """
         return pulumi.get(self, "owners")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="preferredLanguage")
-    def preferred_language(self) -> pulumi.Output[str]:
+    def preferred_language(self) -> pulumi.Output[_builtins.str]:
         """
         The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
         """
         return pulumi.get(self, "preferred_language")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="preventDuplicateNames")
-    def prevent_duplicate_names(self) -> pulumi.Output[Optional[bool]]:
+    def prevent_duplicate_names(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
         """
         return pulumi.get(self, "prevent_duplicate_names")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="provisioningOptions")
-    def provisioning_options(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def provisioning_options(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "provisioning_options")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="proxyAddresses")
-    def proxy_addresses(self) -> pulumi.Output[Sequence[str]]:
+    def proxy_addresses(self) -> pulumi.Output[Sequence[_builtins.str]]:
         """
         List of email addresses for the group that direct to the same group mailbox.
         """
         return pulumi.get(self, "proxy_addresses")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="securityEnabled")
-    def security_enabled(self) -> pulumi.Output[Optional[bool]]:
+    def security_enabled(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         Whether the group is a security group for controlling access to in-app resources. At least one of `security_enabled` or `mail_enabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
         """
         return pulumi.get(self, "security_enabled")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def theme(self) -> pulumi.Output[Optional[str]]:
+    def theme(self) -> pulumi.Output[Optional[_builtins.str]]:
         """
         The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
         """
         return pulumi.get(self, "theme")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def types(self) -> pulumi.Output[Optional[Sequence[str]]]:
+    def types(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
         """
         A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mail_enabled` is true. Changing this forces a new resource to be created.
 
@@ -1531,9 +1689,9 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "types")
 
-    @property
+    @_builtins.property
     @pulumi.getter
-    def visibility(self) -> pulumi.Output[str]:
+    def visibility(self) -> pulumi.Output[_builtins.str]:
         """
         The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
 
@@ -1541,9 +1699,9 @@ class Group(pulumi.CustomResource):
         """
         return pulumi.get(self, "visibility")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="writebackEnabled")
-    def writeback_enabled(self) -> pulumi.Output[Optional[bool]]:
+    def writeback_enabled(self) -> pulumi.Output[Optional[_builtins.bool]]:
         """
         Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
         """