diff --git a/azurerm/import_arm_network_interface_test.go b/azurerm/import_arm_network_interface_test.go
index a80ec97d25dc..193764c236dc 100644
--- a/azurerm/import_arm_network_interface_test.go
+++ b/azurerm/import_arm_network_interface_test.go
@@ -111,3 +111,24 @@ func TestAccAzureRMNetworkInterface_importPublicIP(t *testing.T) {
 },
 })
 }
+
+func TestAccAzureRMNetworkInterface_importApplicationSecurityGroup(t *testing.T) {
+ resourceName := "azurerm_network_interface.test"
+ rInt := acctest.RandInt()
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMNetworkInterfaceDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMNetworkInterface_applicationSecurityGroup(rInt, testLocation()),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
diff --git a/azurerm/resource_arm_network_interface.go b/azurerm/resource_arm_network_interface.go
index ddc8f44fadfe..7a65ea890d67 100644
--- a/azurerm/resource_arm_network_interface.go
+++ b/azurerm/resource_arm_network_interface.go
@@ -104,6 +104,14 @@ func resourceArmNetworkInterface() *schema.Resource {
 Set: schema.HashString,
 },
+ "application_security_group_ids": {
+ Type: schema.TypeSet,
+ Optional: true,
+ Computed: true,
+ Elem: &schema.Schema{Type: schema.TypeString},
+ Set: schema.HashString,
+ },
+
 "primary": {
 Type: schema.TypeBool,
 Optional: true,
@@ -329,7 +337,10 @@ func resourceArmNetworkInterfaceRead(d *schema.ResourceData, meta interface{}) e
 }
 if iface.IPConfigurations != nil {
- d.Set("ip_configuration", flattenNetworkInterfaceIPConfigurations(iface.IPConfigurations))
+ configs := flattenNetworkInterfaceIPConfigurations(iface.IPConfigurations)
+ if err := d.Set("ip_configuration", configs); err != nil {
+ return fmt.Errorf("Error setting `ip_configuration`: %+v", err)
+ }
 }
 if iface.VirtualMachine != nil {
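Review bot: `application_security_group_ids` in the `ip_configuration` schema of `resourceArmNetworkInterface` is declared both `Optional: true` and `Computed: true`, so deleting the attribute from a configuration will most likely keep the last known set in state instead of planning a detach. Application Security Group membership decides which network security group rules apply to the NIC, so a group the operator believes was removed could stay attached without any diff being shown. If that is not the intent, drop `Computed: true`; if it is, state it next to the field, for example `// Computed: omitting the field keeps the groups already attached`, and repeat it in the docs entry. The rest of the schema is outside this hunk, so whether the sibling ID sets behave the same way cannot be seen here.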
@@ -480,6 +491,14 @@ func flattenNetworkInterfaceIPConfigurations(ipConfigs *[]network.InterfaceIPCon
 }
 niIPConfig["load_balancer_inbound_nat_rules_ids"] = schema.NewSet(schema.HashString, rules)
+ securityGroups := make([]interface{}, 0)
+ if sgs := props.ApplicationSecurityGroups; sgs != nil {
+ for _, sg := range *sgs {
+ securityGroups = append(securityGroups, *sg.ID)
+ }
+ }
+ niIPConfig["application_security_group_ids"] = schema.NewSet(schema.HashString, securityGroups)
+
 result = append(result, niIPConfig)
 }
 return result
@@ -566,6 +585,21 @@ func expandAzureRmNetworkInterfaceIpConfigurations(d *schema.ResourceData) ([]ne
 properties.LoadBalancerInboundNatRules = &natRules
 }
+ if v, ok := data["application_security_group_ids"]; ok {
+ var securityGroups []network.ApplicationSecurityGroup
+ rules := v.(*schema.Set).List()
+ for _, r := range rules {
+ groupId := r.(string)
+ group := network.ApplicationSecurityGroup{
+ ID: &groupId,
+ }
+
+ securityGroups = append(securityGroups, group)
+ }
+
+ properties.ApplicationSecurityGroups = &securityGroups
+ }
+
 name := data["name"].(string)
 ipConfig := network.InterfaceIPConfiguration{
 Name: &name,
diff --git a/azurerm/resource_arm_network_interface_test.go b/azurerm/resource_arm_network_interface_test.go
index 1caea1568e23..0ad116ee06fb 100644
--- a/azurerm/resource_arm_network_interface_test.go
+++ b/azurerm/resource_arm_network_interface_test.go
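Review bot: In `flattenNetworkInterfaceIPConfigurations`, `*sg.ID` is dereferenced without a nil check, so an API response carrying an application security group entry with no ID would panic the provider during read. Guard the append: `if sg.ID != nil { securityGroups = append(securityGroups, *sg.ID) }`. The function starts and ends outside this hunk, so whether `props` itself is nil-checked before this point cannot be seen here.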
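Review bot: The `ok` in `if v, ok := data["application_security_group_ids"]; ok` in `expandAzureRmNetworkInterfaceIpConfigurations` probably never distinguishes set from unset, because a schema-decoded block map normally carries every key; with an empty set `securityGroups` stays nil and the request receives a pointer to a nil slice. Confirm what the API does with that value (detach every group, or leave membership unchanged), since that decides whether removing a group in configuration really takes the NIC out of the rules that reference the group, and record the intended behaviour in a comment above the block. Minor style point: `groupId` would be `groupID` under Go's initialism convention. The function continues outside this hunk.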
@@ -332,6 +332,25 @@ func TestAccAzureRMNetworkInterface_bug7986(t *testing.T) {
 })
 }
+func TestAccAzureRMNetworkInterface_applicationSecurityGroups(t *testing.T) {
+ resourceName := "azurerm_network_interface.test"
+ rInt := acctest.RandInt()
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMNetworkInterfaceDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccAzureRMNetworkInterface_applicationSecurityGroup(rInt, testLocation()),
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMNetworkInterfaceExists(resourceName),
+ resource.TestCheckResourceAttr(resourceName, "ip_configuration.0.application_security_group_ids.#", "1"),
+ ),
+ },
+ },
+ })
+}
+
 func testCheckAzureRMNetworkInterfaceExists(name string) resource.TestCheckFunc {
 return func(s *terraform.State) error {
 // Ensure we have enough information in state to look up in API
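Review bot: `TestAccAzureRMNetworkInterface_applicationSecurityGroups` only covers the attach path, asserting `ip_configuration.0.application_security_group_ids.#` equals `"1"`; no step removes the group again. Because the schema hunk in this commit marks the field `Optional` and `Computed`, a second `resource.TestStep` that applies a config without `application_security_group_ids` and checks the resulting count would show whether detaching works or the earlier membership persists. That matters for a network segmentation control, where a stale membership keeps the NIC inside rules it was meant to leave. The import test added in `import_arm_network_interface_test.go` has the same single-configuration shape.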
@@ -1012,3 +1031,45 @@ resource "azurerm_network_interface" "test" {
 `, rInt, location, rInt, rInt, rInt)
 }
+
+func testAccAzureRMNetworkInterface_applicationSecurityGroup(rInt int, location string) string {
+ return fmt.Sprintf(`
+resource "azurerm_resource_group" "test" {
+ name = "acctest-rg-%d"
+ location = "%s"
+}
+
+resource "azurerm_virtual_network" "test" {
+ name = "acctestvn-%d"
+ address_space = ["10.0.0.0/16"]
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_subnet" "test" {
+ name = "testsubnet"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ virtual_network_name = "${azurerm_virtual_network.test.name}"
+ address_prefix = "10.0.2.0/24"
+}
+
+resource "azurerm_application_security_group" "test" {
+ name = "acctest-%d"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+}
+
+resource "azurerm_network_interface" "test" {
+ name = "acctestnic-%d"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+
+ ip_configuration {
+ name = "testconfiguration1"
+ subnet_id = "${azurerm_subnet.test.id}"
+ private_ip_address_allocation = "dynamic"
+ application_security_group_ids = ["${azurerm_application_security_group.test.id}"]
+ }
+}
+`, rInt, location, rInt, rInt, rInt)
+}
diff --git a/website/docs/r/network_interface.html.markdown b/website/docs/r/network_interface.html.markdown
index 484abc2e40a8..4a6cc8427c8f 100644
--- a/website/docs/r/network_interface.html.markdown
+++ b/website/docs/r/network_interface.html.markdown
@@ -92,6 +92,10 @@ The `ip_configuration` block supports:
 * `load_balancer_inbound_nat_rules_ids` - (Optional) List of Load Balancer Inbound Nat Rules IDs involving this NIC
+* `application_security_group_ids` - (Optional) List of Application Security Group IDs which should be attached to this NIC
+
+-> **Note:** Application Security Groups are currently in Public Preview on an opt-in basis. [More information, including how you can register for the Preview, and which regions Application Security Groups are available in are available here](https://docs.microsoft.com/en-us/azure/virtual-network/create-network-security-group-preview)
+
 * `primary` - (Optional) Is this the Primary Network Interface? If set to `true` this should be the first `ip_configuration` in the array.
 ## Attributes Reference