diff --git a/README.md b/README.md
index adf482a..0518b32 100644
--- a/README.md
+++ b/README.md
@@ -37,9 +37,11 @@ No modules.
 | [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
 | [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
 | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
-| [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_entity.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_entity.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_entity_alias.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
+| [vault_identity_entity_alias.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
 | [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
-| [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource |
 | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
 | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
diff --git a/admin_role.tf b/admin_role.tf
index 95169e4..b71aab1 100644
--- a/admin_role.tf
+++ b/admin_role.tf
@@ -16,3 +16,13 @@ resource "vault_policy" "tenant_admin" {
 name = "${var.tenant_name}-admin"
 policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file)
 }
+
+resource "vault_identity_entity" "admin" {
+ name = "${var.tenant_prefix}-admin"
+}
+
+resource "vault_identity_entity_alias" "admin" {
+ name = vault_approle_auth_backend_role.tenant_admin.role_id
+ mount_accessor = vault_auth_backend.approle.accessor
+ canonical_id = vault_identity_entity.admin.id
+}
diff --git a/approle_auth.tf b/approle_auth.tf
index eace7eb..66e33a8 100644
--- a/approle_auth.tf
+++ b/approle_auth.tf
@@ -9,15 +9,9 @@ resource "vault_auth_backend" "approle" {
 resource "vault_identity_group" "this" {
 name = var.tenant_name
- type = "external"
+ type = "internal"
 metadata = {
 tenant = var.tenant_name
 prefix = var.tenant_prefix
 }
 }
-
-resource "vault_identity_group_alias" "this" {
- name = var.tenant_name
- mount_accessor = vault_auth_backend.approle.accessor
- canonical_id = vault_identity_group.this.id
-}
diff --git a/extra_policies.tf b/extra_policies.tf
index 4ed68d0..7f1be1b 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
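Review bot: `vault_identity_entity.admin` is created without `metadata`, whereas the `vault_identity_entity.extra_roles` block removed in the extra_policies.tf hunk carried `tenant`/`prefix` metadata and its replacement `vault_identity_entity.extra` drops it as well, so tenant attribution on the entity (useful for audit-log correlation and for templated ACL policies keyed on entity metadata) is lost. Suggest `metadata = { tenant = var.tenant_name, prefix = var.tenant_prefix }` on both new entities, mirroring what `vault_identity_group.this` already records. The entity name is built from `var.tenant_prefix` while the adjacent `vault_policy.tenant_admin` uses `var.tenant_name`; worth confirming that difference is intentional rather than a copy slip. Using the AppRole `role_id` as the alias `name` is the correct key for an alias on an AppRole mount.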
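Review bot: `vault_identity_group.this` switches to `type = "internal"` but nothing in the diff populates its membership — the block has no `member_entity_ids` and no `vault_identity_group_member_entity_ids` resource appears — so the new `vault_identity_entity.admin`/`.extra` entities are not members of it unless that is managed outside these files. If the group is meant to carry the tenant's entities, add `member_entity_ids = concat([vault_identity_entity.admin.id], values(vault_identity_entity.extra)[*].id)`; if membership is managed elsewhere, set `external_member_entity_ids = true` so the next apply does not strip members added out of band. The group also sets no `policies` in this block, so as written it grants nothing on its own; that is fine if the AppRole roles carry their own token policies, but a short comment such as `# membership and policies for this group are attached in <where>` would make the intent explicit.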
@@ -16,19 +16,23 @@ resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
 secret_id = random_uuid.extra_roles_secret_id[each.key].result
 }
-resource "vault_identity_entity" "extra_roles" {
- for_each = var.tenant_additional_roles
-
- name = "${var.tenant_prefix}-${each.key}"
- metadata = {
- tenant = var.tenant_name
- prefix = var.tenant_prefix
- }
-}
-
 resource "vault_policy" "extra_policies" {
 for_each = var.tenant_additional_roles
 name = "${var.tenant_prefix}-${each.key}"
 policy = file(each.value.policy_file)
 }
+
+resource "vault_identity_entity" "extra" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+}
+
+resource "vault_identity_entity_alias" "extra" {
+ for_each = var.tenant_additional_roles
+
+ name = vault_approle_auth_backend_role.extra_roles[each.key].role_id
+ mount_accessor = vault_auth_backend.approle.accessor
+ canonical_id = vault_identity_entity.extra[each.key].id
+}
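Review bot: Renaming `vault_identity_entity.extra_roles` to `vault_identity_entity.extra` makes Terraform destroy and recreate each entity with a new entity ID, so any group memberships, policies or alias links attached out of band to the old IDs are lost on apply (the dropped `metadata` is raised on the admin_role.tf hunk). A `moved` block keeps the existing entities and updates them in place instead. Separately, if these AppRoles have already logged in, Vault may have auto-created an alias for the same `role_id` on an auto-generated entity, in which case creating `vault_identity_entity_alias.extra` would conflict and the existing alias needs to be imported or merged first — worth checking before the first apply. The new resource label `extra` also diverges from the sibling `vault_approle_auth_backend_role.extra_roles` and `vault_policy.extra_policies` that the alias references side by side.
```hcl
moved {
  from = vault_identity_entity.extra_roles
  to   = vault_identity_entity.extra
}
# … unchanged: vault_policy.extra_policies, vault_identity_entity.extra, vault_identity_entity_alias.extra …
```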