@pulumi/azuread

import * as pulumi from "@pulumi/pulumi"; import * as inputs from "./types/input"; import * as outputs from "./types/output"; /** * ## Example Usage * * ### All users except guests or external users * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const example = new azuread.ConditionalAccessPolicy("example", { * displayName: "example policy", * state: "disabled", * conditions: { * clientAppTypes: ["all"], * signInRiskLevels: ["medium"], * userRiskLevels: ["medium"], * applications: { * includedApplications: ["All"], * excludedApplications: [], * }, * devices: { * filter: { * mode: "exclude", * rule: "device.operatingSystem eq \"Doors\"", * }, * }, * locations: { * includedLocations: ["All"], * excludedLocations: ["AllTrusted"], * }, * platforms: { * includedPlatforms: ["android"], * excludedPlatforms: ["iOS"], * }, * users: { * includedUsers: ["All"], * excludedUsers: ["GuestsOrExternalUsers"], * }, * }, * grantControls: { * operator: "OR", * builtInControls: ["mfa"], * }, * sessionControls: { * applicationEnforcedRestrictionsEnabled: true, * disableResilienceDefaults: false, * signInFrequency: 10, * signInFrequencyPeriod: "hours", * cloudAppSecurityPolicy: "monitorOnly", * }, * }); * ``` * * ### Included client applications / service principals * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const current = azuread.getClientConfig({}); * const example = new azuread.ConditionalAccessPolicy("example", { * displayName: "example policy", * state: "disabled", * conditions: { * clientAppTypes: ["all"], * applications: { * includedApplications: ["All"], * }, * clientApplications: { * includedServicePrincipals: [current.then(current => current.objectId)], * excludedServicePrincipals: [], * }, * users: { * includedUsers: ["None"], * }, * }, * grantControls: { * operator: "OR", * builtInControls: ["block"], * }, * }); * ``` * * ### Excluded client applications / service principals * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const current = azuread.getClientConfig({}); * const example = new azuread.ConditionalAccessPolicy("example", { * displayName: "example policy", * state: "disabled", * conditions: { * clientAppTypes: ["all"], * applications: { * includedApplications: ["All"], * }, * clientApplications: { * includedServicePrincipals: ["ServicePrincipalsInMyTenant"], * excludedServicePrincipals: [current.then(current => current.objectId)], * }, * users: { * includedUsers: ["None"], * }, * }, * grantControls: { * operator: "OR", * builtInControls: ["block"], * }, * }); * ``` * * ## Import * * Conditional Access Policies can be imported using the `id`, e.g. * * ```sh * $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000 * ``` */ export declare class ConditionalAccessPolicy extends pulumi.CustomResource { /** * Get an existing ConditionalAccessPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ConditionalAccessPolicyState, opts?: pulumi.CustomResourceOptions): ConditionalAccessPolicy; /** * Returns true if the given object is an instance of ConditionalAccessPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is ConditionalAccessPolicy; /** * A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply. */ readonly conditions: pulumi.Output<outputs.ConditionalAccessPolicyConditions>; /** * The friendly name for this Conditional Access Policy. */ readonly displayName: pulumi.Output<string>; /** * A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. */ readonly grantControls: pulumi.Output<outputs.ConditionalAccessPolicyGrantControls | undefined>; /** * The object ID of the policy */ readonly objectId: pulumi.Output<string>; /** * A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in. * * > Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified. */ readonly sessionControls: pulumi.Output<outputs.ConditionalAccessPolicySessionControls | undefined>; /** * Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced` */ readonly state: pulumi.Output<string>; /** * Create a ConditionalAccessPolicy resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: ConditionalAccessPolicyArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering ConditionalAccessPolicy resources. */ export interface ConditionalAccessPolicyState { /** * A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply. */ conditions?: pulumi.Input<inputs.ConditionalAccessPolicyConditions>; /** * The friendly name for this Conditional Access Policy. */ displayName?: pulumi.Input<string>; /** * A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. */ grantControls?: pulumi.Input<inputs.ConditionalAccessPolicyGrantControls>; /** * The object ID of the policy */ objectId?: pulumi.Input<string>; /** * A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in. * * > Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified. */ sessionControls?: pulumi.Input<inputs.ConditionalAccessPolicySessionControls>; /** * Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced` */ state?: pulumi.Input<string>; } /** * The set of arguments for constructing a ConditionalAccessPolicy resource. */ export interface ConditionalAccessPolicyArgs { /** * A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply. */ conditions: pulumi.Input<inputs.ConditionalAccessPolicyConditions>; /** * The friendly name for this Conditional Access Policy. */ displayName: pulumi.Input<string>; /** * A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. */ grantControls?: pulumi.Input<inputs.ConditionalAccessPolicyGrantControls>; /** * A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in. * * > Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified. */ sessionControls?: pulumi.Input<inputs.ConditionalAccessPolicySessionControls>; /** * Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced` */ state: pulumi.Input<string>; }