// Type declarations for the nested output properties of @pulumi/azuread
// resources (Access Package assignment policies, Applications, Conditional
// Access policies, Custom Directory Roles) and of the getApplication data
// source. NOTE(review): this file looks generated from the provider schema —
// confirm before hand-editing.
import * as outputs from "../types/output";

export interface AccessPackageAssignmentPolicyApprovalSettings {
    /**
     * Whether an approval is required.
     */
    approvalRequired?: boolean;
    /**
     * Whether an approval is required to grant extension. Same approval settings used to approve initial access will apply.
     */
    approvalRequiredForExtension?: boolean;
    /**
     * An `approvalStage` block specifying the process to obtain an approval, as documented below.
     */
    approvalStages?: outputs.AccessPackageAssignmentPolicyApprovalSettingsApprovalStage[];
    /**
     * Whether a requestor is required to provide a justification to request an access package. Justification is visible to approvers and the requestor.
     */
    requestorJustificationRequired?: boolean;
}

export interface AccessPackageAssignmentPolicyApprovalSettingsApprovalStage {
    /**
     * If no action is taken, forward to alternate approvers?
     */
    alternativeApprovalEnabled?: boolean;
    /**
     * If escalation is enabled and the primary approvers do not respond before the escalation time, the escalationApprovers are the users who will be asked to approve requests. This can be a collection of singleUser, groupMembers, requestorManager, internalSponsors and externalSponsors. When creating or updating a policy, if there are no escalation approvers, or escalation approvers are not required for the stage, the value of this property should be an empty collection.
     */
    alternativeApprovers?: outputs.AccessPackageAssignmentPolicyApprovalSettingsApprovalStageAlternativeApprover[];
    /**
     * Decision must be made in how many days? If a request is not approved within this time period after it is made, it will be automatically rejected.
     */
    approvalTimeoutInDays: number;
    /**
     * Whether an approver must provide a justification for their decision. Justification is visible to other approvers and the requestor.
     */
    approverJustificationRequired?: boolean;
    /**
     * Forward to alternate approver(s) after how many days?
     */
    enableAlternativeApprovalInDays?: number;
    /**
     * The users who will be asked to approve requests. A collection of singleUser, groupMembers, requestorManager, internalSponsors and externalSponsors. When creating or updating a policy, include at least one userSet in this collection.
     */
    primaryApprovers?: outputs.AccessPackageAssignmentPolicyApprovalSettingsApprovalStagePrimaryApprover[];
}

export interface AccessPackageAssignmentPolicyApprovalSettingsApprovalStageAlternativeApprover {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver.
     */
    backup?: boolean;
    /**
     * The object ID of the subject.
     */
    objectId?: string;
    /**
     * Type of users.
     */
    subjectType: string;
}

export interface AccessPackageAssignmentPolicyApprovalSettingsApprovalStagePrimaryApprover {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver.
     */
    backup?: boolean;
    /**
     * The object ID of the subject.
     */
    objectId?: string;
    /**
     * Type of users.
     */
    subjectType: string;
}

export interface AccessPackageAssignmentPolicyAssignmentReviewSettings {
    /**
     * Whether to show the reviewer decision helpers. If enabled, system recommendations based on users' access information will be shown to the reviewers. The reviewer will be recommended to approve the review if the user has signed in at least once during the last 30 days. The reviewer will be recommended to deny the review if the user has not signed in during the last 30 days.
     */
    accessRecommendationEnabled?: boolean;
    /**
     * Specifies the actions the system takes if reviewers don't respond in time. Valid values are `keepAccess`, `removeAccess`, or `acceptAccessRecommendation`.
     */
    accessReviewTimeoutBehavior?: string;
    /**
     * Whether a reviewer needs to provide a justification for their decision. Justification is visible to other reviewers and the requestor.
     */
    approverJustificationRequired?: boolean;
    /**
     * How many days each occurrence of the access review series will run.
     */
    durationInDays?: number;
    /**
     * Whether to enable assignment review.
     */
    enabled?: boolean;
    /**
     * This will determine how often the access review campaign runs. Valid values are `weekly`, `monthly`, `quarterly`, `halfyearly`, or `annual`.
     */
    reviewFrequency?: string;
    /**
     * Self-review or specific reviewers. Valid values are `Manager`, `Reviewers`, or `Self`.
     */
    reviewType?: string;
    /**
     * One or more `reviewer` blocks to specify the users who will be reviewers (when `reviewType` is `Reviewers`), as documented below.
     */
    reviewers?: outputs.AccessPackageAssignmentPolicyAssignmentReviewSettingsReviewer[];
    /**
     * This is the date the access review campaign will start on, formatted as an RFC3339 date string in UTC (e.g. 2018-01-01T01:02:03Z); default is now. Once an access review has been created, you cannot update its start date.
     */
    startingOn?: string;
}

export interface AccessPackageAssignmentPolicyAssignmentReviewSettingsReviewer {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver.
     */
    backup?: boolean;
    /**
     * The object ID of the subject.
     */
    objectId?: string;
    /**
     * Type of users.
     */
    subjectType: string;
}

export interface AccessPackageAssignmentPolicyQuestion {
    /**
     * One or more blocks configuring a choice to the question, as documented below.
     */
    choices?: outputs.AccessPackageAssignmentPolicyQuestionChoice[];
    /**
     * Whether this question is required.
     */
    required?: boolean;
    /**
     * The sequence number of this question.
     */
    sequence?: number;
    /**
     * A block describing the content of this question, as documented below.
     */
    text: outputs.AccessPackageAssignmentPolicyQuestionText;
}

export interface AccessPackageAssignmentPolicyQuestionChoice {
    /**
     * The actual value of this choice.
     */
    actualValue: string;
    /**
     * The display text of this choice.
     */
    displayValue: outputs.AccessPackageAssignmentPolicyQuestionChoiceDisplayValue;
}

export interface AccessPackageAssignmentPolicyQuestionChoiceDisplayValue {
    /**
     * The default text of this question.
     */
    defaultText: string;
    /**
     * The localized text of this question.
     */
    localizedTexts?: outputs.AccessPackageAssignmentPolicyQuestionChoiceDisplayValueLocalizedText[];
}

export interface AccessPackageAssignmentPolicyQuestionChoiceDisplayValueLocalizedText {
    /**
     * The localized content of this question.
     */
    content: string;
    /**
     * The language code of this question content.
     */
    languageCode: string;
}

export interface AccessPackageAssignmentPolicyQuestionText {
    /**
     * The default text of this question.
     */
    defaultText: string;
    /**
     * The localized text of this question.
     */
    localizedTexts?: outputs.AccessPackageAssignmentPolicyQuestionTextLocalizedText[];
}

export interface AccessPackageAssignmentPolicyQuestionTextLocalizedText {
    /**
     * The localized content of this question.
     */
    content: string;
    /**
     * The language code of this question content.
     */
    languageCode: string;
}

export interface AccessPackageAssignmentPolicyRequestorSettings {
    /**
     * A block specifying the users who are allowed to request on this policy, as documented below.
     */
    requestors?: outputs.AccessPackageAssignmentPolicyRequestorSettingsRequestor[];
    /**
     * Whether to accept requests using this policy. When `false`, no new requests can be made using this policy.
     */
    requestsAccepted?: boolean;
    /**
     * Specifies the scopes of the requestors. Valid values are `AllConfiguredConnectedOrganizationSubjects`, `AllExistingConnectedOrganizationSubjects`, `AllExistingDirectoryMemberUsers`, `AllExistingDirectorySubjects`, `AllExternalSubjects`, `NoSubjects`, `SpecificConnectedOrganizationSubjects`, or `SpecificDirectorySubjects`.
     */
    scopeType?: string;
}

export interface AccessPackageAssignmentPolicyRequestorSettingsRequestor {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver.
     */
    backup?: boolean;
    /**
     * The object ID of the subject.
     */
    objectId?: string;
    /**
     * Type of users.
     */
    subjectType: string;
}

export interface ApplicationApi {
    /**
     * A set of client IDs, used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app.
     */
    knownClientApplications?: string[];
    /**
     * Allows an application to use claims mapping without specifying a custom signing key. Defaults to `false`.
     */
    mappedClaimsEnabled?: boolean;
    /**
     * One or more `oauth2PermissionScope` blocks as documented below, to describe delegated permissions exposed by the web API represented by this application.
     */
    oauth2PermissionScopes?: outputs.ApplicationApiOauth2PermissionScope[];
    /**
     * The access token version expected by this resource. Must be one of `1` or `2`, and must be `2` when `signInAudience` is either `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount`. Defaults to `1`.
     */
    requestedAccessTokenVersion?: number;
}

export interface ApplicationApiOauth2PermissionScope {
    /**
     * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDescription?: string;
    /**
     * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDisplayName?: string;
    /**
     * Determines if the permission scope is enabled. Defaults to `true`.
     */
    enabled?: boolean;
    /**
     * The unique identifier of the delegated permission. Must be a valid UUID.
     *
     * > **Tip: Generating a UUID for the `id` field** To generate a value for the `id` field in cases where the actual UUID is not important, you can use the `randomUuid` resource. See the application example in the provider repository.
     */
    id: string;
    /**
     * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Defaults to `User`. Possible values are `User` or `Admin`.
     */
    type?: string;
    /**
     * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
     */
    userConsentDescription?: string;
    /**
     * Display name for the delegated permission that appears in the end user consent experience.
     */
    userConsentDisplayName?: string;
    /**
     * The value that is used for the `scp` claim in OAuth 2.0 access tokens.
     */
    value?: string;
}

export interface ApplicationAppRole {
    /**
     * Specifies whether this app role definition can be assigned to users and groups by setting to `User`, or to other applications (that are accessing this application in a standalone scenario) by setting to `Application`, or to both.
     */
    allowedMemberTypes: string[];
    /**
     * Description of the app role that appears when the role is being assigned and, if the role functions as an application permission, during the consent experiences.
     */
    description: string;
    /**
     * Display name for the app role that appears during app role assignment and in consent experiences.
     */
    displayName: string;
    /**
     * Determines if the app role is enabled. Defaults to `true`.
     */
    enabled?: boolean;
    /**
     * The unique identifier of the app role. Must be a valid UUID.
     *
     * > **Tip: Generating a UUID for the `id` field** To generate a value for the `id` field in cases where the actual UUID is not important, you can use the `randomUuid` resource. See the application example in the provider repository.
     */
    id: string;
    /**
     * The value that is used for the `roles` claim in ID tokens and OAuth 2.0 access tokens that are authenticating an assigned service or user principal.
     */
    value?: string;
}

export interface ApplicationFeatureTag {
    /**
     * Whether this application represents a custom SAML application for linked service principals. Enabling this will assign the `WindowsAzureActiveDirectoryCustomSingleSignOnApplication` tag. Defaults to `false`.
     */
    customSingleSignOn?: boolean;
    /**
     * Whether this application represents an Enterprise Application for linked service principals. Enabling this will assign the `WindowsAzureActiveDirectoryIntegratedApp` tag. Defaults to `false`.
     */
    enterprise?: boolean;
    /**
     * Whether this application represents a gallery application for linked service principals. Enabling this will assign the `WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1` tag. Defaults to `false`.
     */
    gallery?: boolean;
    /**
     * Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the `HideApp` tag. Defaults to `false`.
     */
    hide?: boolean;
}

export interface ApplicationOptionalClaims {
    /**
     * One or more `accessToken` blocks as documented below.
     */
    accessTokens?: outputs.ApplicationOptionalClaimsAccessToken[];
    /**
     * One or more `idToken` blocks as documented below.
     */
    idTokens?: outputs.ApplicationOptionalClaimsIdToken[];
    /**
     * One or more `saml2Token` blocks as documented below.
     */
    saml2Tokens?: outputs.ApplicationOptionalClaimsSaml2Token[];
}

export interface ApplicationOptionalClaimsAccessToken {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
     */
    additionalProperties?: string[];
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: boolean;
    /**
     * The name of the optional claim.
     */
    name: string;
    /**
     * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
     */
    source?: string;
}

export interface ApplicationOptionalClaimsIdToken {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
     */
    additionalProperties?: string[];
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: boolean;
    /**
     * The name of the optional claim.
     */
    name: string;
    /**
     * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
     */
    source?: string;
}

export interface ApplicationOptionalClaimsSaml2Token {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
     */
    additionalProperties?: string[];
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: boolean;
    /**
     * The name of the optional claim.
     */
    name: string;
    /**
     * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
     */
    source?: string;
}

export interface ApplicationPassword {
    /**
     * A display name for the password. Changing this field forces a new resource to be created.
     */
    displayName: string;
    /**
     * The end date until which the password is valid, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`). Changing this field forces a new resource to be created.
     */
    endDate: string;
    /**
     * (Required) The unique key ID for the generated password.
     */
    keyId: string;
    /**
     * The start date from which the password is valid, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`). If this isn't specified, the current date is used. Changing this field forces a new resource to be created.
     */
    startDate: string;
    /**
     * (Required) The generated password for the application.
     *
     * NOTE(review): this is an application credential; treat it as a secret wherever
     * this output is stored or displayed (state, logs, stack outputs).
     */
    value: string;
}

export interface ApplicationPublicClient {
    /**
     * A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid `https` or `ms-appx-web` URL.
     */
    redirectUris?: string[];
}

export interface ApplicationRequiredResourceAccess {
    /**
     * A collection of `resourceAccess` blocks as documented below, describing OAuth2.0 permission scopes and app roles that the application requires from the specified resource.
     */
    resourceAccesses: outputs.ApplicationRequiredResourceAccessResourceAccess[];
    /**
     * The unique identifier for the resource that the application requires access to. This should be the Application ID of the target application.
     *
     * > **Note:** Documentation on `resourceAppId` values for Microsoft APIs can be difficult to find, but you can use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_list) to find them. (e.g. `az ad sp list --display-name "Microsoft Graph" --query '[].{appDisplayName:appDisplayName, appId:appId}'`)
     */
    resourceAppId: string;
}

export interface ApplicationRequiredResourceAccessResourceAccess {
    /**
     * The unique identifier for an app role or OAuth2 permission scope published by the resource application.
     */
    id: string;
    /**
     * Specifies whether the `id` property references an app role or an OAuth2 permission scope. Possible values are `Role` or `Scope`.
     */
    type: string;
}

export interface ApplicationSinglePageApplication {
    /**
     * A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid `https` URL.
     */
    redirectUris?: string[];
}

export interface ApplicationWeb {
    /**
     * Home page or landing page of the application.
     */
    homepageUrl?: string;
    /**
     * An `implicitGrant` block as documented above.
     */
    implicitGrant?: outputs.ApplicationWebImplicitGrant;
    /**
     * The URL that will be used by Microsoft's authorization service to sign out a user using front-channel, back-channel or SAML logout protocols.
     */
    logoutUrl?: string;
    /**
     * A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid `http` URL or a URN.
     */
    redirectUris?: string[];
}

export interface ApplicationWebImplicitGrant {
    /**
     * Whether this web application can request an access token using OAuth 2.0 implicit flow.
     */
    accessTokenIssuanceEnabled?: boolean;
    /**
     * Whether this web application can request an ID token using OAuth 2.0 implicit flow.
     */
    idTokenIssuanceEnabled?: boolean;
}

export interface ConditionalAccessPolicyConditions {
    /**
     * An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
     */
    applications: outputs.ConditionalAccessPolicyConditionsApplications;
    /**
     * A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
     */
    clientAppTypes: string[];
    /**
     * A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
     */
    clientApplications?: outputs.ConditionalAccessPolicyConditionsClientApplications;
    /**
     * A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
     */
    devices?: outputs.ConditionalAccessPolicyConditionsDevices;
    /**
     * The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
     */
    insiderRiskLevels: string;
    /**
     * A `locations` block as documented below, which specifies locations included in and excluded from the policy.
     */
    locations?: outputs.ConditionalAccessPolicyConditionsLocations;
    /**
     * A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
     */
    platforms?: outputs.ConditionalAccessPolicyConditionsPlatforms;
    /**
     * A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
     */
    servicePrincipalRiskLevels?: string[];
    /**
     * A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
     */
    signInRiskLevels?: string[];
    /**
     * A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
     */
    userRiskLevels?: string[];
    /**
     * A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
     */
    users: outputs.ConditionalAccessPolicyConditionsUsers;
}

export interface ConditionalAccessPolicyConditionsApplications {
    /**
     * A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
     */
    excludedApplications?: string[];
    /**
     * A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
     */
    includedApplications?: string[];
    /**
     * A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
     */
    includedUserActions?: string[];
}

export interface ConditionalAccessPolicyConditionsClientApplications {
    /**
     * A list of service principal IDs explicitly excluded in the policy.
     */
    excludedServicePrincipals?: string[];
    /**
     * A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
     */
    includedServicePrincipals?: string[];
}

export interface ConditionalAccessPolicyConditionsDevices {
    /**
     * A `filter` block as described below.
     */
    filter?: outputs.ConditionalAccessPolicyConditionsDevicesFilter;
}

export interface ConditionalAccessPolicyConditionsDevicesFilter {
    /**
     * Whether to include in, or exclude from, the policy the devices matched by `rule`. Supported values are `include` or `exclude`.
     */
    mode: string;
    /**
     * Condition filter to match devices. For more information, see [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters).
     */
    rule: string;
}

export interface ConditionalAccessPolicyConditionsLocations {
    /**
     * A list of location IDs excluded from the scope of the policy. Can also be set to `AllTrusted`.
     */
    excludedLocations?: string[];
    /**
     * A list of location IDs in scope of the policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
     */
    includedLocations: string[];
}

export interface ConditionalAccessPolicyConditionsPlatforms {
    /**
     * A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
     */
    excludedPlatforms?: string[];
    /**
     * A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
     */
    includedPlatforms: string[];
}

export interface ConditionalAccessPolicyConditionsUsers {
    /**
     * A list of group IDs excluded from the scope of the policy.
     */
    excludedGroups?: string[];
    /**
     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from the scope of the policy.
     */
    excludedGuestsOrExternalUsers?: outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser[];
    /**
     * A list of role IDs excluded from the scope of the policy.
     */
    excludedRoles?: string[];
    /**
     * A list of user IDs excluded from the scope of the policy and/or `GuestsOrExternalUsers`.
     */
    excludedUsers?: string[];
    /**
     * A list of group IDs in scope of the policy unless explicitly excluded.
     */
    includedGroups?: string[];
    /**
     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of the policy.
     */
    includedGuestsOrExternalUsers?: outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser[];
    /**
     * A list of role IDs in scope of the policy unless explicitly excluded.
     */
    includedRoles?: string[];
    /**
     * A list of user IDs in scope of the policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
     *
     * > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
     */
    includedUsers?: string[];
}

export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
    /**
     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
     */
    externalTenants?: outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant[];
    /**
     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
     */
    guestOrExternalUserTypes: string[];
}

export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
    /**
     * A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
     */
    members?: string[];
    /**
     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
     */
    membershipKind: string;
}

export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
    /**
     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
     */
    externalTenants?: outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant[];
    /**
     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
     */
    guestOrExternalUserTypes: string[];
}

export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
    /**
     * A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
     */
    members?: string[];
    /**
     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
     */
    membershipKind: string;
}

export interface ConditionalAccessPolicyGrantControls {
    /**
     * ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
     */
    authenticationStrengthPolicyId?: string;
    /**
     * List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
     */
    builtInControls?: string[];
    /**
     * List of custom control IDs required by the policy.
     */
    customAuthenticationFactors?: string[];
    /**
     * Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
     */
    operator: string;
    /**
     * List of terms of use IDs required by the policy.
     *
     * > At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
     */
    termsOfUses?: string[];
}

export interface ConditionalAccessPolicySessionControls {
    /**
     * Whether application enforced restrictions are enabled. Defaults to `false`.
     *
     * > Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
     */
    applicationEnforcedRestrictionsEnabled?: boolean;
    /**
     * Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
     */
    cloudAppSecurityPolicy?: string;
    /**
     * Disables [resilience defaults](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/resilience-defaults). Defaults to `false`.
     */
    disableResilienceDefaults?: boolean;
    /**
     * Session control to define whether to persist cookies. Possible values are: `always` or `never`.
     */
    persistentBrowserMode?: string;
    /**
     * Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
     */
    signInFrequency?: number;
    /**
     * Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
     */
    signInFrequencyAuthenticationType: string;
    /**
     * The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
     */
    signInFrequencyInterval: string;
    /**
     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
     */
    signInFrequencyPeriod?: string;
}

export interface CustomDirectoryRolePermission {
    /**
     * A set of tasks that can be performed on a resource. For more information, see the [Permissions Reference](https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) documentation.
     */
    allowedResourceActions: string[];
}

export interface GetApplicationApi {
    /**
     * A set of application IDs (client IDs), used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app.
     */
    knownClientApplications: string[];
    /**
     * Allows an application to use claims mapping without specifying a custom signing key.
     */
    mappedClaimsEnabled: boolean;
    /**
     * One or more `oauth2PermissionScope` blocks as documented below, to describe delegated permissions exposed by the web API represented by this application.
     */
    oauth2PermissionScopes: outputs.GetApplicationApiOauth2PermissionScope[];
    /**
     * The access token version expected by this resource. Possible values are `1` or `2`.
     */
    requestedAccessTokenVersion: number;
}

export interface GetApplicationApiOauth2PermissionScope {
    /**
     * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDescription: string;
    /**
     * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDisplayName: string;
    /**
     * Determines if the permission scope is enabled.
     */
    enabled: boolean;
    /**
     * The unique identifier of the delegated permission.
     */
    id: string;
    /**
     * Whether this delegated permission is considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator is required for consent to the permission. Possible values are `User` or `Admin`.
     */
    type: string;
    /**
     * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
     */
    userConsentDescription: string;
    /**
     * Display name for the delegated permission that appears in the end user consent experience.
     */
    userConsentDisplayName: string;
    /**
     * The value that is used for the `scp` claim in OAuth 2.0 access tokens.
     */
    value: string;
}

export interface GetApplicationAppRole {
    /**
     * Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are `User` or `Application`, or both.
     */
    allowedMemberTypes: string[];
    /**
     * Description of the app role that appears when the role is being assigned and, if the role functions as an application permission, during the consent experiences.
     */
    description: string;
    /**
     * Display name for the app role that appears during app role assignment and in consent experiences.
     */
    displayName: string;
    /**
     * Determines if the app role is enabled.
     */
    enabled: boolean;
    /**
     * The unique identifier of the app role.
     */
    id: string;
    /**
     * The value that is used for the `roles` claim in ID tokens and OAuth 2.0 access tokens that are authenticating an assigned service or user principal.
     */
    value: string;
}

export interface GetApplicationFeatureTag {
    /**
     * Whether this application represents a custom SAML application for linked service principals.
     */
    customSingleSignOn?: boolean;
    /**
     * Whether this application represents an Enterprise Application for linked service principals.
     */
    enterprise?: boolean;
    /**
     * Whether this application represents a gallery application for linked service principals.
     */
    gallery?: boolean;
    /**
     * Whether this app is hidden from users in My Apps and Office 365 Launcher (i.e. carries the `HideApp` tag).
     */
    hide?: boolean;
}

export interface GetApplicationOptionalClaim {
    /**
     * One or more `accessToken` blocks as documented below.
     */
    accessTokens?: outputs.GetApplicationOptionalClaimAccessToken[];
    /**
     * One or more `idToken` blocks as documented below.
     */
    idTokens?: outputs.GetApplicationOptionalClaimIdToken[];
    /**
     * One or more `saml2Token` blocks as documented below.
     */
    saml2Tokens?: outputs.GetApplicationOptionalClaimSaml2Token[];
}

export interface GetApplicationOptionalClaimAccessToken {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
     */
    additionalProperties?: string[];
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: boolean;
    /**
     * The name of the optional claim.
*/ name: string; /** * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object. */ source?: string; } export interface GetApplicationOptionalClaimIdToken { /** * List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. */ additionalProperties?: string[]; /** * Whether the claim specified by the client is necessary to ensure a smooth authorization experience. */ essential?: boolean; /** * The name of the optional claim. */ name: string; /** * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object. */ source?: string; } export interface GetApplicationOptionalClaimSaml2Token { /** * List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. */ additionalProperties?: string[]; /** * Whether the claim specified by the client is necessary to ensure a smooth authorization experience. */ essential?: boolean; /** * The name of the optional claim. */ name: string; /** * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object. */ source?: string; } export interface GetApplicationPublicClient { /** * A list of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. */ redirectUris: string[]; } export interface GetApplicationRequiredResourceAccess { /** * A collection of `resourceAccess` blocks as documented below, describing OAuth2.0 permission scopes and app roles that the application requires from the specified resource. 
*/ resourceAccesses: outputs.GetApplicationRequiredResourceAccessResourceAccess[]; /** * The unique identifier for the resource that the application requires access to. This is the Application ID of the target application. */ resourceAppId: string; } export interface GetApplicationRequiredResourceAccessResourceAccess { /** * The unique identifier for an app role or OAuth2 permission scope published by the resource application. */ id: string; /** * Specifies whether the `id` property references an app role or an OAuth2 permission scope. Possible values are `Role` or `Scope`. */ type: string; } export interface GetApplicationSinglePageApplication { /** * A list of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. */ redirectUris: string[]; } export interface GetApplicationWeb { /** * Home page or landing page of the application. */ homepageUrl: string; /** * An `implicitGrant` block as documented above. */ implicitGrants: outputs.GetApplicationWebImplicitGrant[]; /** * The URL that will be used by Microsoft's authorization service to sign out a user using front-channel, back-channel or SAML logout protocols. */ logoutUrl: string; /** * A list of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. */ redirectUris: string[]; } export interface GetApplicationWebImplicitGrant { /** * Whether this web application can request an access token using OAuth 2.0 implicit flow. */ accessTokenIssuanceEnabled: boolean; /** * Whether this web application can request an ID token using OAuth 2.0 implicit flow. */ idTokenIssuanceEnabled: boolean; } export interface GetDirectoryRoleTemplatesRoleTemplate { /** * The description of the directory role template. */ description: string; /** * The display name of the directory role template. */ displayName: string; /** * The object ID of the directory role template. 
*/ objectId: string; } export interface GetDirectoryRolesRole { /** * The description of the directory role. */ description: string; /** * The display name of the directory role. */ displayName: string; /** * The object ID of the directory role. */ objectId: string; /** * The template ID of the directory role. */ templateId: string; } export interface GetDomainsDomain { /** * Set to `true` to only return domains whose DNS is managed by Microsoft 365. Defaults to `false`. */ adminManaged: boolean; /** * The authentication type of the domain. Possible values include `Managed` or `Federated`. */ authenticationType: string; /** * Whether this is the default domain that is used for user creation. */ default: boolean; /** * The name of the domain. */ domainName: string; /** * Whether this is the initial domain created by Azure Active Directory. */ initial: boolean; /** * Whether the domain is a verified root domain (not a subdomain). */ root: boolean; /** * A list of capabilities / services supported by the domain. Possible values include `Email`, `Sharepoint`, `EmailInternalRelayOnly`, `OfficeCommunicationsOnline`, `SharePointDefaultDomain`, `FullRedelegation`, `SharePointPublic`, `OrgIdAuthentication`, `Yammer` and `Intune`. */ supportedServices: string[]; /** * Whether the domain has completed domain ownership verification. */ verified: boolean; } export interface GetGroupDynamicMembership { /** * Whether rule processing is "On" (true) or "Paused" (false). */ enabled: boolean; /** * The rule that determines membership of this group. 
*/ rule: string; } export interface GetNamedLocationCountry { countriesAndRegions: string[]; countryLookupMethod: string; includeUnknownCountriesAndRegions: boolean; } export interface GetNamedLocationIp { ipRanges: string[]; trusted: boolean; } export interface GetServicePrincipalAppRole { /** * Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: `User` and `Application`, or both. */ allowedMemberTypes: string[]; /** * Permission help text that appears in the admin app assignment and consent experiences. */ description: string; /** * The display name of the application associated with this service principal. */ displayName: string; /** * Determines if the permission scope is enabled. */ enabled: boolean; /** * The unique identifier of the delegated permission. Must be a valid UUID. */ id: string; /** * The value that is used for the `scp` claim in OAuth 2.0 access tokens. */ value: string; } export interface GetServicePrincipalFeature { /** * Whether this service principal represents a custom SAML application. */ customSingleSignOnApp: boolean; /** * Whether this service principal represents an Enterprise Application. */ enterpriseApplication: boolean; /** * Whether this service principal represents a gallery application. */ galleryApplication: boolean; /** * Whether this app is visible to users in My Apps and Office 365 Launcher. 
*/ visibleToUsers: boolean; } export interface GetServicePrincipalFeatureTag { /** * Whether this service principal represents a custom SAML application */ customSingleSignOn: boolean; /** * Whether this service principal represents an Enterprise Application */ enterprise: boolean; /** * Whether this service principal represents a gallery application */ gallery: boolean; /** * Whether this app is invisible to users in My Apps and Office 365 Launcher */ hide: boolean; } export interface GetServicePrincipalOauth2PermissionScope { /** * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users. */ adminConsentDescription: string; /** * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users. */ adminConsentDisplayName: string; /** * Determines if the permission scope is enabled. */ enabled: boolean; /** * The unique identifier of the delegated permission. Must be a valid UUID. */ id: string; /** * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are `User` or `Admin`. */ type: string; /** * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf. */ userConsentDescription: string; /** * Display name for the delegated permission that appears in the end user consent experience. */ userConsentDisplayName: string; /** * The value that is used for the `scp` claim in OAuth 2.0 access tokens. */ value: string; } export interface GetServicePrincipalSamlSingleSignOn { /** * The relative URI the service provider would redirect to after completion of the single sign-on flow. 
*/ relayState: string; } export interface GetServicePrincipalsServicePrincipal { /** * Whether the service principal account is enabled. */ accountEnabled: boolean; /** * Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. */ appRoleAssignmentRequired: boolean; /** * The tenant ID where the associated application is registered. */ applicationTenantId: string; /** * The application ID (client ID) for the associated application */ clientId: string; /** * The display name of the application associated with this service principal. */ displayName: string; /** * The object ID of the service principal. */ objectId: string; /** * The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. */ preferredSingleSignOnMode: string; /** * The URL where the service exposes SAML metadata for federation. */ samlMetadataUrl: string; /** * A list of identifier URI(s), copied over from the associated application. */ servicePrincipalNames: string[]; /** * The Microsoft account types that are supported for the associated application. Possible values include `AzureADMyOrg`, `AzureADMultipleOrgs`, `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount`. */ signInAudience: string; /** * A list of tags applied to the service principal. */ tags: string[]; /** * Identifies whether the service principal represents an application or a managed identity. Possible values include `Application` or `ManagedIdentity`. */ type: string; } export interface GetUsersUser { /** * Whether the account is enabled. */ accountEnabled: boolean; /** * The display name of the user. */ displayName: string; /** * The employee identifier assigned to the user by the organisation. */ employeeId: string; /** * The SMTP email address of the user. */ mail: string; /** * The email alias of the user. 
*/ mailNickname: string; /** * The object ID of the user. */ objectId: string; /** * The value used to associate an