
@pulumi/azuread


A Pulumi package for creating and managing Azure Active Directory (Azure AD) cloud resources.

import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";

// Input-side property types for the @pulumi/azuread provider. The comment on each
// property is the provider's own documentation for it. Properties typed as
// `pulumi.Input<string>` that list "Possible values" are NOT narrowed to a literal
// union here; presumably the provider or the service rejects other values at deploy
// time — confirm before relying on compile-time checking of those values.

export interface AccessPackageAssignmentPolicyApprovalSettings {
    /**
     * Whether an approval is required.
     */
    approvalRequired?: pulumi.Input<boolean>;
    /**
     * Whether an approval is required to grant extension. Same approval settings used to approve initial access will apply.
     */
    approvalRequiredForExtension?: pulumi.Input<boolean>;
    /**
     * An `approvalStage` block specifying the process to obtain an approval, as documented below.
     */
    approvalStages?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyApprovalSettingsApprovalStage>[]>;
    /**
     * Whether a requestor is required to provide a justification to request an access package. Justification is visible to approvers and the requestor.
     */
    requestorJustificationRequired?: pulumi.Input<boolean>;
}
export interface AccessPackageAssignmentPolicyApprovalSettingsApprovalStage {
    /**
     * If no action taken, forward to alternate approvers?
     */
    alternativeApprovalEnabled?: pulumi.Input<boolean>;
    /**
     * If escalation is enabled and the primary approvers do not respond before the escalation time, the escalationApprovers are the users who will be asked to approve requests. This can be a collection of singleUser, groupMembers, requestorManager, internalSponsors and externalSponsors. When creating or updating a policy, if there are no escalation approvers, or escalation approvers are not required for the stage, the value of this property should be an empty collection
     */
    alternativeApprovers?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyApprovalSettingsApprovalStageAlternativeApprover>[]>;
    /**
     * Decision must be made in how many days? If a request is not approved within this time period after it is made, it will be automatically rejected
     */
    approvalTimeoutInDays: pulumi.Input<number>;
    /**
     * Whether an approver must provide a justification for their decision. Justification is visible to other approvers and the requestor
     */
    approverJustificationRequired?: pulumi.Input<boolean>;
    /**
     * Forward to alternate approver(s) after how many days?
     */
    enableAlternativeApprovalInDays?: pulumi.Input<number>;
    /**
     * The users who will be asked to approve requests. A collection of singleUser, groupMembers, requestorManager, internalSponsors and externalSponsors. When creating or updating a policy, include at least one userSet in this collection
     */
    primaryApprovers?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyApprovalSettingsApprovalStagePrimaryApprover>[]>;
}
export interface AccessPackageAssignmentPolicyApprovalSettingsApprovalStageAlternativeApprover {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver
     */
    backup?: pulumi.Input<boolean>;
    /**
     * The object ID of the subject
     */
    objectId?: pulumi.Input<string>;
    /**
     * Type of users
     */
    subjectType: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyApprovalSettingsApprovalStagePrimaryApprover {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver
     */
    backup?: pulumi.Input<boolean>;
    /**
     * The object ID of the subject
     */
    objectId?: pulumi.Input<string>;
    /**
     * Type of users
     */
    subjectType: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyAssignmentReviewSettings {
    /**
     * Whether to show the reviewer decision helpers. If enabled, system recommendations based on users' access information will be shown to the reviewers. The reviewer will be recommended to approve the review if the user has signed-in at least once during the last 30 days. The reviewer will be recommended to deny the review if the user has not signed-in during the last 30 days.
     */
    accessRecommendationEnabled?: pulumi.Input<boolean>;
    /**
     * Specifies the actions the system takes if reviewers don't respond in time. Valid values are `keepAccess`, `removeAccess`, or `acceptAccessRecommendation`.
     */
    accessReviewTimeoutBehavior?: pulumi.Input<string>;
    /**
     * Whether a reviewer needs to provide a justification for their decision. Justification is visible to other reviewers and the requestor.
     */
    approverJustificationRequired?: pulumi.Input<boolean>;
    /**
     * How many days each occurrence of the access review series will run.
     */
    durationInDays?: pulumi.Input<number>;
    /**
     * Whether to enable assignment review.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * This will determine how often the access review campaign runs, valid values are `weekly`, `monthly`, `quarterly`, `halfyearly`, or `annual`.
     */
    reviewFrequency?: pulumi.Input<string>;
    /**
     * Self-review or specific reviewers. Valid values are `Manager`, `Reviewers`, or `Self`.
     */
    reviewType?: pulumi.Input<string>;
    /**
     * One or more `reviewer` blocks to specify the users who will be reviewers (when `reviewType` is `Reviewers`), as documented below.
     */
    reviewers?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyAssignmentReviewSettingsReviewer>[]>;
    /**
     * This is the date the access review campaign will start on, formatted as an RFC3339 date string in UTC (e.g. 2018-01-01T01:02:03Z), default is now. Once an access review has been created, you cannot update its start date
     */
    startingOn?: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyAssignmentReviewSettingsReviewer {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver
     */
    backup?: pulumi.Input<boolean>;
    /**
     * The object ID of the subject
     */
    objectId?: pulumi.Input<string>;
    /**
     * Type of users
     */
    subjectType: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyQuestion {
    /**
     * One or more blocks configuring a choice to the question, as documented below.
     */
    choices?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyQuestionChoice>[]>;
    /**
     * Whether this question is required.
     */
    required?: pulumi.Input<boolean>;
    /**
     * The sequence number of this question.
     */
    sequence?: pulumi.Input<number>;
    /**
     * A block describing the content of this question, as documented below.
     */
    text: pulumi.Input<inputs.AccessPackageAssignmentPolicyQuestionText>;
}
export interface AccessPackageAssignmentPolicyQuestionChoice {
    /**
     * The actual value of this choice
     */
    actualValue: pulumi.Input<string>;
    /**
     * The display text of this choice
     */
    displayValue: pulumi.Input<inputs.AccessPackageAssignmentPolicyQuestionChoiceDisplayValue>;
}
export interface AccessPackageAssignmentPolicyQuestionChoiceDisplayValue {
    /**
     * The default text of this question
     */
    defaultText: pulumi.Input<string>;
    /**
     * The localized text of this question
     */
    localizedTexts?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyQuestionChoiceDisplayValueLocalizedText>[]>;
}
export interface AccessPackageAssignmentPolicyQuestionChoiceDisplayValueLocalizedText {
    /**
     * The localized content of this question
     */
    content: pulumi.Input<string>;
    /**
     * The language code of this question content
     */
    languageCode: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyQuestionText {
    /**
     * The default text of this question
     */
    defaultText: pulumi.Input<string>;
    /**
     * The localized text of this question
     */
    localizedTexts?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyQuestionTextLocalizedText>[]>;
}
export interface AccessPackageAssignmentPolicyQuestionTextLocalizedText {
    /**
     * The localized content of this question
     */
    content: pulumi.Input<string>;
    /**
     * The language code of this question content
     */
    languageCode: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyRequestorSettings {
    /**
     * A block specifying the users who are allowed to request on this policy, as documented below.
     */
    requestors?: pulumi.Input<pulumi.Input<inputs.AccessPackageAssignmentPolicyRequestorSettingsRequestor>[]>;
    /**
     * Whether to accept requests using this policy. When `false`, no new requests can be made using this policy.
     */
    requestsAccepted?: pulumi.Input<boolean>;
    /**
     * Specifies the scopes of the requestors. Valid values are `AllConfiguredConnectedOrganizationSubjects`, `AllExistingConnectedOrganizationSubjects`, `AllExistingDirectoryMemberUsers`, `AllExistingDirectorySubjects`, `AllExternalSubjects`, `NoSubjects`, `SpecificConnectedOrganizationSubjects`, or `SpecificDirectorySubjects`.
     */
    scopeType?: pulumi.Input<string>;
}
export interface AccessPackageAssignmentPolicyRequestorSettingsRequestor {
    /**
     * For a user in an approval stage, this property indicates whether the user is a backup fallback approver
     */
    backup?: pulumi.Input<boolean>;
    /**
     * The object ID of the subject
     */
    objectId?: pulumi.Input<string>;
    /**
     * Type of users
     */
    subjectType: pulumi.Input<string>;
}
export interface ApplicationApi {
    /**
     * A set of client IDs, used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app.
     */
    knownClientApplications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Allows an application to use claims mapping without specifying a custom signing key. Defaults to `false`.
     */
    mappedClaimsEnabled?: pulumi.Input<boolean>;
    /**
     * One or more `oauth2PermissionScope` blocks as documented below, to describe delegated permissions exposed by the web API represented by this application.
     */
    oauth2PermissionScopes?: pulumi.Input<pulumi.Input<inputs.ApplicationApiOauth2PermissionScope>[]>;
    /**
     * The access token version expected by this resource. Must be one of `1` or `2`, and must be `2` when `signInAudience` is either `AzureADandPersonalMicrosoftAccount` or `PersonalMicrosoftAccount` Defaults to `1`.
     */
    requestedAccessTokenVersion?: pulumi.Input<number>;
}
export interface ApplicationApiOauth2PermissionScope {
    /**
     * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDescription?: pulumi.Input<string>;
    /**
     * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDisplayName?: pulumi.Input<string>;
    /**
     * Determines if the permission scope is enabled. Defaults to `true`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * The unique identifier of the delegated permission. Must be a valid UUID.
     *
     * > **Tip: Generating a UUID for the `id` field** To generate a value for the `id` field in cases where the actual UUID is not important, you can use the `randomUuid` resource. See the application example in the provider repository.
     */
    id: pulumi.Input<string>;
    /**
     * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Defaults to `User`. Possible values are `User` or `Admin`.
     *
     * NOTE(review): the default `User` lets end users self-consent wherever the tenant's consent
     * policy allows it; prefer `Admin` for scopes that expose sensitive data — confirm against the
     * tenant's user-consent settings.
     */
    type?: pulumi.Input<string>;
    /**
     * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
     */
    userConsentDescription?: pulumi.Input<string>;
    /**
     * Display name for the delegated permission that appears in the end user consent experience.
     */
    userConsentDisplayName?: pulumi.Input<string>;
    /**
     * The value that is used for the `scp` claim in OAuth 2.0 access tokens
     */
    value?: pulumi.Input<string>;
}
export interface ApplicationAppRole {
    /**
     * Specifies whether this app role definition can be assigned to users and groups by setting to `User`, or to other applications (that are accessing this application in a standalone scenario) by setting to `Application`, or to both.
     */
    allowedMemberTypes: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Description of the app role that appears when the role is being assigned and, if the role functions as an application permission, during the consent experiences.
     */
    description: pulumi.Input<string>;
    /**
     * Display name for the app role that appears during app role assignment and in consent experiences.
     */
    displayName: pulumi.Input<string>;
    /**
     * Determines if the app role is enabled. Defaults to `true`.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * The unique identifier of the app role. Must be a valid UUID.
     *
     * > **Tip: Generating a UUID for the `id` field** To generate a value for the `id` field in cases where the actual UUID is not important, you can use the `randomUuid` resource. See the application example in the provider repository.
     */
    id: pulumi.Input<string>;
    /**
     * The value that is used for the `roles` claim in ID tokens and OAuth 2.0 access tokens that are authenticating an assigned service or user principal
     *
     * NOTE(review): consumers of the token presumably authorize on this exact string; renaming it
     * changes what they see in the `roles` claim, so treat a rename as a breaking change.
     */
    value?: pulumi.Input<string>;
}
export interface ApplicationFeatureTag {
    /**
     * Whether this application represents a custom SAML application for linked service principals. Enabling this will assign the `WindowsAzureActiveDirectoryCustomSingleSignOnApplication` tag. Defaults to `false`.
     */
    customSingleSignOn?: pulumi.Input<boolean>;
    /**
     * Whether this application represents an Enterprise Application for linked service principals. Enabling this will assign the `WindowsAzureActiveDirectoryIntegratedApp` tag. Defaults to `false`.
     */
    enterprise?: pulumi.Input<boolean>;
    /**
     * Whether this application represents a gallery application for linked service principals. Enabling this will assign the `WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1` tag. Defaults to `false`.
     */
    gallery?: pulumi.Input<boolean>;
    /**
     * Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the `HideApp` tag. Defaults to `false`.
     */
    hide?: pulumi.Input<boolean>;
}
export interface ApplicationOptionalClaims {
    /**
     * One or more `accessToken` blocks as documented below.
     */
    accessTokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsAccessToken>[]>;
    /**
     * One or more `idToken` blocks as documented below.
     */
    idTokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsIdToken>[]>;
    /**
     * One or more `saml2Token` blocks as documented below.
     */
    saml2Tokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsSaml2Token>[]>;
}
export interface ApplicationOptionalClaimsAccessToken {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
     */
    additionalProperties?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: pulumi.Input<boolean>;
    /**
     * The name of the optional claim.
     */
    name: pulumi.Input<string>;
    /**
     * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
     */
    source?: pulumi.Input<string>;
}
export interface ApplicationOptionalClaimsIdToken {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
     */
    additionalProperties?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: pulumi.Input<boolean>;
    /**
     * The name of the optional claim.
     */
    name: pulumi.Input<string>;
    /**
     * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
     */
    source?: pulumi.Input<string>;
}
export interface ApplicationOptionalClaimsSaml2Token {
    /**
     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
     */
    additionalProperties?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
     */
    essential?: pulumi.Input<boolean>;
    /**
     * The name of the optional claim.
     */
    name: pulumi.Input<string>;
    /**
     * The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
     */
    source?: pulumi.Input<string>;
}
export interface ApplicationPassword {
    /**
     * A display name for the password. Changing this field forces a new resource to be created.
     */
    displayName: pulumi.Input<string>;
    /**
     * The end date until which the password is valid, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`). Changing this field forces a new resource to be created.
     */
    endDate?: pulumi.Input<string>;
    /**
     * (Required) The unique key ID for the generated password.
     *
     * NOTE(review): documented as required but optional in this input type; it looks like a
     * provider-computed output rather than a value callers set — confirm.
     */
    keyId?: pulumi.Input<string>;
    /**
     * The start date from which the password is valid, formatted as an RFC3339 date string (e.g. `2018-01-01T01:02:03Z`). If this isn't specified, the current date is used. Changing this field forces a new resource to be created.
     */
    startDate?: pulumi.Input<string>;
    /**
     * (Required) The generated password for the application.
     *
     * NOTE(review): this is a credential. It is optional here and appears to be provider-generated;
     * confirm the resource marks it secret so it is encrypted in state and not echoed in plan output or logs.
     */
    value?: pulumi.Input<string>;
}
export interface ApplicationPublicClient {
    /**
     * A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid `https` or `ms-appx-web` URL.
     */
    redirectUris?: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ApplicationRequiredResourceAccess {
    /**
     * A collection of `resourceAccess` blocks as documented below, describing OAuth2.0 permission scopes and app roles that the application requires from the specified resource.
     */
    resourceAccesses: pulumi.Input<pulumi.Input<inputs.ApplicationRequiredResourceAccessResourceAccess>[]>;
    /**
     * The unique identifier for the resource that the application requires access to. This should be the Application ID of the target application.
     *
     * > **Note:** Documentation on `resourceAppId` values for Microsoft APIs can be difficult to find, but you can use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/ad/sp?view=azure-cli-latest#az_ad_sp_list) to find them. (e.g. `az ad sp list --display-name "Microsoft Graph" --query '[].{appDisplayName:appDisplayName, appId:appId}'`)
     */
    resourceAppId: pulumi.Input<string>;
}
export interface ApplicationRequiredResourceAccessResourceAccess {
    /**
     * The unique identifier for an app role or OAuth2 permission scope published by the resource application.
     */
    id: pulumi.Input<string>;
    /**
     * Specifies whether the `id` property references an app role or an OAuth2 permission scope. Possible values are `Role` or `Scope`.
     */
    type: pulumi.Input<string>;
}
export interface ApplicationSinglePageApplication {
    /**
     * A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid `https` URL.
     */
    redirectUris?: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ApplicationWeb {
    /**
     * Home page or landing page of the application.
     */
    homepageUrl?: pulumi.Input<string>;
    /**
     * An `implicitGrant` block as documented above.
     */
    implicitGrant?: pulumi.Input<inputs.ApplicationWebImplicitGrant>;
    /**
     * The URL that will be used by Microsoft's authorization service to sign out a user using front-channel, back-channel or SAML logout protocols.
     */
    logoutUrl?: pulumi.Input<string>;
    /**
     * A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid `http` URL or a URN.
     */
    redirectUris?: pulumi.Input<pulumi.Input<string>[]>;
}
/**
 * Implicit-flow settings for a web application.
 *
 * NOTE(review): the OAuth 2.0 implicit flow delivers tokens in the redirect URL fragment.
 * Leave both flags unset unless a client specifically depends on it; the authorization
 * code flow is the recommended default for web applications.
 */
export interface ApplicationWebImplicitGrant {
    /**
     * Whether this web application can request an access token using OAuth 2.0 implicit flow.
     */
    accessTokenIssuanceEnabled?: pulumi.Input<boolean>;
    /**
     * Whether this web application can request an ID token using OAuth 2.0 implicit flow.
     */
    idTokenIssuanceEnabled?: pulumi.Input<boolean>;
}
export interface ConditionalAccessPolicyConditions {
    /**
     * An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
     */
    applications: pulumi.Input<inputs.ConditionalAccessPolicyConditionsApplications>;
    /**
     * A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
     */
    authenticationFlowTransferMethods?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
     */
    clientAppTypes: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * An `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
     */
    clientApplications?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsClientApplications>;
    /**
     * A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
     */
    devices?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsDevices>;
    /**
     * The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
     *
     * Note this is a single value, unlike the `*RiskLevels` lists below.
     */
    insiderRiskLevels?: pulumi.Input<string>;
    /**
     * A `locations` block as documented below, which specifies locations included in and excluded from the policy.
     */
    locations?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsLocations>;
    /**
     * A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
     */
    platforms?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsPlatforms>;
    /**
     * A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
     */
    servicePrincipalRiskLevels?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
     */
    signInRiskLevels?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
     */
    userRiskLevels?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
     */
    users: pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsers>;
}
export interface ConditionalAccessPolicyConditionsApplications {
    /**
     * A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
     */
    excludedApplications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
     */
    includedApplications?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
     */
    includedUserActions?: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsClientApplications {
    /**
     * A list of service principal IDs explicitly excluded in the policy.
     */
    excludedServicePrincipals?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A `filter` block as documented below.
     *
     * > **Note:** Specifying `filter` requires the `Attribute Definition Reader` role, this is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
     */
    filter?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsClientApplicationsFilter>;
    /**
     * A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
     */
    includedServicePrincipals?: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsClientApplicationsFilter {
    /**
     * Whether to include in, or exclude from, matching items from the policy. Supported values are `include` or `exclude`.
     */
    mode: pulumi.Input<string>;
    /**
     * Condition filter to match items.
     */
    rule: pulumi.Input<string>;
}
export interface ConditionalAccessPolicyConditionsDevices {
    /**
     * A `filter` block as documented below.
     *
     * > **Note:** For more information on device filters, see the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#supported-operators-and-device-properties-for-filters).
     */
    filter?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsDevicesFilter>;
}
export interface ConditionalAccessPolicyConditionsDevicesFilter {
    /**
     * Whether to include in, or exclude from, matching items from the policy. Supported values are `include` or `exclude`.
     */
    mode: pulumi.Input<string>;
    /**
     * Condition filter to match items.
     */
    rule: pulumi.Input<string>;
}
export interface ConditionalAccessPolicyConditionsLocations {
    /**
     * A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
     */
    excludedLocations?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
     */
    includedLocations: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsPlatforms {
    /**
     * A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
     */
    excludedPlatforms?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
     */
    includedPlatforms: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsUsers {
    /**
     * A list of group IDs excluded from scope of policy.
     */
    excludedGroups?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
     */
    excludedGuestsOrExternalUsers?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser>[]>;
    /**
     * A list of role IDs excluded from scope of policy.
     */
    excludedRoles?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
     */
    excludedUsers?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of group IDs in scope of policy unless explicitly excluded.
     */
    includedGroups?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
     */
    includedGuestsOrExternalUsers?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser>[]>;
    /**
     * A list of role IDs in scope of policy unless explicitly excluded.
     */
    includedRoles?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
     *
     * > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
     */
    includedUsers?: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
    /**
     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
     */
    externalTenants?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant>[]>;
    /**
     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
     */
    guestOrExternalUserTypes: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
    /**
     * A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
     */
    members?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
     */
    membershipKind: pulumi.Input<string>;
}
export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
    /**
     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
     */
    externalTenants?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant>[]>;
    /**
     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
     */
    guestOrExternalUserTypes: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
    /**
     * A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
     */
    members?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
     */
    membershipKind: pulumi.Input<string>;
}
export interface ConditionalAccessPolicyGrantControls {
    /**
     * ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
     */
    authenticationStrengthPolicyId?: pulumi.Input<string>;
    /**
     * List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
     */
    builtInControls?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * List of custom controls IDs required by the policy.
     */
    customAuthenticationFactors?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
     */
    operator: pulumi.Input<string>;
    /**
     * List of terms of use IDs required by the policy.
     *
     * > At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
     */
    termsOfUses?: pulumi.Input<pulumi.Input<string>[]>;
}
export interface ConditionalAccessPolicySessionControls {
    /**
     * Whether application enforced restrictions are enabled. Defaults to `false`.
     *
     * > Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
     */
    applicationEnforcedRestrictionsEnabled?: pulumi.Input<boolean>;
    /**
     * Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
     */
    cloudAppSecurityPolicy?: pulumi.Input<string>;
    /**
     * Disables [resilience defaults](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/resilience-defaults). Defaults to `false`.
     */
    disableResilienceDefaults?: pulumi.Input<boolean>;
    /**
     * Session control to define whether to persist cookies. Possible values are: `always` or `never`.
     */
    persistentBrowserMode?: pulumi.Input<string>;
    /**
     * Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
     */
    signInFrequency?: pulumi.Input<number>;
    /**
     * Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
     */
    signInFrequencyAuthenticationType?: pulumi.Input<string>;
    /**
     * The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
     */
    signInFrequencyInterval?: pulumi.Input<string>;
    /**
     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
     */
    signInFrequencyPeriod?: pulumi.Input<string>;
}
export interface CustomDirectoryRolePermission {
    /**
     * A set of tasks that can be performed on a resource. For more information, see the [Permissions Reference](https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference) documentation.
     */
    allowedResourceActions: pulumi.Input<pulumi.Input<string>[]>;
}
export interface GroupDynamicMembership {
    /**
     * Whether rule processing is "On" (true) or "Paused" (false).
     */
    enabled: pulumi.Input<boolean>;
    /**
     * The rule that determines membership of this group. For more information, see official documentation on [membership rules syntax](https://docs.microsoft.com/en-gb/azure/active-directory/enterprise-users/groups-dynamic-membership).
     *
     * > **Dynamic Group Memberships** Remember to include `DynamicMembership` in the set of `types` for the group when configuring a dynamic membership rule. Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license.
     */
    rule: pulumi.Input<string>;
}
export interface GroupRoleManagementPolicyActivationRules {
    /**
     * An `approvalStage` block as defined below.
     */
    approvalStage?: pulumi.Input<inputs.GroupRoleManagementPolicyActivationRulesApprovalStage>;
    /**
     * The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. `PT8H`). Valid range is `PT30M` to `PT23H30M`, in 30 minute increments, or `PT1D`.
     */
    maximumDuration?: pulumi.Input<string>;
    /**
     * Is approval required for activation. If `true` an `approvalStage` block must be provided.
     */
    requireApproval?: pulumi.Input<boolean>;
    /**
     * Is a justification required during activation of the role.
     */
    requireJustification?: pulumi.Input<boolean>;
    /**
     * Is multi-factor authentication required to activate the role. Conflicts with `requiredConditionalAccessAuthenticationContext`.
     */
    requireMultifactorAuthentication?: pulumi.Input<boolean>;
    /**
     * Is ticket information required during activation of the role.
     */
    requireTicketInfo?: pulumi.Input<boolean>;
    /**
     * The Entra ID Conditional Access context that must be present for activation (e.g `c1`). Conflicts with `requireMultifactorAuthentication`.
     */
    requiredConditionalAccessAuthenticationContext?: pulumi.Input<string>;
}
export interface GroupRoleManagementPolicyActivationRulesApprovalStage {
    /**
     * The IDs of the users or groups who can approve the activation
     */
    primaryApprovers: pulumi.Input<pulumi.Input<inputs.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover>[]>;
}
export interface GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover {
    /**
     * The ID of the object which will act as an approver.
     */
    objectId: pulumi.Input<string>;
    /**
     * The type of object acting as an approver. Possible options are `singleUser` and `groupMembers`.
     */
    type?: pulumi.Input<string>;
}
export interface GroupRoleManagementPolicyActiveAssignmentRules {
    /**
     * Must an assignment have an expiry date. `false` allows permanent assignment. 
*/ expirationRequired?: pulumi.Input<boolean>; /** * The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: `P15D`, `P30D`, `P90D`, `P180D`, or `P365D`. */ expireAfter?: pulumi.Input<string>; /** * Is a justification required to create new assignments. */ requireJustification?: pulumi.Input<boolean>; /** * Is multi-factor authentication required to create new assignments. */ requireMultifactorAuthentication?: pulumi.Input<boolean>; /** * Is ticket information required to create new assignments. * * One of `expirationRequired` or `expireAfter` must be provided. */ requireTicketInfo?: pulumi.Input<boolean>; } export interface GroupRoleManagementPolicyEligibleAssignmentRules { /** * Must an assignment have an expiry date. `false` allows permanent assignment. */ expirationRequired?: pulumi.Input<boolean>; /** * The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: `P15D`, `P30D`, `P90D`, `P180D`, or `P365D`. * * One of `expirationRequired` or `expireAfter` must be provided. */ expireAfter?: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRules { /** * A `notificationTarget` block as defined below to configure notfications on active role assignments. */ activeAssignments?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignments>; /** * A `notificationTarget` block as defined below for configuring notifications on activation of eligible role. */ eligibleActivations?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivations>; /** * A `notificationTarget` block as defined below to configure notification on eligible role assignments. * * At least one `notificationTarget` block must be provided. 
*/ eligibleAssignments?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignments>; } export interface GroupRoleManagementPolicyNotificationRulesActiveAssignments { /** * Admin notification settings */ adminNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotifications>; /** * Approver notification settings */ approverNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotifications>; /** * Assignee notification settings */ assigneeNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotifications>; } export interface GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleActivations { /** * Admin notification settings */ adminNotifications?: 
pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotifications>; /** * Approver notification settings */ approverNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotifications>; /** * Assignee notification settings */ assigneeNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotifications>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleAssignments { /** * Admin notification settings */ adminNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotifications>; /** * Approver notification settings */ approverNotifications?: 
pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotifications>; /** * Assignee notification settings */ assigneeNotifications?: pulumi.Input<inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotifications>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotifications { /** * The additional recipients to notify */ additionalRecipients?: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the default recipients are notified */ defaultRecipients: pulumi.Input<boolean>; /** * What level of notifications are sent */ notificationLevel: pulumi.Input<string>; } export interface GroupWithoutMembersDynamicMembership { /** * Whether rule processing is "On" (true) or "Paused" (false). */ enabled: pulumi.Input<boolean>; /** * The rule that determines membership of this group. For more information, see official documentation on [membership rules syntax](https://docs.microsoft.com/en-gb/azure/active-directory/enterprise-users/groups-dynamic-membership). * * > **Dynamic Group Memberships** Remember to include `DynamicMembership` in the set of `types` for the group when configuring a dynamic membership rule. 
Dynamic membership is a premium feature which requires an Azure Active Directory P1 or P2 license. */ rule: pulumi.Input<string>; } export interface InvitationMessage { /** * Email addresses of additional recipients the invitation message should be sent to. Only 1 additional recipient is currently supported by Azure. */ additionalRecipients?: pulumi.Input<string>; /** * Customized message body you want to send if you don't want to send the default message. Cannot be specified with `language`. */ body?: pulumi.Input<string>; /** * The language you want to send the default message in. The value specified must be in ISO 639 format. Defaults to `en-US`. Cannot be specified with `body`. */ language?: pulumi.Input<string>; } export interface NamedLocationCountry { /** * List of countries and/or regions in two-letter format specified by ISO 3166-2. */ countriesAndRegions: pulumi.Input<pulumi.Input<string>[]>; /** * Method of detecting country the user is located in. Possible values are `clientIpAddress` for IP-based location and `authenticatorAppGps` for Authenticator app GPS-based location. Defaults to `clientIpAddress`. */ countryLookupMethod?: pulumi.Input<string>; /** * Whether IP addresses that don't map to a country or region should be included in the named location. Defaults to `false`. */ includeUnknownCountriesAndRegions?: pulumi.Input<boolean>; } export interface NamedLocationIp { /** * List of IP address ranges in IPv4 CIDR format (e.g. `1.2.3.4/32`) or any allowable IPv6 format from IETF RFC596. Each CIDR prefix must be `/8` or larger. */ ipRanges: pulumi.Input<pulumi.Input<string>[]>; /** * Whether the named location is trusted. Defaults to `false`. */ trusted?: pulumi.Input<boolean>; } export interface ServicePrinc