Pulumi Azure Active Directory

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-azuread repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-azuread repo.

class pulumi_azuread.Application(resource_name, opts=None, app_roles=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, identifier_uris=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, public_client=None, reply_urls=None, required_resource_accesses=None, type=None, __props__=None, __name__=None, __opts__=None)

Manages an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write owned by applications and Sign in and read user profile within the Windows Azure Active Directory API.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • app_roles (pulumi.Input[list]) – A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

  • available_to_other_tenants (pulumi.Input[bool]) – Is this Azure AD Application available to other tenants? Defaults to false.

  • group_membership_claims (pulumi.Input[str]) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup or All.

  • homepage (pulumi.Input[str]) – The URL to the application’s home page. If no homepage is specified this defaults to https://{name}.

  • identifier_uris (pulumi.Input[list]) – A list of user-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.

  • name (pulumi.Input[str]) – The display name for the application.

  • oauth2_allow_implicit_flow (pulumi.Input[bool]) – Does this Azure AD Application allow OAuth2.0 implicit flow tokens? Defaults to false.

  • oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by an oauth2_permission block as documented below.

  • public_client (pulumi.Input[bool]) – Is this Azure AD Application a public client? Defaults to false.

  • reply_urls (pulumi.Input[list]) – A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.

  • required_resource_accesses (pulumi.Input[list]) – A collection of required_resource_access blocks as documented below.

  • type (pulumi.Input[str]) – Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

The app_roles object supports the following:

  • allowedMemberTypes (pulumi.Input[list]) - Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in daemon service scenarios) by setting to Application, or to both.

  • description (pulumi.Input[str]) - Permission help text that appears in the admin app assignment and consent experiences.

  • display_name (pulumi.Input[str]) - Display name for the permission that appears in the admin consent and app assignment experiences.

  • id (pulumi.Input[str]) - The unique identifier of the app_role.

  • isEnabled (pulumi.Input[bool]) - Determines if the app role is enabled. Defaults to true.

  • value (pulumi.Input[str]) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The oauth2_permissions object supports the following:

  • adminConsentDescription (pulumi.Input[str]) - The description of the admin consent.

  • adminConsentDisplayName (pulumi.Input[str]) - The display name of the admin consent.

  • id (pulumi.Input[str]) - The unique identifier of the app_role.

  • isEnabled (pulumi.Input[bool]) - Determines if the app role is enabled. Defaults to true.

  • type (pulumi.Input[str]) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

  • userConsentDescription (pulumi.Input[str]) - The description of the user consent.

  • userConsentDisplayName (pulumi.Input[str]) - The display name of the user consent.

  • value (pulumi.Input[str]) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The required_resource_accesses object supports the following:

  • resourceAccesses (pulumi.Input[list]) - A collection of resource_access blocks as documented below.

    • id (pulumi.Input[str]) - The unique identifier of the app_role.

    • type (pulumi.Input[str]) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

  • resourceAppId (pulumi.Input[str]) - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
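The Application inputs above carry most of the security posture of an app registration (implicit flow, multi-tenancy, public client, redirect URIs, groups claim, app roles and requested permissions). The following pre-deployment check is an added example, not code from the pulumi_azuread package: it takes the same property names the Application constructor accepts, as a plain dict, and returns the findings a reviewer would want resolved before the resource is created. The loopback allow-list and the GUIDs in the test are constructed placeholders.

```python
"""Policy check over pulumi_azuread.Application inputs (added example, not part
of pulumi_azuread). The dict keys mirror the constructor's parameter names."""
from urllib.parse import urlparse

# Hostnames where a plain-http redirect URI is tolerated for local development
# (assumption of this example, not a rule stated by the provider).
_LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def _check_reply_url(url):
    """Return a finding for one reply_urls entry, or None if it is acceptable."""
    parsed = urlparse(url)
    if "*" in url:
        return f"reply_urls: {url!r} contains a wildcard; redirect URIs must match exactly"
    if parsed.scheme == "https":
        return None
    if parsed.scheme == "http" and parsed.hostname in _LOOPBACK:
        return None
    return f"reply_urls: {url!r} is not https; authorization codes and tokens would travel in clear"


def lint_application(props):
    """Inspect Application inputs and return a list of human-readable findings."""
    findings = []

    if props.get("oauth2_allow_implicit_flow"):
        findings.append("oauth2_allow_implicit_flow: implicit flow returns tokens in the URL "
                        "fragment; prefer the authorization code flow")
    if props.get("available_to_other_tenants"):
        findings.append("available_to_other_tenants: users from any tenant can sign in; the app "
                        "must validate the token issuer/tenant itself")
    if props.get("public_client"):
        findings.append("public_client: the application cannot hold a secret, so reply_urls "
                        "are the only thing binding codes to this client")
    if props.get("group_membership_claims") == "All":
        findings.append("group_membership_claims: 'All' emits the broadest groups claim; use "
                        "SecurityGroup or None unless the app really needs it")

    for url in props.get("reply_urls") or []:
        finding = _check_reply_url(url)
        if finding:
            findings.append(finding)

    # App roles assignable to other applications grant daemon (no signed-in user) access.
    for role in props.get("app_roles") or []:
        member_types = role.get("allowedMemberTypes") or []
        if "Application" in member_types and role.get("isEnabled", True):
            findings.append(f"app_roles: {role.get('value')!r} can be assigned to other "
                            "applications (daemon access); confirm this is intended")

    # type == "Role" in a resource_access block is an application permission:
    # it is exercised without a user and needs admin consent.
    for rra in props.get("required_resource_accesses") or []:
        for access in rra.get("resourceAccesses") or []:
            if access.get("type") == "Role":
                findings.append(f"required_resource_accesses: resource {rra.get('resourceAppId')} "
                                f"permission {access.get('id')} is an application permission (Role)")
    return findings
```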

app_roles = None

A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

  • allowedMemberTypes (list) - Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in daemon service scenarios) by setting to Application, or to both.

  • description (str) - Permission help text that appears in the admin app assignment and consent experiences.

  • display_name (str) - Display name for the permission that appears in the admin consent and app assignment experiences.

  • id (str) - The unique identifier of the app_role.

  • isEnabled (bool) - Determines if the app role is enabled. Defaults to true.

  • value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

application_id = None

The Application ID.

available_to_other_tenants = None

Is this Azure AD Application available to other tenants? Defaults to false.

group_membership_claims = None

Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup or All.

homepage = None

The URL to the application’s home page. If no homepage is specified this defaults to https://{name}.

identifier_uris = None

A list of user-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.

name = None

The display name for the application.

oauth2_allow_implicit_flow = None

Does this Azure AD Application allow OAuth2.0 implicit flow tokens? Defaults to false.

oauth2_permissions = None

A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by an oauth2_permission block as documented below.

  • adminConsentDescription (str) - The description of the admin consent.

  • adminConsentDisplayName (str) - The display name of the admin consent.

  • id (str) - The unique identifier of the app_role.

  • isEnabled (bool) - Determines if the app role is enabled. Defaults to true.

  • type (str) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

  • userConsentDescription (str) - The description of the user consent.

  • userConsentDisplayName (str) - The display name of the user consent.

  • value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

object_id = None

The Application’s Object ID.

public_client = None

Is this Azure AD Application a public client? Defaults to false.

reply_urls = None

A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.

required_resource_accesses = None

A collection of required_resource_access blocks as documented below.

  • resourceAccesses (list) - A collection of resource_access blocks as documented below.

    • id (str) - The unique identifier of the app_role.

    • type (str) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

  • resourceAppId (str) - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

type = None

Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

static get(resource_name, id, opts=None, app_roles=None, application_id=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, identifier_uris=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, object_id=None, public_client=None, reply_urls=None, required_resource_accesses=None, type=None)

Get an existing Application resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • app_roles (pulumi.Input[list]) – A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

  • application_id (pulumi.Input[str]) – The Application ID.

  • available_to_other_tenants (pulumi.Input[bool]) – Is this Azure AD Application available to other tenants? Defaults to false.

  • group_membership_claims (pulumi.Input[str]) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Defaults to SecurityGroup. Possible values are None, SecurityGroup or All.

  • homepage (pulumi.Input[str]) – The URL to the application’s home page. If no homepage is specified this defaults to https://{name}.

  • identifier_uris (pulumi.Input[list]) – A list of user-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.

  • name (pulumi.Input[str]) – The display name for the application.

  • oauth2_allow_implicit_flow (pulumi.Input[bool]) – Does this Azure AD Application allow OAuth2.0 implicit flow tokens? Defaults to false.

  • oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by an oauth2_permission block as documented below.

  • object_id (pulumi.Input[str]) – The Application’s Object ID.

  • public_client (pulumi.Input[bool]) – Is this Azure AD Application a public client? Defaults to false.

  • reply_urls (pulumi.Input[list]) – A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.

  • required_resource_accesses (pulumi.Input[list]) – A collection of required_resource_access blocks as documented below.

  • type (pulumi.Input[str]) – Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

The app_roles object supports the following:

  • allowedMemberTypes (pulumi.Input[list]) - Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in daemon service scenarios) by setting to Application, or to both.

  • description (pulumi.Input[str]) - Permission help text that appears in the admin app assignment and consent experiences.

  • display_name (pulumi.Input[str]) - Display name for the permission that appears in the admin consent and app assignment experiences.

  • id (pulumi.Input[str]) - The unique identifier of the app_role.

  • isEnabled (pulumi.Input[bool]) - Determines if the app role is enabled. Defaults to true.

  • value (pulumi.Input[str]) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The oauth2_permissions object supports the following:

  • adminConsentDescription (pulumi.Input[str]) - The description of the admin consent.

  • adminConsentDisplayName (pulumi.Input[str]) - The display name of the admin consent.

  • id (pulumi.Input[str]) - The unique identifier of the app_role.

  • isEnabled (pulumi.Input[bool]) - Determines if the app role is enabled. Defaults to true.

  • type (pulumi.Input[str]) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

  • userConsentDescription (pulumi.Input[str]) - The description of the user consent.

  • userConsentDisplayName (pulumi.Input[str]) - The display name of the user consent.

  • value (pulumi.Input[str]) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The required_resource_accesses object supports the following:

  • resourceAccesses (pulumi.Input[list]) - A collection of resource_access blocks as documented below.

    • id (pulumi.Input[str]) - The unique identifier of the app_role.

    • type (pulumi.Input[str]) - Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are Scope or Role.

  • resourceAppId (pulumi.Input[str]) - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.ApplicationPassword(resource_name, opts=None, application_id=None, application_object_id=None, end_date=None, end_date_relative=None, key_id=None, start_date=None, value=None, __props__=None, __name__=None, __opts__=None)

Manages a Password associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • application_object_id (pulumi.Input[str]) – The Object ID of the Application for which this password should be created. Changing this field forces a new resource to be created.

  • end_date (pulumi.Input[str]) – The End Date which the Password is valid until, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

  • end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

  • key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Password. If not specified a GUID will be created. Changing this field forces a new resource to be created.

  • start_date (pulumi.Input[str]) – The Start Date which the Password is valid from, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

  • value (pulumi.Input[str]) – The Password for this Application.
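The validity window of an ApplicationPassword is defined by start_date, end_date and end_date_relative in the formats described above. The helper below is an added example, not code from the pulumi_azuread package: it parses those formats (the RFC3339 timestamp and the 240h / 2400h30m duration style, restricted here to h, m and s units), computes the effective expiry and flags secrets whose lifetime exceeds a maximum you choose. The 90-day default and the rule that end_date and end_date_relative are not both set are assumptions of this example.

```python
"""Lifetime policy for pulumi_azuread.ApplicationPassword inputs (added example,
not part of pulumi_azuread). Keys mirror the constructor's parameter names."""
import re
from datetime import datetime, timedelta, timezone

# Duration grammar accepted here: one or more <number><unit> pairs, units h/m/s
# (assumption of this example; the provider documents 240h and 2400h30m).
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_relative(duration):
    """Parse an end_date_relative value such as '240h' or '2400h30m' into a timedelta."""
    total, pos = 0.0, 0
    for match in _DURATION_RE.finditer(duration):
        if match.start() != pos:            # junk between components
            raise ValueError(f"bad duration {duration!r}")
        total += float(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(duration):    # empty or trailing junk
        raise ValueError(f"bad duration {duration!r}")
    return timedelta(seconds=total)


def parse_rfc3339(value):
    """Parse an RFC3339 timestamp (e.g. 2018-01-01T01:02:03Z) into an aware UTC datetime."""
    if value.endswith("Z"):                 # fromisoformat() rejects 'Z' before Python 3.11
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"{value!r} must carry a UTC offset")
    return parsed.astimezone(timezone.utc)


def effective_window(props, now=None):
    """Return (start, end) for the password described by props."""
    now = now or datetime.now(timezone.utc)
    start = parse_rfc3339(props["start_date"]) if props.get("start_date") else now
    has_abs, has_rel = bool(props.get("end_date")), bool(props.get("end_date_relative"))
    if has_abs == has_rel:                  # both or neither (assumption: exactly one)
        raise ValueError("set exactly one of end_date or end_date_relative")
    end = parse_rfc3339(props["end_date"]) if has_abs else start + parse_relative(props["end_date_relative"])
    return start, end


def check_password_lifetime(props, max_lifetime=timedelta(days=90), now=None):
    """Return findings for a password whose window violates the lifetime policy."""
    now = now or datetime.now(timezone.utc)
    start, end = effective_window(props, now)
    findings = []
    if end <= start:
        findings.append("end_date is not after start_date")
    elif end - start > max_lifetime:
        findings.append(f"lifetime {end - start} exceeds the maximum of {max_lifetime}")
    if end <= now:
        findings.append("password is already expired")
    if props.get("value") is not None:
        findings.append("value is supplied by the program: take it from secret config, never a literal")
    return findings
```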

application_object_id = None

The Object ID of the Application for which this password should be created. Changing this field forces a new resource to be created.

end_date = None

The End Date which the Password is valid until, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative = None

A relative duration for which the Password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

key_id = None

A GUID used to uniquely identify this Password. If not specified a GUID will be created. Changing this field forces a new resource to be created.

start_date = None

The Start Date which the Password is valid from, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

value = None

The Password for this Application.

static get(resource_name, id, opts=None, application_id=None, application_object_id=None, end_date=None, end_date_relative=None, key_id=None, start_date=None, value=None)

Get an existing ApplicationPassword resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • application_object_id (pulumi.Input[str]) – The Object ID of the Application for which this password should be created. Changing this field forces a new resource to be created.

  • end_date (pulumi.Input[str]) – The End Date which the Password is valid until, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

  • end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

  • key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Password. If not specified a GUID will be created. Changing this field forces a new resource to be created.

  • start_date (pulumi.Input[str]) – The Start Date which the Password is valid from, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

  • value (pulumi.Input[str]) – The Password for this Application.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.AwaitableGetApplicationResult(app_roles=None, application_id=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, identifier_uris=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, object_id=None, reply_urls=None, required_resource_accesses=None, type=None, id=None)

class pulumi_azuread.AwaitableGetDomainsResult(domains=None, include_unverified=None, only_default=None, only_initial=None, id=None)

class pulumi_azuread.AwaitableGetGroupResult(members=None, name=None, object_id=None, owners=None, id=None)

class pulumi_azuread.AwaitableGetGroupsResult(names=None, object_ids=None, id=None)

class pulumi_azuread.AwaitableGetServicePrincipalResult(app_roles=None, application_id=None, display_name=None, oauth2_permissions=None, object_id=None, id=None)

class pulumi_azuread.AwaitableGetUserResult(account_enabled=None, display_name=None, mail=None, mail_nickname=None, object_id=None, user_principal_name=None, id=None)

class pulumi_azuread.AwaitableGetUsersResult(object_ids=None, user_principal_names=None, id=None)
class pulumi_azuread.GetApplicationResult(app_roles=None, application_id=None, available_to_other_tenants=None, group_membership_claims=None, homepage=None, identifier_uris=None, name=None, oauth2_allow_implicit_flow=None, oauth2_permissions=None, object_id=None, reply_urls=None, required_resource_accesses=None, type=None, id=None)

A collection of values returned by getApplication.

app_roles = None

A collection of app_role blocks as documented below. For more information https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

application_id = None

The Application ID of the Azure Active Directory Application.

available_to_other_tenants = None

Is this Azure AD Application available to other tenants?

group_membership_claims = None

The groups claim issued in a user or OAuth 2.0 access token that the app expects.

identifier_uris = None

A list of user-defined URI(s) that uniquely identify a Web application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.

oauth2_allow_implicit_flow = None

Does this Azure AD Application allow OAuth2.0 implicit flow tokens?

oauth2_permissions = None

A collection of OAuth 2.0 permission scopes that the web API (resource) app exposes to client apps. Each permission is covered by an oauth2_permission block as documented below.

object_id = None

The Object ID of the Azure Active Directory Application.

reply_urls = None

A list of URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to.

required_resource_accesses = None

A collection of required_resource_access blocks as documented below.

type = None

The type of the permission.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetDomainsResult(domains=None, include_unverified=None, only_default=None, only_initial=None, id=None)

A collection of values returned by getDomains.

domains = None

One or more domain blocks as defined below.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetGroupResult(members=None, name=None, object_id=None, owners=None, id=None)

A collection of values returned by getGroup.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetGroupsResult(names=None, object_ids=None, id=None)

A collection of values returned by getGroups.

names = None

The Display Names of the Azure AD Groups.

object_ids = None

The Object IDs of the Azure AD Groups.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetServicePrincipalResult(app_roles=None, application_id=None, display_name=None, oauth2_permissions=None, object_id=None, id=None)

A collection of values returned by getServicePrincipal.

display_name = None

Display name for the permission that appears in the admin consent and app assignment experiences.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetUserResult(account_enabled=None, display_name=None, mail=None, mail_nickname=None, object_id=None, user_principal_name=None, id=None)

A collection of values returned by getUser.

account_enabled = None

True if the account is enabled; otherwise False.

display_name = None

The Display Name of the Azure AD User.

mail = None

The primary email address of the Azure AD User.

mail_nickname = None

The email alias of the Azure AD User.

user_principal_name = None

The User Principal Name of the Azure AD User.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.GetUsersResult(object_ids=None, user_principal_names=None, id=None)

A collection of values returned by getUsers.

object_ids = None

The Object IDs of the Azure AD Users.

user_principal_names = None

The User Principal Names of the Azure AD Users.

id = None

id is the provider-assigned unique ID for this managed resource.

class pulumi_azuread.Group(resource_name, opts=None, members=None, name=None, owners=None, __props__=None, __name__=None, __opts__=None)

Manages a Group within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read and write all groups within the Windows Azure Active Directory API. In addition it must also have either the Company Administrator or User Account Administrator Azure Active Directory roles assigned in order to be able to delete groups. You can assign one of the required Azure Active Directory Roles with the AzureAD PowerShell Module, which is available for Windows PowerShell or in the Azure Cloud Shell. Please refer to this documentation for more details.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • members (pulumi.Input[list]) – A set of members who should be present in this Group. Supported Object types are Users, Groups or Service Principals.

  • name (pulumi.Input[str]) – The display name for the Group. Changing this forces a new resource to be created.

  • owners (pulumi.Input[list]) – A set of owners who own this Group. Supported Object types are Users or Service Principals.

members = None

A set of members who should be present in this Group. Supported Object types are Users, Groups or Service Principals.

name = None

The display name for the Group. Changing this forces a new resource to be created.

owners = None

A set of owners who own this Group. Supported Object types are Users or Service Principals.

static get(resource_name, id, opts=None, members=None, name=None, object_id=None, owners=None)

Get an existing Group resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • members (pulumi.Input[list]) – A set of members who should be present in this Group. Supported Object types are Users, Groups or Service Principals.

  • name (pulumi.Input[str]) – The display name for the Group. Changing this forces a new resource to be created.

  • owners (pulumi.Input[list]) – A set of owners who own this Group. Supported Object types are Users or Service Principals.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.GroupMember(resource_name, opts=None, group_object_id=None, member_object_id=None, __props__=None, __name__=None, __opts__=None)

Manages a single Group Membership within Azure Active Directory.

NOTE: Do not use this resource at the same time as azuread_group.members.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • group_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Group you want to add the Member to. Changing this forces a new resource to be created.

  • member_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

group_object_id = None

The Object ID of the Azure AD Group you want to add the Member to. Changing this forces a new resource to be created.

member_object_id = None

The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

static get(resource_name, id, opts=None, group_object_id=None, member_object_id=None)

Get an existing GroupMember resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • group_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Group you want to add the Member to. Changing this forces a new resource to be created.

  • member_object_id (pulumi.Input[str]) – The Object ID of the Azure AD Object you want to add as a Member to the Group. Supported Object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.Provider(resource_name, opts=None, client_certificate_password=None, client_certificate_path=None, client_id=None, client_secret=None, environment=None, msi_endpoint=None, subscription_id=None, tenant_id=None, use_msi=None, __props__=None, __name__=None, __opts__=None)

The provider type for the azuread package. By default, resources use package-wide configuration settings, however an explicit Provider instance may be created and passed during resource construction to achieve fine-grained programmatic control over provider settings. See the documentation for more information.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

static get(resource_name, id, opts=None)

Get an existing Provider resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.ServicePrincipal(resource_name, opts=None, app_role_assignment_required=None, application_id=None, oauth2_permissions=None, tags=None, __props__=None, __name__=None, __opts__=None)

Manages a Service Principal associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API. Please see the guide on granting a Service Principal permission to manage AAD for the required steps.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • app_role_assignment_required (pulumi.Input[bool]) – Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to false.

  • application_id (pulumi.Input[str]) – The ID of the Azure AD Application for which to create a Service Principal.

  • oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by an oauth2_permission block as documented below.

  • tags (pulumi.Input[list]) – A list of tags to apply to the Service Principal.

The oauth2_permissions object supports the following:

  • adminConsentDescription (pulumi.Input[str]) - The description of the admin consent.

  • adminConsentDisplayName (pulumi.Input[str]) - The display name of the admin consent.

  • id (pulumi.Input[str]) - The unique identifier of this OAuth2Permission.

  • isEnabled (pulumi.Input[bool]) - Is this permission enabled?

  • type (pulumi.Input[str]) - The type of the permission.

  • userConsentDescription (pulumi.Input[str]) - The description of the user consent.

  • userConsentDisplayName (pulumi.Input[str]) - The display name of the user consent.

  • value (pulumi.Input[str]) - The name of this permission.

app_role_assignment_required = None

Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to false.

application_id = None

The ID of the Azure AD Application for which to create a Service Principal.

display_name = None

The Display Name of the Azure Active Directory Application associated with this Service Principal.

oauth2_permissions = None

A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by an oauth2_permission block as documented below.

  • adminConsentDescription (str) - The description of the admin consent.

  • adminConsentDisplayName (str) - The display name of the admin consent.

  • id (str) - The unique identifier of this OAuth2Permission.

  • isEnabled (bool) - Is this permission enabled?

  • type (str) - The type of the permission.

  • userConsentDescription (str) - The description of the user consent.

  • userConsentDisplayName (str) - The display name of the user consent.

  • value (str) - The name of this permission.

object_id = None

The Service Principal’s Object ID.

tags = None

A list of tags to apply to the Service Principal.

static get(resource_name, id, opts=None, app_role_assignment_required=None, application_id=None, display_name=None, oauth2_permissions=None, object_id=None, tags=None)

Get an existing ServicePrincipal resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • app_role_assignment_required (pulumi.Input[bool]) – Does this Service Principal require an AppRoleAssignment to a user or group before Azure AD will issue a user or access token to the application? Defaults to false.

  • application_id (pulumi.Input[str]) – The ID of the Azure AD Application for which to create a Service Principal.

  • display_name (pulumi.Input[str]) – The Display Name of the Azure Active Directory Application associated with this Service Principal.

  • oauth2_permissions (pulumi.Input[list]) – A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by an oauth2_permission block as documented below.

  • object_id (pulumi.Input[str]) – The Service Principal’s Object ID.

  • tags (pulumi.Input[list]) – A list of tags to apply to the Service Principal.

The oauth2_permissions object supports the following:

  • adminConsentDescription (pulumi.Input[str]) - The description of the admin consent.

  • adminConsentDisplayName (pulumi.Input[str]) - The display name of the admin consent.

  • id (pulumi.Input[str]) - The unique identifier of this OAuth2Permission.

  • isEnabled (pulumi.Input[bool]) - Is this permission enabled?

  • type (pulumi.Input[str]) - The type of the permission.

  • userConsentDescription (pulumi.Input[str]) - The description of the user consent.

  • userConsentDisplayName (pulumi.Input[str]) - The display name of the user consent.

  • value (pulumi.Input[str]) - The name of this permission.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.ServicePrincipalPassword(resource_name, opts=None, end_date=None, end_date_relative=None, key_id=None, service_principal_id=None, start_date=None, value=None, __props__=None, __name__=None, __opts__=None)

Manages a Password associated with a Service Principal within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • end_date (pulumi.Input[str]) – The End Date until which the Password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

  • end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

  • key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Key. If not specified a GUID will be created. Changing this field forces a new resource to be created.

  • service_principal_id (pulumi.Input[str]) – The ID of the Service Principal for which this password should be created. Changing this field forces a new resource to be created.

  • start_date (pulumi.Input[str]) – The Start Date from which the Password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

  • value (pulumi.Input[str]) – The Password for this Service Principal.

end_date = None

The End Date until which the Password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

end_date_relative = None

A relative duration for which the Password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

key_id = None

A GUID used to uniquely identify this Key. If not specified a GUID will be created. Changing this field forces a new resource to be created.

service_principal_id = None

The ID of the Service Principal for which this password should be created. Changing this field forces a new resource to be created.

start_date = None

The Start Date from which the Password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

value = None

The Password for this Service Principal.
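As an added example, not part of the provider's documentation or code: a preflight check that resolves the start_date / end_date / end_date_relative rules above into a concrete validity window, parses the Go-style duration syntax the page shows (240h, 2400h30m), and rejects a password that would outlive a maximum lifetime. max_lifetime_hours is an assumed organisational policy limit, not a provider parameter.

```python
import re
from datetime import datetime, timedelta, timezone

# Go-style duration syntax as accepted by end_date_relative (e.g. "240h", "2400h30m").
_DURATION_SHAPE = re.compile(r"(?:\d+(?:\.\d+)?[hms])+")
_DURATION_PARTS = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_relative_duration(text):
    """Convert an end_date_relative string into a timedelta; reject malformed or zero values."""
    if not text or not _DURATION_SHAPE.fullmatch(text):
        raise ValueError("malformed end_date_relative: %r" % (text,))
    seconds = sum(float(n) * _UNIT_SECONDS[u] for n, u in _DURATION_PARTS.findall(text))
    if seconds <= 0:
        raise ValueError("end_date_relative must be a positive duration")
    return timedelta(seconds=seconds)


def parse_rfc3339(text):
    """Parse the RFC3339 form shown on this page (e.g. 2018-01-01T01:02:03Z) into a UTC datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("start_date/end_date must carry a timezone offset")
    return parsed.astimezone(timezone.utc)


def effective_validity(end_date=None, end_date_relative=None, start_date=None, now=None):
    """Return (start, end) as the provider would apply them.

    Mirrors the documented rules: start_date defaults to the current time, and
    exactly one of end_date / end_date_relative must be given.
    """
    if (end_date is None) == (end_date_relative is None):
        raise ValueError("specify exactly one of end_date or end_date_relative")
    start = parse_rfc3339(start_date) if start_date else (now or datetime.now(timezone.utc))
    if end_date is not None:
        end = parse_rfc3339(end_date)
    else:
        end = start + parse_relative_duration(end_date_relative)
    if end <= start:
        raise ValueError("end_date must be later than start_date")
    return start, end


def check_password_lifetime(max_lifetime_hours, **password_args):
    """Policy gate to run before constructing a ServicePrincipalPassword.

    max_lifetime_hours is a hypothetical organisational limit (an assumption,
    not a provider setting). Returns the resolved end date as an RFC3339 string,
    or raises ValueError when the credential would outlive the limit.
    """
    start, end = effective_validity(**password_args)
    lifetime = end - start
    if lifetime > timedelta(hours=max_lifetime_hours):
        raise ValueError("credential lifetime %s exceeds policy maximum of %dh"
                         % (lifetime, max_lifetime_hours))
    return end.strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed sample: a 10-day secret starting at the page's example timestamp.
    print(check_password_lifetime(24 * 90, end_date_relative="240h",
                                  start_date="2018-01-01T01:02:03Z"))
```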

static get(resource_name, id, opts=None, end_date=None, end_date_relative=None, key_id=None, service_principal_id=None, start_date=None, value=None)

Get an existing ServicePrincipalPassword resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • end_date (pulumi.Input[str]) – The End Date until which the Password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). Changing this field forces a new resource to be created.

  • end_date_relative (pulumi.Input[str]) – A relative duration for which the Password is valid, for example 240h (10 days) or 2400h30m. Changing this field forces a new resource to be created.

  • key_id (pulumi.Input[str]) – A GUID used to uniquely identify this Key. If not specified a GUID will be created. Changing this field forces a new resource to be created.

  • service_principal_id (pulumi.Input[str]) – The ID of the Service Principal for which this password should be created. Changing this field forces a new resource to be created.

  • start_date (pulumi.Input[str]) – The Start Date from which the Password is valid, formatted as an RFC3339 date string (e.g. 2018-01-01T01:02:03Z). If this isn’t specified, the current date is used. Changing this field forces a new resource to be created.

  • value (pulumi.Input[str]) – The Password for this Service Principal.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_azuread.User(resource_name, opts=None, account_enabled=None, display_name=None, force_password_change=None, mail_nickname=None, password=None, user_principal_name=None, __props__=None, __name__=None, __opts__=None)

Manages a User within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Directory.ReadWrite.All within the Windows Azure Active Directory API.

Parameters
  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_enabled (pulumi.Input[bool]) – true if the account should be enabled, otherwise false. Defaults to true.

  • mail_nickname (pulumi.Input[str]) – (Optional) The mail alias for the user. Defaults to the user name part of the User Principal Name.

  • display_name (pulumi.Input[str]) – The name to display in the address book for the user.

  • force_password_change (pulumi.Input[bool]) – true if the User is forced to change the password during the next sign-in. Defaults to false.

  • password (pulumi.Input[str]) – The password for the User. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters.

  • user_principal_name (pulumi.Input[str]) – The User Principal Name of the Azure AD User.

account_enabled = None

true if the account should be enabled, otherwise false. Defaults to true.

mail_nickname = None

The mail alias for the user. Defaults to the user name part of the User Principal Name.

display_name = None

The name to display in the address book for the user.

force_password_change = None

true if the User is forced to change the password during the next sign-in. Defaults to false.

mail = None

The primary email address of the Azure AD User.

object_id = None

The Object ID of the Azure AD User.

password = None

The password for the User. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters.

user_principal_name = None

The User Principal Name of the Azure AD User.

static get(resource_name, id, opts=None, account_enabled=None, display_name=None, force_password_change=None, mail=None, mail_nickname=None, object_id=None, password=None, user_principal_name=None)

Get an existing User resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters
  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to look up.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • account_enabled (pulumi.Input[bool]) – true if the account should be enabled, otherwise false. Defaults to true.

  • mail_nickname (pulumi.Input[str]) – (Optional) The mail alias for the user. Defaults to the user name part of the User Principal Name.

  • display_name (pulumi.Input[str]) – The name to display in the address book for the user.

  • force_password_change (pulumi.Input[bool]) – true if the User is forced to change the password during the next sign-in. Defaults to false.

  • mail (pulumi.Input[str]) – The primary email address of the Azure AD User.

  • object_id (pulumi.Input[str]) – The Object ID of the Azure AD User.

  • password (pulumi.Input[str]) – The password for the User. The password must satisfy minimum requirements as specified by the password policy. The maximum length is 256 characters.

  • user_principal_name (pulumi.Input[str]) – The User Principal Name of the Azure AD User.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_azuread.get_application(app_roles=None, name=None, oauth2_permissions=None, object_id=None, opts=None)

Use this data source to access information about an existing Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all (or owned by) applications and Sign in and read user profile within the Windows Azure Active Directory API.

Parameters
  • name (str) – Specifies the name of the Application within Azure Active Directory.

  • object_id (str) – Specifies the Object ID of the Application within Azure Active Directory.

The app_roles object supports the following:

  • allowedMemberTypes (list) - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.

  • description (str) - Permission help text that appears in the admin app assignment and consent experiences.

  • display_name (str) - Display name for the permission that appears in the admin consent and app assignment experiences.

  • id (str) - The unique identifier of the app_role.

  • isEnabled (bool) - Determines if the app role is enabled.

  • value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The oauth2_permissions object supports the following:

  • adminConsentDescription (str) - The description of the admin consent.

  • adminConsentDisplayName (str) - The display name of the admin consent.

  • id (str) - The unique identifier of this OAuth2Permission.

  • isEnabled (bool) - Determines if the permission is enabled.

  • type (str) - The type of the permission.

  • userConsentDescription (str) - The description of the user consent.

  • userConsentDisplayName (str) - The display name of the user consent.

  • value (str) - The name of this permission.

pulumi_azuread.get_domains(include_unverified=None, only_default=None, only_initial=None, opts=None)

Use this data source to access information about existing Domains within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Directory.Read.All within the Windows Azure Active Directory API.

Parameters
  • include_unverified (bool) – Set to true if unverified Azure AD Domains should be included. Defaults to false.

  • only_default (bool) – Set to true to only return the default domain.

  • only_initial (bool) – Set to true to only return the initial domain, which is your primary Azure Active Directory tenant domain. Defaults to false.

pulumi_azuread.get_group(name=None, object_id=None, opts=None)

Gets information about an Azure Active Directory group.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

Parameters
  • name (str) – The Name of the AD Group to look up.

  • object_id (str) – Specifies the Object ID of the AD Group within Azure Active Directory.

pulumi_azuread.get_groups(names=None, object_ids=None, opts=None)

Gets Object IDs or Display Names for multiple Azure Active Directory groups.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

Parameters
  • names (list) – The Display Names of the Azure AD Groups.

  • object_ids (list) – The Object IDs of the Azure AD Groups.

pulumi_azuread.get_service_principal(app_roles=None, application_id=None, display_name=None, oauth2_permissions=None, object_id=None, opts=None)

Gets information about an existing Service Principal associated with an Application within Azure Active Directory.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to both Read and write all applications and Sign in and read user profile within the Windows Azure Active Directory API.

Parameters
  • app_roles (list) – A collection of app_role blocks as documented below. For more information see https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

  • application_id (str) – The ID of the Azure AD Application.

  • display_name (str) – The Display Name of the Azure AD Application associated with this Service Principal.

  • oauth2_permissions (list) – A collection of OAuth 2.0 permissions exposed by the associated application. Each permission is covered by an oauth2_permission block as documented below.

  • object_id (str) – The ID of the Azure AD Service Principal.

The app_roles object supports the following:

  • allowedMemberTypes (list) - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.

  • description (str) - Permission help text that appears in the admin app assignment and consent experiences.

  • display_name (str) - Display name for the permission that appears in the admin consent and app assignment experiences.

  • id (str) - The unique identifier of the app_role.

  • isEnabled (bool) - Determines if the app role is enabled.

  • value (str) - Specifies the value of the roles claim that the application should expect in the authentication and access tokens.

The oauth2_permissions object supports the following:

  • adminConsentDescription (str) - The description of the admin consent.

  • adminConsentDisplayName (str) - The display name of the admin consent.

  • id (str) - The unique identifier of this OAuth2Permission.

  • isEnabled (bool) - Determines if the permission is enabled.

  • type (str) - The type of the permission.

  • userConsentDescription (str) - The description of the user consent.

  • userConsentDisplayName (str) - The display name of the user consent.

  • value (str) - The name of this permission.

pulumi_azuread.get_user(object_id=None, user_principal_name=None, opts=None)

Gets information about an Azure Active Directory user.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

Parameters
  • object_id (str) – Specifies the Object ID of the User within Azure Active Directory.

  • user_principal_name (str) – The User Principal Name of the Azure AD User.

pulumi_azuread.get_users(object_ids=None, user_principal_names=None, opts=None)

Gets Object IDs or UPNs for multiple Azure Active Directory users.

NOTE: If you’re authenticating using a Service Principal then it must have permissions to Read directory data within the Windows Azure Active Directory API.

Parameters
  • object_ids (list) – The Object IDs of the Azure AD Users.

  • user_principal_names (list) – The User Principal Names of the Azure AD Users.