This page documents the language specification for the azuread package. If you're looking for help working with the inputs, outputs, or functions of azuread resources in a Pulumi program, please see the resource documentation for examples and API reference.

Pulumi Azure Active Directory¶

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azuread repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azuread repo.

class pulumi_azuread.Application(resource_name, opts=None, app_roles=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, identifier_uris=None, logout_url=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, optional_claims=None, owners=None, public_client=None, reply_urls=None, required_resource_accesses=None, type=None, __props__=None, __name__=None, __opts__=None)¶

Manages an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write owned by applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example = azuread.Application("example",
    app_roles=[{
        "allowedMemberTypes": [
            "User",
            "Application",
        ],
        "description": "Admins can manage roles and perform all task actions",
        "display_name": "Admin",
        "isEnabled": True,
        "value": "Admin",
    }],
    available_to_other_tenants=False,
    homepage="https://homepage",
    identifier_uris=["https://uri"],
    oauth2_allow_implicit_flow=True,
    oauth2_permissions=[
        {
            "adminConsentDescription": "Allow the application to access example on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access example",
            "isEnabled": True,
            "type": "User",
            "userConsentDescription": "Allow the application to access example on your behalf.",
            "userConsentDisplayName": "Access example",
            "value": "user_impersonation",
        },
        {
            "adminConsentDescription": "Administer the example application",
            "adminConsentDisplayName": "Administer",
            "isEnabled": True,
            "type": "Admin",
            "value": "administer",
        },
    ],
    optional_claims={
        "accessToken": [
            {
                "name": "myclaim",
            },
            {
                "name": "otherclaim",
            },
        ],
        "idToken": [{
            "additionalProperties": ["emit_as_roles"],
            "essential": True,
            "name": "userclaim",
            "source": "user",
        }],
    },
    owners=["00000004-0000-0000-c000-000000000000"],
    reply_urls=["https://replyurl"],
    required_resource_accesses=[
        {
            "resourceAccess": [
                {
                    "id": "...",
                    "type": "Role",
                },
                {
                    "id": "...",
                    "type": "Scope",
                },
                {
                    "id": "...",
                    "type": "Scope",
                },
            ],
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
        },
        {
            "resourceAccess": [{
                "id": "...",
                "type": "Scope",
            }],
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
        },
    ],
    type="webapp/api")

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
app_roles (pulumi.Input[list]) – A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
available_to_other_tenants (pulumi.Input[bool]) – Is this Azure AD Application available to other tenants? Defaults to false.
group_membership_claims (pulumi.Input[str]) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.
homepage (pulumi.Input[str]) – The URL to the application’s home page. If no homepage is specified this defaults to https://{name}.
identifier_uris (pulumi.Input[list]) – A list of user-defined URI(s) that uniquely identify a Web application within it’s Azure AD tenant, or within a verified custom domain if the application is multi-tenant.
logout_url (pulumi.Input[str]) – The URL of the logout page.
name (pulumi.Input[str]) – The display name for the application.
oauth2_allow_implicit_flow (pulumi.Input[bool]) – Does this Azure AD Application allow OAuth2.0 implicit flow tokens? Defaults to false.
oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by oauth2_permissions blocks as documented below.
optional_claims (pulumi.Input[dict]) – A collection of access_token or id_token blocks as documented below which list the optional claims configured for each token type. For more information see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
owners (pulumi.Input[list]) – A list of Azure AD Object IDs that will be granted ownership of the application. Defaults to the Object ID of the caller creating the application. If a list is specified the caller Object ID will no longer be included unless explicitly added to the list.
public_client (pulumi.Input[bool]) – Is this Azure AD Application a public client? Defaults to false.
reply_urls (pulumi.Input[list]) – A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.
required_resource_accesses (pulumi.Input[list]) – A collection of required_resource_access blocks as documented below.
type (pulumi.Input[str]) – Type of an application: webapp/api or native. Defaults to webapp/api. For native apps type identifier_uris property can not not be set.

The app_roles object supports the following:

allowedMemberTypes (pulumi.Input[list]) - Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in daemon service scenarios) by setting to Application, or to both.
description (pulumi.Input[str]) - Permission help text that appears in the admin app assignment and consent experiences.
display_name (pulumi.Input[str]) - Display name for the permission that appears in the admin consent and app assignment experiences.
id (pulumi.Input[str]) - The unique identifier of the app_role.
isEnabled (pulumi.Input[bool]) - Determines if the permission is enabled: defaults to true.
value (pulumi.Input[str]) - The value of the scope claim that the resource application should expect in the OAuth 2.0 access token.

The oauth2_permissions object supports the following:

adminConsentDescription (pulumi.Input[str]) - Permission help text that appears in the admin consent and app assignment experiences.
adminConsentDisplayName (pulumi.Input[str]) - Display name for the permission that appears in the admin consent and app assignment experiences.
id (pulumi.Input[str]) - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
isEnabled (pulumi.Input[bool]) - Determines if the app role is enabled: Defaults to true.
type (pulumi.Input[str]) - Type of an application: webapp/api or native. Defaults to webapp/api. For native apps type identifier_uris property can not not be set.
userConsentDescription (pulumi.Input[str]) - Permission help text that appears in the end user consent experience.
userConsentDisplayName (pulumi.Input[str]) - Display name for the permission that appears in the end user consent experience.
value (pulumi.Input[str]) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The optional_claims object supports the following:

accessTokens (pulumi.Input[list])
- additionalProperties (pulumi.Input[list]) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (pulumi.Input[bool]) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (pulumi.Input[str]) - The name of the optional claim.
- source (pulumi.Input[str]) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.
idTokens (pulumi.Input[list])
- additionalProperties (pulumi.Input[list]) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (pulumi.Input[bool]) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (pulumi.Input[str]) - The display name for the application.
- source (pulumi.Input[str]) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.

The required_resource_accesses object supports the following:

resourceAccesses (pulumi.Input[list]) - A collection of resource_access blocks as documented below.
- id (pulumi.Input[str]) - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
- type (pulumi.Input[str]) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.
resourceAppId (pulumi.Input[str]) - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

app_roles: pulumi.Output[list] = None¶

A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

allowedMemberTypes (list) - Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in daemon service scenarios) by setting to Application, or to both.
description (str) - Permission help text that appears in the admin app assignment and consent experiences.
display_name (str) - Display name for the permission that appears in the admin consent and app assignment experiences.
id (str) - The unique identifier of the app_role.
isEnabled (bool) - Determines if the permission is enabled: defaults to true.
value (str) - The value of the scope claim that the resource application should expect in the OAuth 2.0 access token.

application_id: pulumi.Output[str] = None¶: The Application ID.

available_to_other_tenants: pulumi.Output[bool] = None¶: Is this Azure AD Application available to other tenants? Defaults to false.

group_membership_claims: pulumi.Output[str] = None¶: Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.

homepage: pulumi.Output[str] = None¶: The URL to the application’s home page. If no homepage is specified this defaults to https://{name}.

identifier_uris: pulumi.Output[list] = None¶: A list of user-defined URI(s) that uniquely identify a Web application within it’s Azure AD tenant, or within a verified custom domain if the application is multi-tenant.

logout_url: pulumi.Output[str] = None¶: The URL of the logout page.

name: pulumi.Output[str] = None¶: The display name for the application.

oauth2_allow_implicit_flow: pulumi.Output[bool] = None¶: Does this Azure AD Application allow OAuth2.0 implicit flow tokens? Defaults to false.

oauth2_permissions: pulumi.Output[list] = None¶

A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by oauth2_permissions blocks as documented below.

adminConsentDescription (str) - Permission help text that appears in the admin consent and app assignment experiences.
adminConsentDisplayName (str) - Display name for the permission that appears in the admin consent and app assignment experiences.
id (str) - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
isEnabled (bool) - Determines if the app role is enabled: Defaults to true.
type (str) - Type of an application: webapp/api or native. Defaults to webapp/api. For native apps type identifier_uris property can not not be set.
userConsentDescription (str) - Permission help text that appears in the end user consent experience.
userConsentDisplayName (str) - Display name for the permission that appears in the end user consent experience.
value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

object_id: pulumi.Output[str] = None¶: The Application’s Object ID.

optional_claims: pulumi.Output[dict] = None¶

A collection of access_token or id_token blocks as documented below which list the optional claims configured for each token type. For more information see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

accessTokens (list)
- additionalProperties (list) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (bool) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (str) - The name of the optional claim.
- source (str) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.
idTokens (list)
- additionalProperties (list) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (bool) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (str) - The display name for the application.
- source (str) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.

owners: pulumi.Output[list] = None¶: A list of Azure AD Object IDs that will be granted ownership of the application. Defaults to the Object ID of the caller creating the application. If a list is specified the caller Object ID will no longer be included unless explicitly added to the list.

public_client: pulumi.Output[bool] = None¶: Is this Azure AD Application a public client? Defaults to false.

reply_urls: pulumi.Output[list] = None¶: A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.

required_resource_accesses: pulumi.Output[list] = None¶

A collection of required_resource_access blocks as documented below.

resourceAccesses (list) - A collection of resource_access blocks as documented below.
- id (str) - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
- type (str) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.
resourceAppId (str) - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

type: pulumi.Output[str] = None¶: Type of an application: webapp/api or native. Defaults to webapp/api. For native apps type identifier_uris property can not not be set.

static get(resource_name, id, opts=None, app_roles=None, application_id=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, identifier_uris=None, logout_url=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, object_id=None, optional_claims=None, owners=None, public_client=None, reply_urls=None, required_resource_accesses=None, type=None)¶

Get an existing Application resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
app_roles (pulumi.Input[list]) – A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
application_id (pulumi.Input[str]) – The Application ID.
available_to_other_tenants (pulumi.Input[bool]) – Is this Azure AD Application available to other tenants? Defaults to false.
group_membership_claims (pulumi.Input[str]) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.
homepage (pulumi.Input[str]) – The URL to the application’s home page. If no homepage is specified this defaults to https://{name}.
identifier_uris (pulumi.Input[list]) – A list of user-defined URI(s) that uniquely identify a Web application within it’s Azure AD tenant, or within a verified custom domain if the application is multi-tenant.
logout_url (pulumi.Input[str]) – The URL of the logout page.
name (pulumi.Input[str]) – The display name for the application.
oauth2_allow_implicit_flow (pulumi.Input[bool]) – Does this Azure AD Application allow OAuth2.0 implicit flow tokens? Defaults to false.
oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by oauth2_permissions blocks as documented below.
object_id (pulumi.Input[str]) – The Application’s Object ID.
optional_claims (pulumi.Input[dict]) – A collection of access_token or id_token blocks as documented below which list the optional claims configured for each token type. For more information see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
owners (pulumi.Input[list]) – A list of Azure AD Object IDs that will be granted ownership of the application. Defaults to the Object ID of the caller creating the application. If a list is specified the caller Object ID will no longer be included unless explicitly added to the list.
public_client (pulumi.Input[bool]) – Is this Azure AD Application a public client? Defaults to false.
reply_urls (pulumi.Input[list]) – A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.
required_resource_accesses (pulumi.Input[list]) – A collection of required_resource_access blocks as documented below.
type (pulumi.Input[str]) – Type of an application: webapp/api or native. Defaults to webapp/api. For native apps type identifier_uris property can not not be set.

The app_roles object supports the following:

allowedMemberTypes (pulumi.Input[list]) - Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in daemon service scenarios) by setting to Application, or to both.
description (pulumi.Input[str]) - Permission help text that appears in the admin app assignment and consent experiences.
display_name (pulumi.Input[str]) - Display name for the permission that appears in the admin consent and app assignment experiences.
id (pulumi.Input[str]) - The unique identifier of the app_role.
isEnabled (pulumi.Input[bool]) - Determines if the permission is enabled: defaults to true.
value (pulumi.Input[str]) - The value of the scope claim that the resource application should expect in the OAuth 2.0 access token.

The oauth2_permissions object supports the following:

adminConsentDescription (pulumi.Input[str]) - Permission help text that appears in the admin consent and app assignment experiences.
adminConsentDisplayName (pulumi.Input[str]) - Display name for the permission that appears in the admin consent and app assignment experiences.
id (pulumi.Input[str]) - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
isEnabled (pulumi.Input[bool]) - Determines if the app role is enabled: Defaults to true.
type (pulumi.Input[str]) - Type of an application: webapp/api or native. Defaults to webapp/api. For native apps type identifier_uris property can not not be set.
userConsentDescription (pulumi.Input[str]) - Permission help text that appears in the end user consent experience.
userConsentDisplayName (pulumi.Input[str]) - Display name for the permission that appears in the end user consent experience.
value (pulumi.Input[str]) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The optional_claims object supports the following:

accessTokens (pulumi.Input[list])
- additionalProperties (pulumi.Input[list]) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (pulumi.Input[bool]) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (pulumi.Input[str]) - The name of the optional claim.
- source (pulumi.Input[str]) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.
idTokens (pulumi.Input[list])
- additionalProperties (pulumi.Input[list]) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (pulumi.Input[bool]) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (pulumi.Input[str]) - The display name for the application.
- source (pulumi.Input[str]) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.

The required_resource_accesses object supports the following:

resourceAccesses (pulumi.Input[list]) - A collection of resource_access blocks as documented below.
- id (pulumi.Input[str]) - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
- type (pulumi.Input[str]) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.
resourceAppId (pulumi.Input[str]) - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.ApplicationCertificate(resource_name, opts=None, application_object_id=None, end_date=None, end_date_relative=None, key_id=None, start_date=None, type=None, value=None, __props__=None, __name__=None, __opts__=None)¶

Manages a Certificate associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example_application = azuread.Application("exampleApplication")
example_application_certificate = azuread.ApplicationCertificate("exampleApplicationCertificate",
    application_object_id=example_application.id,
    end_date="2021-05-01T01:02:03Z",
    type="AsymmetricX509Cert",
    value=(lambda path: open(path).read())("cert.pem"))

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
application_object_id (pulumi.Input[str]) – The Object ID of the Application for which this Certificate should be created. Changing this field forces a new resource to be created.
end_date (pulumi.Input[str]) – The End Date which the Certificate is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Certificate is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Certificate. If not specified a GUID will be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Certificate is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
type (pulumi.Input[str]) – The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.
value (pulumi.Input[str]) – The Certificate for this Service Principal.

application_object_id: pulumi.Output[str] = None¶: The Object ID of the Application for which this Certificate should be created. Changing this field forces a new resource to be created.

end_date: pulumi.Output[str] = None¶: The End Date which the Certificate is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative: pulumi.Output[str] = None¶: A relative duration for which the Certificate is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

key_id: pulumi.Output[str] = None¶: A GUID used to uniquely identify this Certificate. If not specified a GUID will be created. Changing this field forces a new resource to be created.

start_date: pulumi.Output[str] = None¶: The Start Date which the Certificate is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

type: pulumi.Output[str] = None¶: The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

value: pulumi.Output[str] = None¶: The Certificate for this Service Principal.

static get(resource_name, id, opts=None, application_object_id=None, end_date=None, end_date_relative=None, key_id=None, start_date=None, type=None, value=None)¶

Get an existing ApplicationCertificate resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
application_object_id (pulumi.Input[str]) – The Object ID of the Application for which this Certificate should be created. Changing this field forces a new resource to be created.
end_date (pulumi.Input[str]) – The End Date which the Certificate is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Certificate is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Certificate. If not specified a GUID will be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Certificate is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
type (pulumi.Input[str]) – The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.
value (pulumi.Input[str]) – The Certificate for this Service Principal.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.ApplicationPassword(resource_name, opts=None, application_id=None, application_object_id=None, description=None, end_date=None, end_date_relative=None, key_id=None, start_date=None, value=None, __props__=None, __name__=None, __opts__=None)¶

Manages a Password associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example_application = azuread.Application("exampleApplication",
    available_to_other_tenants=False,
    homepage="http://homepage",
    identifier_uris=["http://uri"],
    oauth2_allow_implicit_flow=True,
    reply_urls=["http://replyurl"])
example_application_password = azuread.ApplicationPassword("exampleApplicationPassword",
    application_object_id=example_application.id,
    description="My managed password",
    end_date="2099-01-01T01:02:03Z",
    value="VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#")

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
application_object_id (pulumi.Input[str]) – The Object ID of the Application for which this password should be created. Changing this field forces a new resource to be created.
description (pulumi.Input[str]) – A description for the Password.
end_date (pulumi.Input[str]) – The End Date which the Password is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Password. If not specified a GUID will be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Password is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
value (pulumi.Input[str]) – The Password for this Application.

application_object_id: pulumi.Output[str] = None¶: The Object ID of the Application for which this password should be created. Changing this field forces a new resource to be created.

description: pulumi.Output[str] = None¶: A description for the Password.

end_date: pulumi.Output[str] = None¶: The End Date which the Password is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative: pulumi.Output[str] = None¶: A relative duration for which the Password is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

key_id: pulumi.Output[str] = None¶: A GUID used to uniquely identify this Password. If not specified a GUID will be created. Changing this field forces a new resource to be created.

start_date: pulumi.Output[str] = None¶: The Start Date which the Password is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

value: pulumi.Output[str] = None¶: The Password for this Application.

static get(resource_name, id, opts=None, application_id=None, application_object_id=None, description=None, end_date=None, end_date_relative=None, key_id=None, start_date=None, value=None)¶

Get an existing ApplicationPassword resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
application_object_id (pulumi.Input[str]) – The Object ID of the Application for which this password should be created. Changing this field forces a new resource to be created.
description (pulumi.Input[str]) – A description for the Password.
end_date (pulumi.Input[str]) – The End Date which the Password is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid until, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Password. If not specified a GUID will be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Password is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
value (pulumi.Input[str]) – The Password for this Application.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.AwaitableGetApplicationResult(app_roles=None, application_id=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, id=None, identifier_uris=None, logout_url=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, object_id=None, optional_claims=None, owners=None, reply_urls=None, required_resource_accesses=None, type=None)¶

class pulumi_azuread.AwaitableGetClientConfigResult(client_id=None, id=None, object_id=None, subscription_id=None, tenant_id=None)¶

class pulumi_azuread.AwaitableGetDomainsResult(domains=None, id=None, include_unverified=None, only_default=None, only_initial=None)¶

class pulumi_azuread.AwaitableGetGroupResult(description=None, id=None, members=None, name=None, object_id=None, owners=None)¶

class pulumi_azuread.AwaitableGetGroupsResult(id=None, names=None, object_ids=None)¶

class pulumi_azuread.AwaitableGetServicePrincipalResult(app_roles=None, application_id=None, display_name=None, id=None, oauth2_permissions=None, object_id=None)¶

class pulumi_azuread.AwaitableGetUserResult(account_enabled=None, display_name=None, id=None, immutable_id=None, mail=None, mail_nickname=None, object_id=None, onpremises_sam_account_name=None, onpremises_user_principal_name=None, usage_location=None, user_principal_name=None)¶

class pulumi_azuread.AwaitableGetUsersResult(id=None, mail_nicknames=None, object_ids=None, user_principal_names=None)¶

class pulumi_azuread.GetApplicationResult(app_roles=None, application_id=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, id=None, identifier_uris=None, logout_url=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, object_id=None, optional_claims=None, owners=None, reply_urls=None, required_resource_accesses=None, type=None)¶

A collection of values returned by getApplication.

app_roles = None¶: A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

application_id = None¶: the Application ID of the Azure Active Directory Application.

available_to_other_tenants = None¶: Is this Azure AD Application available to other tenants?

group_membership_claims = None¶: The groups claim issued in a user or OAuth 2.0 access token that the app expects.

id = None¶: The provider-assigned unique ID for this managed resource.

identifier_uris = None¶: A list of user-defined URI(s) that uniquely identify a Web application within it’s Azure AD tenant, or within a verified custom domain if the application is multi-tenant.

logout_url = None¶: The URL of the logout page.

name = None¶: The name of the optional claim.

oauth2_allow_implicit_flow = None¶: Does this Azure AD Application allow OAuth2.0 implicit flow tokens?

oauth2_permissions = None¶: A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by a oauth2_permission block as documented below.

object_id = None¶: the Object ID of the Azure Active Directory Application.

optional_claims = None¶: A collection of access_token or id_token blocks as documented below which list the optional claims configured for each token type. For more information see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

owners = None¶: A list of User Object IDs that are assigned ownership of the application registration.

reply_urls = None¶: A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.

required_resource_accesses = None¶: A collection of required_resource_access blocks as documented below.

type = None¶: The type of the permission

class pulumi_azuread.GetClientConfigResult(client_id=None, id=None, object_id=None, subscription_id=None, tenant_id=None)¶

A collection of values returned by getClientConfig.

id = None¶: The provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetDomainsResult(domains=None, id=None, include_unverified=None, only_default=None, only_initial=None)¶

A collection of values returned by getDomains.

domains = None¶: One or more domain blocks as defined below.

id = None¶: The provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetGroupResult(description=None, id=None, members=None, name=None, object_id=None, owners=None)¶

A collection of values returned by getGroup.

description = None¶: The description of the AD Group.

id = None¶: The provider-assigned unique ID for this managed resource.

members = None¶: The Object IDs of the Azure AD Group members.

name = None¶: The name of the Azure AD Group.

owners = None¶: The Object IDs of the Azure AD Group owners.

class pulumi_azuread.GetGroupsResult(id=None, names=None, object_ids=None)¶

A collection of values returned by getGroups.

id = None¶: The provider-assigned unique ID for this managed resource.

names = None¶: The Display Names of the Azure AD Groups.

object_ids = None¶: The Object IDs of the Azure AD Groups.

class pulumi_azuread.GetServicePrincipalResult(app_roles=None, application_id=None, display_name=None, id=None, oauth2_permissions=None, object_id=None)¶

A collection of values returned by getServicePrincipal.

display_name = None¶: Display name for the permission that appears in the admin consent and app assignment experiences.

id = None¶: The provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetUserResult(account_enabled=None, display_name=None, id=None, immutable_id=None, mail=None, mail_nickname=None, object_id=None, onpremises_sam_account_name=None, onpremises_user_principal_name=None, usage_location=None, user_principal_name=None)¶

A collection of values returned by getUser.

account_enabled = None¶: True if the account is enabled; otherwise False.

display_name = None¶: The Display Name of the Azure AD User.

id = None¶: The provider-assigned unique ID for this managed resource.

immutable_id = None¶: The value used to associate an on-premises Active Directory user account with their Azure AD user object.

mail = None¶: The primary email address of the Azure AD User.

mail_nickname = None¶: The email alias of the Azure AD User.

onpremises_sam_account_name = None¶: The on premise sam account name of the Azure AD User.

onpremises_user_principal_name = None¶: The on premise user principal name of the Azure AD User.

usage_location = None¶: The usage location of the Azure AD User.

user_principal_name = None¶: The User Principal Name of the Azure AD User.

class pulumi_azuread.GetUsersResult(id=None, mail_nicknames=None, object_ids=None, user_principal_names=None)¶

A collection of values returned by getUsers.

id = None¶: The provider-assigned unique ID for this managed resource.

mail_nicknames = None¶: The email aliases of the Azure AD Users.

object_ids = None¶: The Object IDs of the Azure AD Users.

user_principal_names = None¶: The User Principal Names of the Azure AD Users.

class pulumi_azuread.Group(resource_name, opts=None, description=None, members=None, name=None, owners=None, __props__=None, __name__=None, __opts__=None)¶

Create a Group resource with the given unique name, props, and options. :param str resource_name: The name of the resource. :param pulumi.ResourceOptions opts: Options for the resource. :param pulumi.Input[str] description: The description for the Group. Changing this forces a new resource to be created. :param pulumi.Input[list] members: A set of members who should be present in this Group. Supported Object types are Users, Groups or Service Principals. :param pulumi.Input[str] name: The display name for the Group. Changing this forces a new resource to be created. :param pulumi.Input[list] owners: A set of owners who own this Group. Supported Object types are Users or Service Principals.

description: pulumi.Output[str] = None¶: The description for the Group. Changing this forces a new resource to be created.

members: pulumi.Output[list] = None¶: A set of members who should be present in this Group. Supported Object types are Users, Groups or Service Principals.

name: pulumi.Output[str] = None¶: The display name for the Group. Changing this forces a new resource to be created.

owners: pulumi.Output[list] = None¶: A set of owners who own this Group. Supported Object types are Users or Service Principals.

static get(resource_name, id, opts=None, description=None, members=None, name=None, object_id=None, owners=None)¶

Get an existing Group resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
description (pulumi.Input[str]) – The description for the Group. Changing this forces a new resource to be created.
members (pulumi.Input[list]) – A set of members who should be present in this Group. Supported Object types are Users, Groups or Service Principals.
name (pulumi.Input[str]) – The display name for the Group. Changing this forces a new resource to be created.
owners (pulumi.Input[list]) – A set of owners who own this Group. Supported Object types are Users or Service Principals.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.GroupMember(resource_name, opts=None, group_object_id=None, member_object_id=None, __props__=None, __name__=None, __opts__=None)¶

Manages a single Group Membership within Azure Active Directory.

NOTE: Do not use this resource at the same time as azuread_group.members.

import pulumi
import pulumi_azuread as azuread

example_user = azuread.get_user(user_principal_name="jdoe@hashicorp.com")
example_group = azuread.Group("exampleGroup")
example_group_member = azuread.GroupMember("exampleGroupMember",
    group_object_id=example_group.id,
    member_object_id=example_user.id)

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
group_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Group you want to add the Member to. Changing this forces a new resource to be created.
member_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

group_object_id: pulumi.Output[str] = None¶: The Object ID of the Azure AD Group you want to add the Member to. Changing this forces a new resource to be created.

member_object_id: pulumi.Output[str] = None¶: The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

static get(resource_name, id, opts=None, group_object_id=None, member_object_id=None)¶

Get an existing GroupMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
group_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Group you want to add the Member to. Changing this forces a new resource to be created.
member_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.Provider(resource_name, opts=None, client_certificate_password=None, client_certificate_path=None, client_id=None, client_secret=None, environment=None, msi_endpoint=None, subscription_id=None, tenant_id=None, use_msi=None, __props__=None, __name__=None, __opts__=None)¶

The provider type for the azuread package. By default, resources use package-wide configuration settings, however an explicit Provider instance may be created and passed during resource construction to achieve fine-grained programmatic control over provider settings. See the documentation for more information.

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.ServicePrincipal(resource_name, opts=None, app_role_assignment_required=None, application_id=None, oauth2_permissions=None, tags=None, __props__=None, __name__=None, __opts__=None)¶

Manages a Service Principal associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API. Please see The Granting a Service Principal permission to manage AAD for the required steps.

import pulumi
import pulumi_azuread as azuread

example_application = azuread.Application("exampleApplication",
    available_to_other_tenants=False,
    homepage="http://homepage",
    identifier_uris=["http://uri"],
    oauth2_allow_implicit_flow=True,
    reply_urls=["http://replyurl"])
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
    app_role_assignment_required=False,
    application_id=example_application.application_id,
    tags=[
        "example",
        "tags",
        "here",
    ])

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
app_role_assignment_required (pulumi.Input[bool]) – Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to false.
application_id (pulumi.Input[str]) – The ID of the Azure AD Application for which to create a Service Principal.
oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a oauth2_permission block as documented below.
tags (pulumi.Input[list]) – A list of tags to apply to the Service Principal.

The oauth2_permissions object supports the following:

adminConsentDescription (pulumi.Input[str]) - The description of the admin consent.
adminConsentDisplayName (pulumi.Input[str]) - The display name of the admin consent.
id (pulumi.Input[str]) - The unique identifier for one of the OAuth2Permission.
isEnabled (pulumi.Input[bool]) - Is this permission enabled?
type (pulumi.Input[str]) - The type of the permission.
userConsentDescription (pulumi.Input[str]) - The description of the user consent.
userConsentDisplayName (pulumi.Input[str]) - The display name of the user consent.
value (pulumi.Input[str]) - The name of this permission.

app_role_assignment_required: pulumi.Output[bool] = None¶: Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to false.

application_id: pulumi.Output[str] = None¶: The ID of the Azure AD Application for which to create a Service Principal.

display_name: pulumi.Output[str] = None¶: The Display Name of the Azure Active Directory Application associated with this Service Principal.

oauth2_permissions: pulumi.Output[list] = None¶

A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a oauth2_permission block as documented below.

adminConsentDescription (str) - The description of the admin consent.
adminConsentDisplayName (str) - The display name of the admin consent.
id (str) - The unique identifier for one of the OAuth2Permission.
isEnabled (bool) - Is this permission enabled?
type (str) - The type of the permission.
userConsentDescription (str) - The description of the user consent.
userConsentDisplayName (str) - The display name of the user consent.
value (str) - The name of this permission.

object_id: pulumi.Output[str] = None¶: The Service Principal’s Object ID.

tags: pulumi.Output[list] = None¶: A list of tags to apply to the Service Principal.

static get(resource_name, id, opts=None, app_role_assignment_required=None, application_id=None, display_name=None, oauth2_permissions=None, object_id=None, tags=None)¶

Get an existing ServicePrincipal resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
app_role_assignment_required (pulumi.Input[bool]) – Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to false.
application_id (pulumi.Input[str]) – The ID of the Azure AD Application for which to create a Service Principal.
display_name (pulumi.Input[str]) – The Display Name of the Azure Active Directory Application associated with this Service Principal.
oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a oauth2_permission block as documented below.
object_id (pulumi.Input[str]) – The Service Principal’s Object ID.
tags (pulumi.Input[list]) – A list of tags to apply to the Service Principal.

The oauth2_permissions object supports the following:

adminConsentDescription (pulumi.Input[str]) - The description of the admin consent.
adminConsentDisplayName (pulumi.Input[str]) - The display name of the admin consent.
id (pulumi.Input[str]) - The unique identifier for one of the OAuth2Permission.
isEnabled (pulumi.Input[bool]) - Is this permission enabled?
type (pulumi.Input[str]) - The type of the permission.
userConsentDescription (pulumi.Input[str]) - The description of the user consent.
userConsentDisplayName (pulumi.Input[str]) - The display name of the user consent.
value (pulumi.Input[str]) - The name of this permission.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.ServicePrincipalCertificate(resource_name, opts=None, end_date=None, end_date_relative=None, key_id=None, service_principal_id=None, start_date=None, type=None, value=None, __props__=None, __name__=None, __opts__=None)¶

Manages a Certificate associated with a Service Principal within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example_application = azuread.Application("exampleApplication")
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal", application_id=example_application.application_id)
example_service_principal_certificate = azuread.ServicePrincipalCertificate("exampleServicePrincipalCertificate",
    end_date="2021-05-01T01:02:03Z",
    service_principal_id=example_service_principal.id,
    type="AsymmetricX509Cert",
    value=(lambda path: open(path).read())("cert.pem"))

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
end_date (pulumi.Input[str]) – The End Date which the Certificate is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Certificate is valid until, for example 240h (10 days) or 2400h30m. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Certificate. If not specified a GUID will be created. Changing this field forces a new resource to be created.
service_principal_id (pulumi.Input[str]) – The ID of the Service Principal for which this certificate should be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Certificate is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
type (pulumi.Input[str]) – The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.
value (pulumi.Input[str]) – The Certificate for this Service Principal.

end_date: pulumi.Output[str] = None¶: The End Date which the Certificate is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative: pulumi.Output[str] = None¶: A relative duration for which the Certificate is valid until, for example 240h (10 days) or 2400h30m. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Changing this field forces a new resource to be created.

key_id: pulumi.Output[str] = None¶: A GUID used to uniquely identify this Certificate. If not specified a GUID will be created. Changing this field forces a new resource to be created.

service_principal_id: pulumi.Output[str] = None¶: The ID of the Service Principal for which this certificate should be created. Changing this field forces a new resource to be created.

start_date: pulumi.Output[str] = None¶: The Start Date which the Certificate is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

type: pulumi.Output[str] = None¶: The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.

value: pulumi.Output[str] = None¶: The Certificate for this Service Principal.

static get(resource_name, id, opts=None, end_date=None, end_date_relative=None, key_id=None, service_principal_id=None, start_date=None, type=None, value=None)¶

Get an existing ServicePrincipalCertificate resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
end_date (pulumi.Input[str]) – The End Date which the Certificate is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Certificate is valid until, for example 240h (10 days) or 2400h30m. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Certificate. If not specified a GUID will be created. Changing this field forces a new resource to be created.
service_principal_id (pulumi.Input[str]) – The ID of the Service Principal for which this certificate should be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Certificate is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
type (pulumi.Input[str]) – The type of key/certificate. Must be one of AsymmetricX509Cert or Symmetric. Changing this fields forces a new resource to be created.
value (pulumi.Input[str]) – The Certificate for this Service Principal.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.ServicePrincipalPassword(resource_name, opts=None, description=None, end_date=None, end_date_relative=None, key_id=None, service_principal_id=None, start_date=None, value=None, __props__=None, __name__=None, __opts__=None)¶

Manages a Password associated with a Service Principal within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example_application = azuread.Application("exampleApplication",
    available_to_other_tenants=False,
    homepage="http://homepage",
    identifier_uris=["http://uri"],
    oauth2_allow_implicit_flow=True,
    reply_urls=["http://replyurl"])
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal", application_id=example_application.application_id)
example_service_principal_password = azuread.ServicePrincipalPassword("exampleServicePrincipalPassword",
    description="My managed password",
    end_date="2099-01-01T01:02:03Z",
    service_principal_id=example_service_principal.id,
    value="VT=uSgbTanZhyz@%nL9Hpd+Tfay_MRV#")

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
description (pulumi.Input[str]) – A description for the Password.
end_date (pulumi.Input[str]) – The End Date which the Password is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid until, for example 240h (10 days) or 2400h30m. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Key. If not specified a GUID will be created. Changing this field forces a new resource to be created.
service_principal_id (pulumi.Input[str]) – The ID of the Service Principal for which this password should be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Password is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
value (pulumi.Input[str]) – The Password for this Service Principal.

description: pulumi.Output[str] = None¶: A description for the Password.

end_date: pulumi.Output[str] = None¶: The End Date which the Password is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative: pulumi.Output[str] = None¶: A relative duration for which the Password is valid until, for example 240h (10 days) or 2400h30m. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Changing this field forces a new resource to be created.

key_id: pulumi.Output[str] = None¶: A GUID used to uniquely identify this Key. If not specified a GUID will be created. Changing this field forces a new resource to be created.

service_principal_id: pulumi.Output[str] = None¶: The ID of the Service Principal for which this password should be created. Changing this field forces a new resource to be created.

start_date: pulumi.Output[str] = None¶: The Start Date which the Password is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

value: pulumi.Output[str] = None¶: The Password for this Service Principal.

static get(resource_name, id, opts=None, description=None, end_date=None, end_date_relative=None, key_id=None, service_principal_id=None, start_date=None, value=None)¶

Get an existing ServicePrincipalPassword resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
description (pulumi.Input[str]) – A description for the Password.
end_date (pulumi.Input[str]) – The End Date which the Password is valid until, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.
end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid until, for example 240h (10 days) or 2400h30m. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. Changing this field forces a new resource to be created.
key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Key. If not specified a GUID will be created. Changing this field forces a new resource to be created.
service_principal_id (pulumi.Input[str]) – The ID of the Service Principal for which this password should be created. Changing this field forces a new resource to be created.
start_date (pulumi.Input[str]) – The Start Date which the Password is valid from, formatted as a RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.
value (pulumi.Input[str]) – The Password for this Service Principal.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

class pulumi_azuread.User(resource_name, opts=None, account_enabled=None, display_name=None, force_password_change=None, immutable_id=None, mail_nickname=None, password=None, usage_location=None, user_principal_name=None, __props__=None, __name__=None, __opts__=None)¶

Manages a User within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Directory.ReadWrite.All within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example = azuread.User("example",
    display_name="J. Doe",
    mail_nickname="jdoe",
    password="SecretP@sswd99!",
    user_principal_name="jdo@hashicorp.com")

Parameters

resource_name (str) – The name of the resource.
opts (pulumi.ResourceOptions) – Options for the resource.
account_enabled (pulumi.Input[bool]) – true if the account should be enabled, otherwise false. Defaults to true.
display_name (pulumi.Input[str]) – The name to display in the address book for the user.
force_password_change (pulumi.Input[bool]) – true if the User is forced to change the password during the next sign-in. Defaults to false.
immutable_id (pulumi.Input[str]) – The value used to associate an on-premises Active Directory user account with their Azure AD user object. This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account.
mail_nickname (pulumi.Input[str]) – The mail alias for the user. Defaults to the user name part of the User Principal Name.
password (pulumi.Input[str]) – The password for the User. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters.
usage_location (pulumi.Input[str]) – The usage location of the User. Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. The usage location is a two letter country code (ISO standard 3166). Examples include: NO, JP, and GB. Cannot be reset to null once set.
user_principal_name (pulumi.Input[str]) – The User Principal Name of the Azure AD User.

account_enabled: pulumi.Output[bool] = None¶: true if the account should be enabled, otherwise false. Defaults to true.

display_name: pulumi.Output[str] = None¶: The name to display in the address book for the user.

force_password_change: pulumi.Output[bool] = None¶: true if the User is forced to change the password during the next sign-in. Defaults to false.

immutable_id: pulumi.Output[str] = None¶: The value used to associate an on-premises Active Directory user account with their Azure AD user object. This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account.

mail: pulumi.Output[str] = None¶: The primary email address of the Azure AD User.

mail_nickname: pulumi.Output[str] = None¶: The mail alias for the user. Defaults to the user name part of the User Principal Name.

object_id: pulumi.Output[str] = None¶: The Object ID of the Azure AD User.

onpremises_sam_account_name: pulumi.Output[str] = None¶: The on premise sam account name of the Azure AD User.

onpremises_user_principal_name: pulumi.Output[str] = None¶: The on premise user principal name of the Azure AD User.

password: pulumi.Output[str] = None¶: The password for the User. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters.

usage_location: pulumi.Output[str] = None¶: The usage location of the User. Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. The usage location is a two letter country code (ISO standard 3166). Examples include: NO, JP, and GB. Cannot be reset to null once set.

user_principal_name: pulumi.Output[str] = None¶: The User Principal Name of the Azure AD User.

static get(resource_name, id, opts=None, account_enabled=None, display_name=None, force_password_change=None, immutable_id=None, mail=None, mail_nickname=None, object_id=None, onpremises_sam_account_name=None, onpremises_user_principal_name=None, password=None, usage_location=None, user_principal_name=None)¶

Get an existing User resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

resource_name (str) – The unique name of the resulting resource.
id (str) – The unique provider ID of the resource to lookup.
opts (pulumi.ResourceOptions) – Options for the resource.
account_enabled (pulumi.Input[bool]) – true if the account should be enabled, otherwise false. Defaults to true.
display_name (pulumi.Input[str]) – The name to display in the address book for the user.
force_password_change (pulumi.Input[bool]) – true if the User is forced to change the password during the next sign-in. Defaults to false.
immutable_id (pulumi.Input[str]) – The value used to associate an on-premises Active Directory user account with their Azure AD user object. This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account.
mail (pulumi.Input[str]) – The primary email address of the Azure AD User.
mail_nickname (pulumi.Input[str]) – The mail alias for the user. Defaults to the user name part of the User Principal Name.
object_id (pulumi.Input[str]) – The Object ID of the Azure AD User.
onpremises_sam_account_name (pulumi.Input[str]) – The on premise sam account name of the Azure AD User.
onpremises_user_principal_name (pulumi.Input[str]) – The on premise user principal name of the Azure AD User.
password (pulumi.Input[str]) – The password for the User. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters.
usage_location (pulumi.Input[str]) – The usage location of the User. Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. The usage location is a two letter country code (ISO standard 3166). Examples include: NO, JP, and GB. Cannot be reset to null once set.
user_principal_name (pulumi.Input[str]) – The User Principal Name of the Azure AD User.

translate_output_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

translate_input_property(prop)¶

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters: prop (str) – A property name.
Returns: A potentially transformed property name.
Return type: str

pulumi_azuread.get_application(name=None, oauth2_permissions=None, object_id=None, optional_claims=None, opts=None)¶

Use this data source to access information about an existing Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all (or owned by) applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example = azuread.get_application(name="My First AzureAD Application")
pulumi.export("azureAdObjectId", example.id)

Parameters

name (str) – Specifies the name of the Application within Azure Active Directory.
oauth2_permissions (list) – A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by a oauth2_permission block as documented below.
object_id (str) – Specifies the Object ID of the Application within Azure Active Directory.
optional_claims (dict) – A collection of access_token or id_token blocks as documented below which list the optional claims configured for each token type. For more information see https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

The oauth2_permissions object supports the following:

adminConsentDescription (str) - The description of the admin consent
adminConsentDisplayName (str) - The display name of the admin consent
id (str) - The unique identifier of the app_role.
isEnabled (bool) - Determines if the app role is enabled.
type (str) - The type of the permission
userConsentDescription (str) - The description of the user consent
userConsentDisplayName (str) - The display name of the user consent
value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The optional_claims object supports the following:

accessTokens (list)
- additionalProperties (list) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (bool) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (str) - Specifies the name of the Application within Azure Active Directory.
- source (str) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.
idTokens (list)
- additionalProperties (list) - List of Additional Properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
- essential (bool) - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- name (str) - Specifies the name of the Application within Azure Active Directory.
- source (str) - The source of the claim. If source is absent, the claim is a predefined optional claim. If source is user, the value of name is the extension property from the user object.

pulumi_azuread.get_client_config(opts=None)¶

Use this data source to access the configuration of the AzureRM provider.

import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
pulumi.export("accountId", current.client_id)

pulumi_azuread.get_domains(include_unverified=None, only_default=None, only_initial=None, opts=None)¶

Use this data source to access information about an existing Domains within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Directory.Read.All within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

aad_domains = azuread.get_domains()
pulumi.export("domains", aad_domains.domains)

Parameters

include_unverified (bool) – Set to true if unverified Azure AD Domains should be included. Defaults to false.
only_default (bool) – Set to true to only return the default domain.
only_initial (bool) – Set to true to only return the initial domain, which is your primary Azure Active Directory tenant domain. Defaults to false.

pulumi_azuread.get_group(name=None, object_id=None, opts=None)¶

Gets information about an Azure Active Directory group.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example = azuread.get_group(name="A-AD-Group")

Parameters

name (str) – The Name of the AD Group we want to lookup.
object_id (str) – Specifies the Object ID of the AD Group within Azure Active Directory.

pulumi_azuread.get_groups(names=None, object_ids=None, opts=None)¶

Gets Object IDs or Display Names for multiple Azure Active Directory groups.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

groups = azuread.get_groups(names=[
    "group-a",
    "group-b",
])

Parameters

names (list) – The Display Names of the Azure AD Groups.
object_ids (list) – The Object IDs of the Azure AD Groups.

pulumi_azuread.get_service_principal(application_id=None, display_name=None, oauth2_permissions=None, object_id=None, opts=None)¶

Gets information about an existing Service Principal associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example = azuread.get_service_principal(display_name="my-awesome-application")

import pulumi
import pulumi_azuread as azuread

example = azuread.get_service_principal(application_id="00000000-0000-0000-0000-000000000000")

import pulumi
import pulumi_azuread as azuread

example = azuread.get_service_principal(object_id="00000000-0000-0000-0000-000000000000")

Parameters

application_id (str) – The ID of the Azure AD Application.
display_name (str) – The Display Name of the Azure AD Application associated with this Service Principal.
oauth2_permissions (list) – A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by a oauth2_permission block as documented below.
object_id (str) – The ID of the Azure AD Service Principal.

The oauth2_permissions object supports the following:

adminConsentDescription (str) - The description of the admin consent
adminConsentDisplayName (str) - The display name of the admin consent
id (str) - The unique identifier of the app_role.
isEnabled (bool) - Determines if the app role is enabled.
type (str) - The type of the permission
userConsentDescription (str) - The description of the user consent
userConsentDisplayName (str) - The display name of the user consent
value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

pulumi_azuread.get_user(mail_nickname=None, object_id=None, user_principal_name=None, opts=None)¶

Gets information about an Azure Active Directory user.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

example = azuread.get_user(user_principal_name="user@hashicorp.com")

Parameters

mail_nickname (str) – The email alias of the Azure AD User.
object_id (str) – Specifies the Object ID of the Application within Azure Active Directory.
user_principal_name (str) – The User Principal Name of the Azure AD User.

pulumi_azuread.get_users(mail_nicknames=None, object_ids=None, user_principal_names=None, opts=None)¶

Gets Object IDs or UPNs for multiple Azure Active Directory users.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

import pulumi
import pulumi_azuread as azuread

users = azuread.get_users(user_principal_names=[
    "kat@hashicorp.com",
    "byte@hashicorp.com",
])

Parameters

mail_nicknames (list) – The email aliases of the Azure AD Users.
object_ids (list) – The Object IDs of the Azure AD Users.
user_principal_names (list) – The User Principal Names of the Azure AD Users.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Pulumi Azure Active Directory¶

On This Page