UNPKG

@pulumi/azuread

Version:

A Pulumi package for creating and managing Azure Active Directory (Azure AD) cloud resources.

226 lines • 8.99 kB
"use strict"; // *** WARNING: this file was generated by pulumi-language-nodejs. *** // *** Do not edit by hand unless you're certain you know what you are doing! *** var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.ConditionalAccessPolicy = void 0; const pulumi = __importStar(require("@pulumi/pulumi")); const utilities = __importStar(require("./utilities")); /** * Manages a Conditional Access Policy within Azure Active Directory. * * > **Licensing Requirements** Specifying `clientApplications` property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access). * * > **API Limits** This resource is subject to a restrictive API request limit of 1 request/second. Whilst Terraform will automatically back-off and retry throttled requests, if you have a large number of resource changes to make, you may wish to reduce parallelism or specify extended custom resource timeouts. * * ## API Permissions * * The following API permissions are required in order to use this resource. * * When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All` * * When authenticated with a user principal, this resource requires one of the following directory roles: `Conditional Access Administrator` or `Global Administrator` * * ## Example Usage * * ### All users except guests or external users * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const example = new azuread.ConditionalAccessPolicy("example", { * displayName: "example policy", * state: "disabled", * conditions: { * clientAppTypes: ["all"], * signInRiskLevels: ["medium"], * userRiskLevels: ["medium"], * applications: { * includedApplications: ["All"], * excludedApplications: [], * }, * devices: { * filter: { * mode: "exclude", * rule: "device.operatingSystem eq \"Doors\"", * }, * }, * locations: { * includedLocations: ["All"], * excludedLocations: ["AllTrusted"], * }, * platforms: { * includedPlatforms: ["android"], * excludedPlatforms: ["iOS"], * }, * users: { * includedUsers: ["All"], * excludedUsers: ["GuestsOrExternalUsers"], * }, * }, * grantControls: { * operator: "OR", * builtInControls: ["mfa"], * }, * sessionControls: { * applicationEnforcedRestrictionsEnabled: true, * disableResilienceDefaults: false, * signInFrequency: 10, * signInFrequencyPeriod: "hours", * cloudAppSecurityPolicy: "monitorOnly", * }, * }); * ``` * * ### Included client applications / service principals * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const current = azuread.getClientConfig({}); * const example = new azuread.ConditionalAccessPolicy("example", { * displayName: "example policy", * state: "disabled", * conditions: { * clientAppTypes: ["all"], * applications: { * includedApplications: ["All"], * }, * clientApplications: { * includedServicePrincipals: [current.then(current => current.objectId)], * excludedServicePrincipals: [], * }, * users: { * includedUsers: ["None"], * }, * }, * grantControls: { * operator: "OR", * builtInControls: ["block"], * }, * }); * ``` * * ### Excluded client applications / service principals * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azuread from "@pulumi/azuread"; * * const current = azuread.getClientConfig({}); * const example = new azuread.ConditionalAccessPolicy("example", { * displayName: "example policy", * state: "disabled", * conditions: { * clientAppTypes: ["all"], * applications: { * includedApplications: ["All"], * }, * clientApplications: { * includedServicePrincipals: ["ServicePrincipalsInMyTenant"], * excludedServicePrincipals: [current.then(current => current.objectId)], * }, * users: { * includedUsers: ["None"], * }, * }, * grantControls: { * operator: "OR", * builtInControls: ["block"], * }, * }); * ``` * * ## Import * * Conditional Access Policies can be imported using the `id`, e.g. * * ```sh * $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000 * ``` */ class ConditionalAccessPolicy extends pulumi.CustomResource { /** * Get an existing ConditionalAccessPolicy resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name, id, state, opts) { return new ConditionalAccessPolicy(name, state, { ...opts, id: id }); } /** @internal */ static __pulumiType = 'azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy'; /** * Returns true if the given object is an instance of ConditionalAccessPolicy. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj) { if (obj === undefined || obj === null) { return false; } return obj['__pulumiType'] === ConditionalAccessPolicy.__pulumiType; } constructor(name, argsOrState, opts) { let resourceInputs = {}; opts = opts || {}; if (opts.id) { const state = argsOrState; resourceInputs["conditions"] = state?.conditions; resourceInputs["displayName"] = state?.displayName; resourceInputs["grantControls"] = state?.grantControls; resourceInputs["objectId"] = state?.objectId; resourceInputs["sessionControls"] = state?.sessionControls; resourceInputs["state"] = state?.state; } else { const args = argsOrState; if (args?.conditions === undefined && !opts.urn) { throw new Error("Missing required property 'conditions'"); } if (args?.displayName === undefined && !opts.urn) { throw new Error("Missing required property 'displayName'"); } if (args?.state === undefined && !opts.urn) { throw new Error("Missing required property 'state'"); } resourceInputs["conditions"] = args?.conditions; resourceInputs["displayName"] = args?.displayName; resourceInputs["grantControls"] = args?.grantControls; resourceInputs["sessionControls"] = args?.sessionControls; resourceInputs["state"] = args?.state; resourceInputs["objectId"] = undefined /*out*/; } opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); super(ConditionalAccessPolicy.__pulumiType, name, resourceInputs, opts); } } exports.ConditionalAccessPolicy = ConditionalAccessPolicy; //# sourceMappingURL=conditionalAccessPolicy.js.map