diff --git a/.drone.yml b/.drone.yml
index fe00746fa5..3e1b047b75 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -47,6 +47,8 @@ steps:
         backend-config:
            - "bucket=remote-state"
            - "prefix=nytimes/dv-sumologic-test"
+      vars:
+        default_role: "2FA - SumoLogic (Test)"
     environment:
       SUMOLOGIC_ACCESSID:
         from_secret: test_access_id
@@ -75,6 +77,8 @@ steps:
         backend-config:
            - "bucket=remote-state"
            - "prefix=nytimes/dv-sumologic-test"
+      vars:
+        default_role: "2FA - SumoLogic (Test)"
     environment:
       SUMOLOGIC_ACCESSID:
         from_secret: test_access_id
@@ -140,6 +144,8 @@ steps:
         backend-config:
           - "bucket=remote-state"
           - "prefix=nytimes/dv-sumologic"
+      vars:
+        default_role: "2FA - SumoLogic"
     environment:
       SUMOLOGIC_ACCESSID:
         from_secret: access_id
@@ -168,6 +174,8 @@ steps:
         backend-config:
           - "bucket=remote-state"
           - "prefix=nytimes/dv-sumologic"
+      vars:
+        default_role: "2FA - SumoLogic"
     environment:
       SUMOLOGIC_ACCESSID:
         from_secret: access_id
diff --git a/terraform/default-roles.tf b/terraform/default-roles.tf
new file mode 100644
index 0000000000..32f566581c
--- /dev/null
+++ b/terraform/default-roles.tf
@@ -0,0 +1,5 @@
+resource "sumologic_role" "default-role" {
+  name             = var.default_role
+  description      = "Default AD Group role for Sumo Logic"
+  filter_predicate = "_sourceCategory=/dev/null"
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
new file mode 100644
index 0000000000..7b71d57ab6
--- /dev/null
+++ b/terraform/variables.tf
@@ -0,0 +1,4 @@
+variable "default_role" {
+  type        = string
+  description = "The default AD group that users are added to for Azure SAML integration."
+}