import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
* Manages a group within Azure Active Directory. Does not directly manage or expose members of the group.
*
* ## API Permissions
*
* The following API permissions are required in order to use this resource.
*
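* When authenticated with a service principal, this resource requires one of the following application roles: `Group.ReadWrite.All` or `Directory.ReadWrite.All`. Either one is sufficient on its own; `Group.ReadWrite.All` is the narrower of the two, so prefer it unless the principal needs directory-wide write access for other reasons.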
*
* Alternatively, if the authenticated service principal is also an owner of the group being managed, this resource can use the application role: `Group.Create`.
*
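* If using the `assignableToRole` property, this resource additionally requires the `RoleManagement.ReadWrite.Directory` application role. That role permits managing directory role assignments across the tenant, so grant it only to the principal that actually has to create role-assignable groups.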
*
* If specifying owners for a group, which are user principals, this resource additionally requires one of the following application roles: `User.Read.All`, `User.ReadWrite.All`, `Directory.Read.All` or `Directory.ReadWrite.All`. The read-only roles are enough for this purpose.
*
* When authenticated with a user principal, this resource requires one of the following directory roles: `Groups Administrator`, `User Administrator` or `Global Administrator`.
*
* When creating this resource in administrative units exclusively, the directory role `Groups Administrator` is required to be scoped on any administrative unit used. Additionally, it must be possible to read the administrative units being used, which can be granted through the `AdministrativeUnit.Read.All` or `Directory.Read.All` application roles.
*
* The `externalSendersAllowed`, `autoSubscribeNewMembers`, `hideFromAddressLists` and `hideFromOutlookClients` properties can only be configured when authenticating as a user and cannot be configured when authenticating as a service principal. Additionally, the user being used for authentication must be a Member of the tenant where the group is being managed and _not_ a Guest. This is a known API issue; please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) official documentation.
*
* ## Example Usage
*
* *Basic example*
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const example = new azuread.GroupWithoutMembers("example", {
* displayName: "example",
* owners: [current.then(current => current.objectId)],
* securityEnabled: true,
* });
* ```
*
* *Microsoft 365 group*
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const groupOwner = new azuread.User("group_owner", {
* userPrincipalName: "example-group-owner@example.com",
* displayName: "Group Owner",
* mailNickname: "example-group-owner",
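* // Placeholder value for illustration only. In a real program, store the password as an
* // encrypted stack secret (`pulumi config set --secret groupOwnerPassword ...`) and read it
* // with `new pulumi.Config().requireSecret("groupOwnerPassword")` instead of committing a literal.
* password: "SecretP@sswd99!",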
* });
* const example = new azuread.GroupWithoutMembers("example", {
* displayName: "example",
* mailEnabled: true,
* mailNickname: "ExampleGroup",
* securityEnabled: true,
* types: ["Unified"],
* owners: [
* current.then(current => current.objectId),
* groupOwner.objectId,
* ],
* });
* ```
*
* *Group with dynamic membership*
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as azuread from "@pulumi/azuread";
*
* const current = azuread.getClientConfig({});
* const example = new azuread.GroupWithoutMembers("example", {
* displayName: "MyGroup",
* owners: [current.then(current => current.objectId)],
* securityEnabled: true,
* types: ["DynamicMembership"],
* dynamicMembership: {
* enabled: true,
* rule: "user.department -eq \"Sales\"",
* },
* });
* ```
*
* ## Import
*
* Groups can be imported using their object ID, e.g.
*
* ```sh
* $ pulumi import azuread:index/groupWithoutMembers:GroupWithoutMembers my_group /groups/00000000-0000-0000-0000-000000000000
* ```
*/
export declare class GroupWithoutMembers extends pulumi.CustomResource {
/**
* Get an existing GroupWithoutMembers resource's state with the given name, ID, and optional extra
* properties used to qualify the lookup.
*
* @param name The _unique_ name of the resulting resource.
* @param id The _unique_ provider ID of the resource to look up.
* @param state Any extra arguments used during the lookup.
* @param opts Optional settings to control the behavior of the CustomResource.
*/
static get(name: string, id: pulumi.Input<pulumi.ID>, state?: GroupWithoutMembersState, opts?: pulumi.CustomResourceOptions): GroupWithoutMembers;
/**
* Returns true if the given object is an instance of GroupWithoutMembers. This is designed to work even
* when multiple copies of the Pulumi SDK have been loaded into the same process.
*
* `obj` is typed `any`; the return type is a type predicate, so a `true` result narrows `obj` to
* GroupWithoutMembers for the caller.
*/
static isInstance(obj: any): obj is GroupWithoutMembers;
/**
* The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
*
* > **Caution** When using the azuread.AdministrativeUnitMember resource, or the `members` property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to set the `ignoreChanges: ["administrativeUnitIds"]` resource option on the group resource, in order to avoid a persistent diff.
*/
readonly administrativeUnitIds: pulumi.Output<string[] | undefined>;
/**
* Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
*
* > **Security note** Members of a role-assignable group receive whatever directory roles are assigned to it, so review its owners and its membership as you would a direct role assignment.
*/
readonly assignableToRole: pulumi.Output<boolean | undefined>;
/**
* Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `autoSubscribeNewMembers` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly autoSubscribeNewMembers: pulumi.Output<boolean>;
/**
* A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
*/
readonly behaviors: pulumi.Output<string[] | undefined>;
/**
* The description for the group.
*/
readonly description: pulumi.Output<string | undefined>;
/**
* The display name for the group.
*/
readonly displayName: pulumi.Output<string>;
/**
* A `dynamicMembership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
*
* > **Security note** Membership of a dynamic group is evaluated from the directory attributes named in the rule (for example `user.department`), so anyone able to edit those attributes can effectively change who is in the group. Avoid keying rules on attributes that users or low-privileged administrators can modify when the group grants access to anything.
*/
readonly dynamicMembership: pulumi.Output<outputs.GroupWithoutMembersDynamicMembership | undefined>;
/**
* Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
*
* Enabling this exposes the group address to mail from outside the organization; leave it off unless the group is meant to receive external mail.
*
* > **Known Permissions Issue** The `externalSendersAllowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly externalSendersAllowed: pulumi.Output<boolean>;
/**
* Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromAddressLists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly hideFromAddressLists: pulumi.Output<boolean>;
/**
* Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromOutlookClients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
readonly hideFromOutlookClients: pulumi.Output<boolean>;
/**
* The SMTP address for the group.
*/
readonly mail: pulumi.Output<string>;
/**
* Whether the group is mail enabled, with a shared group mailbox. At least one of `mailEnabled` or `securityEnabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
*/
readonly mailEnabled: pulumi.Output<boolean | undefined>;
/**
* The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
*/
readonly mailNickname: pulumi.Output<string>;
/**
* The object ID of the group.
*/
readonly objectId: pulumi.Output<string>;
/**
* The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesDomainName: pulumi.Output<string>;
/**
* The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
*/
readonly onpremisesGroupType: pulumi.Output<string>;
/**
* The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesNetbiosName: pulumi.Output<string>;
/**
* The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesSamAccountName: pulumi.Output<string>;
/**
* The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
*/
readonly onpremisesSecurityIdentifier: pulumi.Output<string>;
/**
* Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
*
* NOTE(review): the declared type is `boolean`, which does not include the `null` case described above — confirm how "never synchronised" surfaces at runtime before relying on a strict comparison.
*/
readonly onpremisesSyncEnabled: pulumi.Output<boolean>;
/**
* A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal that the provider authenticates as (the upstream text says "the principal being used to execute Terraform") is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed.
*
* > **Group Ownership** It's recommended to always specify one or more group owners, including the principal that the provider authenticates as, as shown in this resource's example usage. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner which _must be a user_ (i.e. not a service principal).
*
* > **Security note** Owners can manage the group, so keep this list to the principals that need it, especially when the group grants access or is role-assignable.
*/
readonly owners: pulumi.Output<string[]>;
/**
* The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
*/
readonly preferredLanguage: pulumi.Output<string>;
/**
* If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
*/
readonly preventDuplicateNames: pulumi.Output<boolean | undefined>;
/**
* A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
*/
readonly provisioningOptions: pulumi.Output<string[] | undefined>;
/**
* List of email addresses for the group that direct to the same group mailbox.
*/
readonly proxyAddresses: pulumi.Output<string[]>;
/**
* Whether the group is a security group for controlling access to in-app resources. At least one of `securityEnabled` or `mailEnabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
*/
readonly securityEnabled: pulumi.Output<boolean | undefined>;
/**
* The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
*/
readonly theme: pulumi.Output<string | undefined>;
/**
* A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mailEnabled` is true. Changing this forces a new resource to be created.
*
* > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
*/
readonly types: pulumi.Output<string[] | undefined>;
/**
* The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
*
* Because this value is also the join policy and Microsoft 365 groups default to `Public`, set `Private` explicitly for any Microsoft 365 group whose membership grants access to something sensitive.
*
* > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `preventDuplicateNames` argument to check for existing groups if you want to avoid name collisions, and refer to groups by `objectId` rather than by display name wherever the group controls access.
*/
readonly visibility: pulumi.Output<string>;
/**
* Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
*/
readonly writebackEnabled: pulumi.Output<boolean | undefined>;
/**
* Create a GroupWithoutMembers resource with the given unique name, arguments, and options.
*
* @param name The _unique_ name of the resource.
* @param args The arguments to use to populate this resource's properties.
* @param opts A bag of options that control this resource's behavior.
*/
constructor(name: string, args: GroupWithoutMembersArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering GroupWithoutMembers resources.
*/
export interface GroupWithoutMembersState {
// Every property here is optional; this is the shape accepted by the `state` parameter of `GroupWithoutMembers.get`.
/**
* The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
*
* > **Caution** When using the azuread.AdministrativeUnitMember resource, or the `members` property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to set the `ignoreChanges: ["administrativeUnitIds"]` resource option on the group resource, in order to avoid a persistent diff.
*/
administrativeUnitIds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
*
* > **Security note** Members of a role-assignable group receive whatever directory roles are assigned to it, so review its owners and its membership as you would a direct role assignment.
*/
assignableToRole?: pulumi.Input<boolean | undefined>;
/**
* Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `autoSubscribeNewMembers` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
autoSubscribeNewMembers?: pulumi.Input<boolean | undefined>;
/**
* A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
*/
behaviors?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The description for the group.
*/
description?: pulumi.Input<string | undefined>;
/**
* The display name for the group.
*/
displayName?: pulumi.Input<string | undefined>;
/**
* A `dynamicMembership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
*
* > **Security note** Membership of a dynamic group is evaluated from the directory attributes named in the rule (for example `user.department`), so anyone able to edit those attributes can effectively change who is in the group. Avoid keying rules on attributes that users or low-privileged administrators can modify when the group grants access to anything.
*/
dynamicMembership?: pulumi.Input<inputs.GroupWithoutMembersDynamicMembership | undefined>;
/**
* Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
*
* Enabling this exposes the group address to mail from outside the organization; leave it off unless the group is meant to receive external mail.
*
* > **Known Permissions Issue** The `externalSendersAllowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
externalSendersAllowed?: pulumi.Input<boolean | undefined>;
/**
* Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromAddressLists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromAddressLists?: pulumi.Input<boolean | undefined>;
/**
* Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromOutlookClients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromOutlookClients?: pulumi.Input<boolean | undefined>;
/**
* The SMTP address for the group.
*/
mail?: pulumi.Input<string | undefined>;
/**
* Whether the group is mail enabled, with a shared group mailbox. At least one of `mailEnabled` or `securityEnabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
*/
mailEnabled?: pulumi.Input<boolean | undefined>;
/**
* The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
*/
mailNickname?: pulumi.Input<string | undefined>;
/**
* The object ID of the group.
*/
objectId?: pulumi.Input<string | undefined>;
/**
* The on-premises FQDN, also called dnsDomainName, synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesDomainName?: pulumi.Input<string | undefined>;
/**
* The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
*/
onpremisesGroupType?: pulumi.Input<string | undefined>;
/**
* The on-premises NetBIOS name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesNetbiosName?: pulumi.Input<string | undefined>;
/**
* The on-premises SAM account name, synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesSamAccountName?: pulumi.Input<string | undefined>;
/**
* The on-premises security identifier (SID), synchronised from the on-premises directory when Azure AD Connect is used.
*/
onpremisesSecurityIdentifier?: pulumi.Input<string | undefined>;
/**
* Whether this group is synchronised from an on-premises directory (`true`), no longer synchronised (`false`), or has never been synchronised (`null`).
*
* NOTE(review): the declared type admits `boolean` and `undefined` but not `null` — confirm how "never synchronised" is represented before relying on a strict comparison.
*/
onpremisesSyncEnabled?: pulumi.Input<boolean | undefined>;
/**
* A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal that the provider authenticates as (the upstream text says "the principal being used to execute Terraform") is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed.
*
* > **Group Ownership** It's recommended to always specify one or more group owners, including the principal that the provider authenticates as, as shown in the resource's example usage. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner which _must be a user_ (i.e. not a service principal).
*
* > **Security note** Owners can manage the group, so keep this list to the principals that need it, especially when the group grants access or is role-assignable.
*/
owners?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The preferred language for a Microsoft 365 group, in ISO 639-1 notation.
*/
preferredLanguage?: pulumi.Input<string | undefined>;
/**
* If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
*/
preventDuplicateNames?: pulumi.Input<boolean | undefined>;
/**
* A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
*/
provisioningOptions?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* List of email addresses for the group that direct to the same group mailbox.
*/
proxyAddresses?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Whether the group is a security group for controlling access to in-app resources. At least one of `securityEnabled` or `mailEnabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
*/
securityEnabled?: pulumi.Input<boolean | undefined>;
/**
* The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
*/
theme?: pulumi.Input<string | undefined>;
/**
* A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mailEnabled` is true. Changing this forces a new resource to be created.
*
* > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
*/
types?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
*
* Because this value is also the join policy and Microsoft 365 groups default to `Public`, set `Private` explicitly for any Microsoft 365 group whose membership grants access to something sensitive.
*
* > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `preventDuplicateNames` argument to check for existing groups if you want to avoid name collisions, and refer to groups by `objectId` rather than by display name wherever the group controls access.
*/
visibility?: pulumi.Input<string | undefined>;
/**
* Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
*/
writebackEnabled?: pulumi.Input<boolean | undefined>;
}
/**
* The set of arguments for constructing a GroupWithoutMembers resource.
*/
export interface GroupWithoutMembersArgs {
// `displayName` is the only required property; everything else is optional.
/**
* The object IDs of administrative units in which the group is a member. If specified, new groups will be created in the scope of the first administrative unit and added to the others. If empty, new groups will be created at the tenant level.
*
* > **Caution** When using the azuread.AdministrativeUnitMember resource, or the `members` property of the azuread.AdministrativeUnit resource, to manage Administrative Unit membership for a group, you will need to set the `ignoreChanges: ["administrativeUnitIds"]` resource option on the group resource, in order to avoid a persistent diff.
*/
administrativeUnitIds?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Indicates whether this group can be assigned to an Azure Active Directory role. Defaults to `false`. Can only be set to `true` for security-enabled groups. Changing this forces a new resource to be created.
*
* > **Security note** Members of a role-assignable group receive whatever directory roles are assigned to it, so review its owners and its membership as you would a direct role assignment.
*/
assignableToRole?: pulumi.Input<boolean | undefined>;
/**
* Indicates whether new members added to the group will be auto-subscribed to receive email notifications. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `autoSubscribeNewMembers` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
autoSubscribeNewMembers?: pulumi.Input<boolean | undefined>;
/**
* A set of behaviors for a Microsoft 365 group. Possible values are `AllowOnlyMembersToPost`, `HideGroupInOutlook`, `SkipExchangeInstantOn`, `SubscribeMembersToCalendarEventsDisabled`, `SubscribeNewGroupMembers` and `WelcomeEmailDisabled`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for more details. Changing this forces a new resource to be created.
*/
behaviors?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The description for the group.
*/
description?: pulumi.Input<string | undefined>;
/**
* The display name for the group.
*/
displayName: pulumi.Input<string>;
/**
* A `dynamicMembership` block as documented below. Required when `types` contains `DynamicMembership`. Cannot be used with the `members` property.
*
* > **Security note** Membership of a dynamic group is evaluated from the directory attributes named in the rule (for example `user.department`), so anyone able to edit those attributes can effectively change who is in the group. Avoid keying rules on attributes that users or low-privileged administrators can modify when the group grants access to anything.
*/
dynamicMembership?: pulumi.Input<inputs.GroupWithoutMembersDynamicMembership | undefined>;
/**
* Indicates whether people external to the organization can send messages to the group. Can only be set for Unified groups.
*
* Enabling this exposes the group address to mail from outside the organization; leave it off unless the group is meant to receive external mail.
*
* > **Known Permissions Issue** The `externalSendersAllowed` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
externalSendersAllowed?: pulumi.Input<boolean | undefined>;
/**
* Indicates whether the group is displayed in certain parts of the Outlook user interface: in the Address Book, in address lists for selecting message recipients, and in the Browse Groups dialog for searching groups. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromAddressLists` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromAddressLists?: pulumi.Input<boolean | undefined>;
/**
* Indicates whether the group is displayed in Outlook clients, such as Outlook for Windows and Outlook on the web. Can only be set for Unified groups.
*
* > **Known Permissions Issue** The `hideFromOutlookClients` property can only be set when authenticating as a Member user of the tenant and _not_ when authenticating as a Guest user or as a service principal. Please see the [Microsoft Graph Known Issues](https://docs.microsoft.com/en-us/graph/known-issues#groups) documentation.
*/
hideFromOutlookClients?: pulumi.Input<boolean | undefined>;
/**
* Whether the group is mail enabled, with a shared group mailbox. At least one of `mailEnabled` or `securityEnabled` must be specified. Only Microsoft 365 groups can be mail enabled (see the `types` property).
*/
mailEnabled?: pulumi.Input<boolean | undefined>;
/**
* The mail alias for the group, unique in the organisation. Required for mail-enabled groups. Changing this forces a new resource to be created.
*/
mailNickname?: pulumi.Input<string | undefined>;
/**
* The on-premises group type that the AAD group will be written as, when writeback is enabled. Possible values are `UniversalDistributionGroup`, `UniversalMailEnabledSecurityGroup`, or `UniversalSecurityGroup`.
*/
onpremisesGroupType?: pulumi.Input<string | undefined>;
/**
* A set of object IDs of principals that will be granted ownership of the group. Supported object types are users or service principals. By default, the principal that the provider authenticates as (the upstream text says "the principal being used to execute Terraform") is assigned as the sole owner. Groups cannot be created with no owners or have all their owners removed.
*
* > **Group Ownership** It's recommended to always specify one or more group owners, including the principal that the provider authenticates as, as shown in the resource's example usage. When removing group owners, if a user principal has been assigned ownership, the last user cannot be removed as an owner. Microsoft 365 groups are required to always have at least one owner which _must be a user_ (i.e. not a service principal).
*
* > **Security note** Owners can manage the group, so keep this list to the principals that need it, especially when the group grants access or is role-assignable.
*/
owners?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* If `true`, will return an error if an existing group is found with the same name. Defaults to `false`.
*/
preventDuplicateNames?: pulumi.Input<boolean | undefined>;
/**
* A set of provisioning options for a Microsoft 365 group. The only supported value is `Team`. See [official documentation](https://docs.microsoft.com/en-us/graph/group-set-options) for details. Changing this forces a new resource to be created.
*/
provisioningOptions?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* Whether the group is a security group for controlling access to in-app resources. At least one of `securityEnabled` or `mailEnabled` must be specified. A Microsoft 365 group can be security enabled _and_ mail enabled (see the `types` property).
*/
securityEnabled?: pulumi.Input<boolean | undefined>;
/**
* The colour theme for a Microsoft 365 group. Possible values are `Blue`, `Green`, `Orange`, `Pink`, `Purple`, `Red` or `Teal`. By default, no theme is set.
*/
theme?: pulumi.Input<string | undefined>;
/**
* A set of group types to configure for the group. Supported values are `DynamicMembership`, which denotes a group with dynamic membership, and `Unified`, which specifies a Microsoft 365 group. Required when `mailEnabled` is true. Changing this forces a new resource to be created.
*
* > **Supported Group Types** At present, only security groups and Microsoft 365 groups can be created or managed with this resource. Distribution groups and mail-enabled security groups are not supported. Microsoft 365 groups can be security-enabled.
*/
types?: pulumi.Input<pulumi.Input<string>[] | undefined>;
/**
* The group join policy and group content visibility. Possible values are `Private`, `Public`, or `Hiddenmembership`. Only Microsoft 365 groups can have `Hiddenmembership` visibility and this value must be set when the group is created. By default, security groups will receive `Private` visibility and Microsoft 365 groups will receive `Public` visibility.
*
* Because this value is also the join policy and Microsoft 365 groups default to `Public`, set `Private` explicitly for any Microsoft 365 group whose membership grants access to something sensitive.
*
* > **Group Name Uniqueness** Group names are not unique within Azure Active Directory. Use the `preventDuplicateNames` argument to check for existing groups if you want to avoid name collisions, and refer to groups by `objectId` rather than by display name wherever the group controls access.
*/
visibility?: pulumi.Input<string | undefined>;
/**
* Whether the group will be written back to the configured on-premises Active Directory when Azure AD Connect is used.
*/
writebackEnabled?: pulumi.Input<boolean | undefined>;
}
//# sourceMappingURL=groupWithoutMembers.d.ts.map