UNPKG

@pulumi/azuread

Version:

A Pulumi package for creating and managing Azure Active Directory (Azure AD) cloud resources.

pulumi.io

pulumi/pulumi-azuread

440 lines (439 loc) • 23.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
import * as pulumi from "@pulumi/pulumi"; import * as inputs from "./types/input"; import * as outputs from "./types/output"; /** * ## Example Usage * * *Create a service principal for an application* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const current = azuread.getClientConfig({}); * const example = new azuread.Application("example", { * displayName: "example", * owners: [current.then(current => current.objectId)], * }); * const exampleServicePrincipal = new azuread.ServicePrincipal("example", { * clientId: example.clientId, * appRoleAssignmentRequired: false, * owners: [current.then(current => current.objectId)], * }); * ``` * * *Create a service principal for an enterprise application* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const current = azuread.getClientConfig({}); * const example = new azuread.Application("example", { * displayName: "example", * owners: [current.then(current => current.objectId)], * }); * const exampleServicePrincipal = new azuread.ServicePrincipal("example", { * clientId: example.clientId, * appRoleAssignmentRequired: false, * owners: [current.then(current => current.objectId)], * featureTags: [{ * enterprise: true, * gallery: true, * }], * }); * ``` * * *Manage a service principal for a first-party Microsoft application* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const wellKnown = azuread.getApplicationPublishedAppIds({}); * const msgraph = new azuread.ServicePrincipal("msgraph", { * clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph), * useExisting: true, * }); * ``` * * *Create a service principal for an application created from a gallery template* * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const example = azuread.getApplicationTemplate({ * displayName: "Marketo", * }); * const exampleApplication = new azuread.Application("example", { * displayName: "example", * templateId: example.then(example => example.templateId), * }); * const exampleServicePrincipal = new azuread.ServicePrincipal("example", { * clientId: exampleApplication.clientId, * useExisting: true, * }); * ``` * * ## Import * * Service principals can be imported using their object ID, e.g. * * ```sh * $ pulumi import azuread:index/servicePrincipal:ServicePrincipal example /servicePrincipals/00000000-0000-0000-0000-000000000000 * ``` */ export declare class ServicePrincipal extends pulumi.CustomResource { /** * Get an existing ServicePrincipal resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ServicePrincipalState, opts?: pulumi.CustomResourceOptions): ServicePrincipal; /** * Returns true if the given object is an instance of ServicePrincipal. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is ServicePrincipal; /** * Whether or not the service principal account is enabled. Defaults to `true`. */ readonly accountEnabled: pulumi.Output<boolean | undefined>; /** * A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. */ readonly alternativeNames: pulumi.Output<string[] | undefined>; /** * Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to `false`. */ readonly appRoleAssignmentRequired: pulumi.Output<boolean | undefined>; /** * A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration. */ readonly appRoleIds: pulumi.Output<{ [key: string]: string; }>; /** * A list of app roles published by the associated application, as documented below. For more information [official documentation](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles). */ readonly appRoles: pulumi.Output<outputs.ServicePrincipalAppRole[]>; /** * The tenant ID where the associated application is registered. */ readonly applicationTenantId: pulumi.Output<string>; /** * The client ID of the application for which to create a service principal. */ readonly clientId: pulumi.Output<string>; /** * A description of the service principal provided for internal end-users. */ readonly description: pulumi.Output<string | undefined>; /** * Display name for the app role that appears during app role assignment and in consent experiences. */ readonly displayName: pulumi.Output<string>; /** * A `featureTags` block as described below. Cannot be used together with the `tags` property. * * > **Features and Tags** Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure `featureTags` and `tags` for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the `tags` property instead. Any tags configured for the linked application will propagate to this service principal. */ readonly featureTags: pulumi.Output<outputs.ServicePrincipalFeatureTag[]>; /** * Block of features to configure for this service principal using tags * * @deprecated This block has been renamed to `featureTags` and will be removed in version 3.0 of the provider */ readonly features: pulumi.Output<outputs.ServicePrincipalFeature[]>; /** * Home page or landing page of the associated application. */ readonly homepageUrl: pulumi.Output<string>; /** * The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. */ readonly loginUrl: pulumi.Output<string | undefined>; /** * The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application. */ readonly logoutUrl: pulumi.Output<string>; /** * A free text field to capture information about the service principal, typically used for operational purposes. */ readonly notes: pulumi.Output<string | undefined>; /** * A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. */ readonly notificationEmailAddresses: pulumi.Output<string[] | undefined>; /** * A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration. */ readonly oauth2PermissionScopeIds: pulumi.Output<{ [key: string]: string; }>; /** * A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below. */ readonly oauth2PermissionScopes: pulumi.Output<outputs.ServicePrincipalOauth2PermissionScope[]>; /** * The object ID of the service principal. */ readonly objectId: pulumi.Output<string>; /** * A list of object IDs of principals that will be granted ownership of the service principal */ readonly owners: pulumi.Output<string[] | undefined>; /** * The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are `oidc`, `password`, `saml` or `notSupported`. Omit this property or specify a blank string to unset. */ readonly preferredSingleSignOnMode: pulumi.Output<string | undefined>; /** * A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application. */ readonly redirectUris: pulumi.Output<string[]>; /** * The URL where the service exposes SAML metadata for federation. */ readonly samlMetadataUrl: pulumi.Output<string>; /** * A `samlSingleSignOn` block as documented below. */ readonly samlSingleSignOn: pulumi.Output<outputs.ServicePrincipalSamlSingleSignOn | undefined>; /** * A list of identifier URI(s), copied over from the associated application. */ readonly servicePrincipalNames: pulumi.Output<string[]>; /** * The Microsoft account types that are supported for the associated application. Possible values include `AzureADMyOrg`, `AzureADMultipleOrgs`, `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount`. */ readonly signInAudience: pulumi.Output<string>; /** * A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the `featureTags` block. * * > **Tags and Features** Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the `tags` property or with the `featureTags` block. If you need to set any custom tag values not supported by the `featureTags` block, it's recommended to use the `tags` property. Tag values set for the linked application will also propagate to this service principal. */ readonly tags: pulumi.Output<string[]>; /** * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are `User` or `Admin`. */ readonly type: pulumi.Output<string>; /** * When true, the resource will return an existing service principal instead of failing with an error */ readonly useExisting: pulumi.Output<boolean | undefined>; /** * Create a ServicePrincipal resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: ServicePrincipalArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering ServicePrincipal resources. */ export interface ServicePrincipalState { /** * Whether or not the service principal account is enabled. Defaults to `true`. */ accountEnabled?: pulumi.Input<boolean>; /** * A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. */ alternativeNames?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to `false`. */ appRoleAssignmentRequired?: pulumi.Input<boolean>; /** * A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration. */ appRoleIds?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * A list of app roles published by the associated application, as documented below. For more information [official documentation](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles). */ appRoles?: pulumi.Input<pulumi.Input<inputs.ServicePrincipalAppRole>[]>; /** * The tenant ID where the associated application is registered. */ applicationTenantId?: pulumi.Input<string>; /** * The client ID of the application for which to create a service principal. */ clientId?: pulumi.Input<string>; /** * A description of the service principal provided for internal end-users. */ description?: pulumi.Input<string>; /** * Display name for the app role that appears during app role assignment and in consent experiences. */ displayName?: pulumi.Input<string>; /** * A `featureTags` block as described below. Cannot be used together with the `tags` property. * * > **Features and Tags** Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure `featureTags` and `tags` for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the `tags` property instead. Any tags configured for the linked application will propagate to this service principal. */ featureTags?: pulumi.Input<pulumi.Input<inputs.ServicePrincipalFeatureTag>[]>; /** * Block of features to configure for this service principal using tags * * @deprecated This block has been renamed to `featureTags` and will be removed in version 3.0 of the provider */ features?: pulumi.Input<pulumi.Input<inputs.ServicePrincipalFeature>[]>; /** * Home page or landing page of the associated application. */ homepageUrl?: pulumi.Input<string>; /** * The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. */ loginUrl?: pulumi.Input<string>; /** * The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application. */ logoutUrl?: pulumi.Input<string>; /** * A free text field to capture information about the service principal, typically used for operational purposes. */ notes?: pulumi.Input<string>; /** * A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. */ notificationEmailAddresses?: pulumi.Input<pulumi.Input<string>[]>; /** * A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration. */ oauth2PermissionScopeIds?: pulumi.Input<{ [key: string]: pulumi.Input<string>; }>; /** * A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below. */ oauth2PermissionScopes?: pulumi.Input<pulumi.Input<inputs.ServicePrincipalOauth2PermissionScope>[]>; /** * The object ID of the service principal. */ objectId?: pulumi.Input<string>; /** * A list of object IDs of principals that will be granted ownership of the service principal */ owners?: pulumi.Input<pulumi.Input<string>[]>; /** * The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are `oidc`, `password`, `saml` or `notSupported`. Omit this property or specify a blank string to unset. */ preferredSingleSignOnMode?: pulumi.Input<string>; /** * A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application. */ redirectUris?: pulumi.Input<pulumi.Input<string>[]>; /** * The URL where the service exposes SAML metadata for federation. */ samlMetadataUrl?: pulumi.Input<string>; /** * A `samlSingleSignOn` block as documented below. */ samlSingleSignOn?: pulumi.Input<inputs.ServicePrincipalSamlSingleSignOn>; /** * A list of identifier URI(s), copied over from the associated application. */ servicePrincipalNames?: pulumi.Input<pulumi.Input<string>[]>; /** * The Microsoft account types that are supported for the associated application. Possible values include `AzureADMyOrg`, `AzureADMultipleOrgs`, `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount`. */ signInAudience?: pulumi.Input<string>; /** * A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the `featureTags` block. * * > **Tags and Features** Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the `tags` property or with the `featureTags` block. If you need to set any custom tag values not supported by the `featureTags` block, it's recommended to use the `tags` property. Tag values set for the linked application will also propagate to this service principal. */ tags?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are `User` or `Admin`. */ type?: pulumi.Input<string>; /** * When true, the resource will return an existing service principal instead of failing with an error */ useExisting?: pulumi.Input<boolean>; } /** * The set of arguments for constructing a ServicePrincipal resource. */ export interface ServicePrincipalArgs { /** * Whether or not the service principal account is enabled. Defaults to `true`. */ accountEnabled?: pulumi.Input<boolean>; /** * A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. */ alternativeNames?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to `false`. */ appRoleAssignmentRequired?: pulumi.Input<boolean>; /** * The client ID of the application for which to create a service principal. */ clientId: pulumi.Input<string>; /** * A description of the service principal provided for internal end-users. */ description?: pulumi.Input<string>; /** * A `featureTags` block as described below. Cannot be used together with the `tags` property. * * > **Features and Tags** Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure `featureTags` and `tags` for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the `tags` property instead. Any tags configured for the linked application will propagate to this service principal. */ featureTags?: pulumi.Input<pulumi.Input<inputs.ServicePrincipalFeatureTag>[]>; /** * Block of features to configure for this service principal using tags * * @deprecated This block has been renamed to `featureTags` and will be removed in version 3.0 of the provider */ features?: pulumi.Input<pulumi.Input<inputs.ServicePrincipalFeature>[]>; /** * The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. */ loginUrl?: pulumi.Input<string>; /** * A free text field to capture information about the service principal, typically used for operational purposes. */ notes?: pulumi.Input<string>; /** * A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. */ notificationEmailAddresses?: pulumi.Input<pulumi.Input<string>[]>; /** * A list of object IDs of principals that will be granted ownership of the service principal */ owners?: pulumi.Input<pulumi.Input<string>[]>; /** * The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are `oidc`, `password`, `saml` or `notSupported`. Omit this property or specify a blank string to unset. */ preferredSingleSignOnMode?: pulumi.Input<string>; /** * A `samlSingleSignOn` block as documented below. */ samlSingleSignOn?: pulumi.Input<inputs.ServicePrincipalSamlSingleSignOn>; /** * A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the `featureTags` block. * * > **Tags and Features** Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the `tags` property or with the `featureTags` block. If you need to set any custom tag values not supported by the `featureTags` block, it's recommended to use the `tags` property. Tag values set for the linked application will also propagate to this service principal. */ tags?: pulumi.Input<pulumi.Input<string>[]>; /** * When true, the resource will return an existing service principal instead of failing with an error */ useExisting?: pulumi.Input<boolean>; }