import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
* Manages a group within Azure Active Directory. Does not directly manage or expose members of the group.
*
* ## API Permissions
*
* The following API permissions are required in order to use this resource.
*
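* When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. Prefer `Group.ReadWrite.All` where it is sufficient, since `Directory.ReadWrite.All` covers far more than groups.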
*
* Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: `Group.Create`.
*
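* If using the `assignableToRole` property, this resource additionally requires the `RoleManagement.ReadWrite.Directory` application role. That role permits changes to directory role assignments, so grant it only to identities that actually manage role-assignable groups.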
*
* If specifying owners for a group, which are user principals, this resource additionally requires one of the following application roles: `User.Read.All`, `User.ReadWrite.All`, `Directory.Read.All` or `Directory.ReadWrite.All`
*
* When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`
*
* When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles.
*
* The `externalSendersAllowed`, `autoSubscribeNewMembers`, `hideFromAddressLists` and `hideFromOutlookClients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
*
* ## Example Usage
*
* *Basic example*
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const example = new azuread.GroupWithoutMembers("example", {
* displayName: "example",
* owners: [current.then(current => current.objectId)],
* securityEnabled: true,
* });
* ```
*
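* *Microsoft 365 group* (the literal `password` in this example is a placeholder; in a real program supply it from a secret source such as `new pulumi.Config().requireSecret("<key>")` rather than committing a literal to source control)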
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const groupOwner = new azuread.User("group_owner", {
* userPrincipalName: "example-group-owner@example.com",
* displayName: "Group Owner",
* mailNickname: "example-group-owner",
* password: "SecretP@sswd99!",
* });
* const example = new azuread.GroupWithoutMembers("example", {
* displayName: "example",
* mailEnabled: true,
* mailNickname: "ExampleGroup",
* securityEnabled: true,
* types: ["Unified"],
* owners: [
* current.then(current => current.objectId),
* groupOwner.objectId,
* ],
* });
* ```
*
* *Group with dynamic membership*
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const example = new azuread.GroupWithoutMembers("example", {
* displayName: "MyGroup",
* owners: [current.then(current => current.objectId)],
* securityEnabled: true,
* types: ["DynamicMembership"],
* dynamicMembership: {
* enabled: true,
* rule: "user.department -eq \"Sales\"",
* },
* });
* ```
*
* ## Import
*
* Groups can be imported using their object ID, e.g.
*
* ```sh
* $ pulumi import azuread:index/groupWithoutMembers:GroupWithoutMembers my_group /groups/00000000-0000-0000-0000-000000000000
* ```
*/
export declare class GroupWithoutMembers extends pulumi.CustomResource {
/**
* Get an existing GroupWithoutMembers resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to look up.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
* @returns The GroupWithoutMembers resource bound to the existing state.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupWithoutMembersState, opts?: pulumi.CustomResourceOptions): GroupWithoutMembers;
/**
* Returns true if the given object is an instance of GroupWithoutMembers. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* @param obj The value to test; it is accepted as `any` and narrowed by the type predicate.
*/
static isInstance(obj: any): obj is GroupWithoutMembers;
/**
* The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
*
* > **Caution** When using the azuread.AdministrativeUnitMember resource, or the `members` property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to ignore changes to `administrativeUnitIds` on the group resource (in Pulumi, the `ignoreChanges: ["administrativeUnitIds"]` resource option) in order to avoid a persistent diff. The upstream text names the `azuread.Group` resource; presumably the same applies to this resource (confirm).
*/
readonly administrativeUnitIds: pulumi.Output<string[] | undefined>;
/**
* Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
*
* > **Security note** Any directory role assigned to a role-assignable group applies to all of its members, so treat ownership and membership of such a group as privileged. Using this property also requires the `RoleManagement.ReadWrite.Directory` application role, as stated in the resource-level API Permissions section.
*/
readonly assignableToRole: pulumi.Output<boolean | undefined>;
/**
* Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `autoSubscribeNewMembers` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly autoSubscribeNewMembers: pulumi.Output<boolean>;
/**
* A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
*/
readonly behaviors: pulumi.Output<string[] | undefined>;
/**
* The description for the group.
*/
readonly description: pulumi.Output<string | undefined>;
/**
* The display name for the group. Display names are not unique in the directory; see `preventDuplicateNames`.
*/
readonly displayName: pulumi.Output<string>;
/**
* A `dynamicMembership` block (typed here as `outputs.GroupWithoutMembersDynamicMembership`). Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
*
* NOTE(review): no `members` property is declared on this class; that sentence appears to come from the shared group documentation.
*/
readonly dynamicMembership: pulumi.Output<outputs.GroupWithoutMembersDynamicMembership | undefined>;
/**
* Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `externalSendersAllowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly externalSendersAllowed: pulumi.Output<boolean>;
/**
* Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromAddressLists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly hideFromAddressLists: pulumi.Output<boolean>;
/**
* Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromOutlookClients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly hideFromOutlookClients: pulumi.Output<boolean>;
/**
* The SMTP address for the group.
*/
readonly mail: pulumi.Output<string>;
/**
* Whether the group is mail enabled, with a shared group mailbox. At least one of `mailEnabled` or `securityEnabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
*/
readonly mailEnabled: pulumi.Output<boolean | undefined>;
/**
* The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
*/
readonly mailNickname: pulumi.Output<string>;
/**
* The object ID of the group.
*/
readonly objectId: pulumi.Output<string>;
/**
* The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesDomainName: pulumi.Output<string>;
/**
* The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
*/
readonly onpremisesGroupType: pulumi.Output<string>;
/**
* The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesNetbiosName: pulumi.Output<string>;
/**
* The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesSamAccountName: pulumi.Output<string>;
/**
* The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesSecurityIdentifier: pulumi.Output<string>;
/**
* Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
*
* NOTE(review): the declared type is `boolean`, so how the never-synchronised (`null`) case surfaces is not visible from this declaration; confirm before relying on a three-state check.
*/
readonly onpremisesSyncEnabled: pulumi.Output<boolean>;
/**
* A set of owners who own this group, given as object IDs (the class-level examples pass `objectId` values). Supported object types are Users or Service Principals.
*/
readonly owners: pulumi.Output<string[]>;
/**
* The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
*/
readonly preferredLanguage: pulumi.Output<string>;
/**
* If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
*/
readonly preventDuplicateNames: pulumi.Output<boolean | undefined>;
/**
* A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
*/
readonly provisioningOptions: pulumi.Output<string[] | undefined>;
/**
* List of email addresses for the group that direct to the same group mailbox.
*/
readonly proxyAddresses: pulumi.Output<string[]>;
/**
* Whether the group is a security group for controlling access to in-app resources. At least one of `securityEnabled` or `mailEnabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
*/
readonly securityEnabled: pulumi.Output<boolean | undefined>;
/**
* The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
*/
readonly theme: pulumi.Output<string | undefined>;
/**
* A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mailEnabled` is true. Changing this forces a new resource to be created.
*
* > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
*/
readonly types: pulumi.Output<string[] | undefined>;
/**
* The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
*
* Because Microsoft 365 groups default to `Public`, set `Private` explicitly when the group's content should not be open by default.
*
* > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `preventDuplicateNames` argument to check for existing groups if you want to avoid name collisions.
*/
readonly visibility: pulumi.Output<string>;
/**
* Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
*/
readonly writebackEnabled: pulumi.Output<boolean | undefined>;
/**
* Create a GroupWithoutMembers resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: GroupWithoutMembersArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering GroupWithoutMembers resources.
*/
export interface GroupWithoutMembersState {
/**
* The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
*
* > **Caution** When using the azuread.AdministrativeUnitMember resource, or the `members` property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to ignore changes to `administrativeUnitIds` on the group resource (in Pulumi, the `ignoreChanges: ["administrativeUnitIds"]` resource option) in order to avoid a persistent diff. The upstream text names the `azuread.Group` resource; presumably the same applies to this resource (confirm).
*/
administrativeUnitIds?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
*
* > **Security note** Any directory role assigned to a role-assignable group applies to all of its members, so treat ownership and membership of such a group as privileged.
*/
assignableToRole?: pulumi.Input<boolean>;
/**
* Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `autoSubscribeNewMembers` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
autoSubscribeNewMembers?: pulumi.Input<boolean>;
/**
* A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
*/
behaviors?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The description for the group.
*/
description?: pulumi.Input<string>;
/**
* The display name for the group. Display names are not unique in the directory; see `preventDuplicateNames`.
*/
displayName?: pulumi.Input<string>;
/**
* A `dynamicMembership` block (typed here as `inputs.GroupWithoutMembersDynamicMembership`). Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
*
* NOTE(review): no `members` property is declared on this interface; that sentence appears to come from the shared group documentation.
*/
dynamicMembership?: pulumi.Input<inputs.GroupWithoutMembersDynamicMembership>;
/**
* Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `externalSendersAllowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
externalSendersAllowed?: pulumi.Input<boolean>;
/**
* Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromAddressLists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromAddressLists?: pulumi.Input<boolean>;
/**
* Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromOutlookClients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromOutlookClients?: pulumi.Input<boolean>;
/**
* The SMTP address for the group.
*/
mail?: pulumi.Input<string>;
/**
* Whether the group is mail enabled, with a shared group mailbox. At least one of `mailEnabled` or `securityEnabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
*/
mailEnabled?: pulumi.Input<boolean>;
/**
* The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
*/
mailNickname?: pulumi.Input<string>;
/**
* The object ID of the group.
*/
objectId?: pulumi.Input<string>;
/**
* The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesDomainName?: pulumi.Input<string>;
/**
* The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
*/
onpremisesGroupType?: pulumi.Input<string>;
/**
* The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesNetbiosName?: pulumi.Input<string>;
/**
* The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesSamAccountName?: pulumi.Input<string>;
/**
* The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesSecurityIdentifier?: pulumi.Input<string>;
/**
* Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
*
* NOTE(review): the declared type is `boolean`, so how the never-synchronised (`null`) case is represented is not visible from this declaration; confirm before relying on a three-state check.
*/
onpremisesSyncEnabled?: pulumi.Input<boolean>;
/**
* A set of owners who own this group, given as object IDs. Supported object types are Users or Service Principals.
*/
owners?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
*/
preferredLanguage?: pulumi.Input<string>;
/**
* If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
*/
preventDuplicateNames?: pulumi.Input<boolean>;
/**
* A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
*/
provisioningOptions?: pulumi.Input<pulumi.Input<string>[]>;
/**
* List of email addresses for the group that direct to the same group mailbox.
*/
proxyAddresses?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Whether the group is a security group for controlling access to in-app resources. At least one of `securityEnabled` or `mailEnabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
*/
securityEnabled?: pulumi.Input<boolean>;
/**
* The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
*/
theme?: pulumi.Input<string>;
/**
* A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mailEnabled` is true. Changing this forces a new resource to be created.
*
* > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
*/
types?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
*
* Because Microsoft 365 groups default to `Public`, set `Private` explicitly when the group's content should not be open by default.
*
* > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `preventDuplicateNames` argument to check for existing groups if you want to avoid name collisions.
*/
visibility?: pulumi.Input<string>;
/**
* Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
*/
writebackEnabled?: pulumi.Input<boolean>;
}
/**
* The set of arguments for constructing a GroupWithoutMembers resource.
*/
export interface GroupWithoutMembersArgs {
/**
* The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
*
* > **Caution** When using the azuread.AdministrativeUnitMember resource, or the `members` property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to ignore changes to `administrativeUnitIds` on the group resource (in Pulumi, the `ignoreChanges: ["administrativeUnitIds"]` resource option) in order to avoid a persistent diff. The upstream text names the `azuread.Group` resource; presumably the same applies to this resource (confirm).
*/
administrativeUnitIds?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
*
* > **Security note** Any directory role assigned to a role-assignable group applies to all of its members, so treat ownership and membership of such a group as privileged. Leave this unset unless the group is meant to carry a directory role.
*/
assignableToRole?: pulumi.Input<boolean>;
/**
* Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `autoSubscribeNewMembers` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
autoSubscribeNewMembers?: pulumi.Input<boolean>;
/**
* A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
*/
behaviors?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The description for the group.
*/
description?: pulumi.Input<string>;
/**
* The display name for the group. This is the only required argument. Display names are not unique in the directory; see `preventDuplicateNames`.
*/
displayName: pulumi.Input<string>;
/**
* A `dynamicMembership` block (typed here as `inputs.GroupWithoutMembersDynamicMembership`). Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
*
* NOTE(review): no `members` property is declared on this interface; that sentence appears to come from the shared group documentation.
*/
dynamicMembership?: pulumi.Input<inputs.GroupWithoutMembersDynamicMembership>;
/**
* Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `externalSendersAllowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
externalSendersAllowed?: pulumi.Input<boolean>;
/**
* Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromAddressLists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromAddressLists?: pulumi.Input<boolean>;
/**
* Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromOutlookClients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromOutlookClients?: pulumi.Input<boolean>;
/**
* Whether the group is mail enabled, with a shared group mailbox. At least one of `mailEnabled` or `securityEnabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
*/
mailEnabled?: pulumi.Input<boolean>;
/**
* The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
*/
mailNickname?: pulumi.Input<string>;
/**
* The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
*/
onpremisesGroupType?: pulumi.Input<string>;
/**
* A set of owners who own this group, given as object IDs. Supported object types are Users or Service Principals.
*/
owners?: pulumi.Input<pulumi.Input<string>[]>;
/**
* If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
*/
preventDuplicateNames?: pulumi.Input<boolean>;
/**
* A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
*/
provisioningOptions?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Whether the group is a security group for controlling access to in-app resources. At least one of `securityEnabled` or `mailEnabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
*/
securityEnabled?: pulumi.Input<boolean>;
/**
* The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
*/
theme?: pulumi.Input<string>;
/**
* A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mailEnabled` is true. Changing this forces a new resource to be created.
*
* > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
*/
types?: pulumi.Input<pulumi.Input<string>[]>;
/**
* The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
*
* Because Microsoft 365 groups default to `Public`, set `Private` explicitly when the group's content should not be open by default.
*
* > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `preventDuplicateNames` argument to check for existing groups if you want to avoid name collisions.
*/
visibility?: pulumi.Input<string>;
/**
* Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
*/
writebackEnabled?: pulumi.Input<boolean>;
}