Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Application registration the federated credential is attached to.
const example = new azuread.ApplicationRegistration("example", {
    displayName: "example",
});

// Claims an incoming GitHub Actions OIDC token must satisfy before it is
// accepted for this application. Both conditions are joined with `and`:
//   - `sub` must match repo:contoso/contoso-repo:ref:refs/heads/* -- the
//     trailing `*` is a wildcard, so every branch of that repository qualifies.
//   - `job_workflow_ref` must match a .yml workflow under
//     contoso/contoso-prod/.github/workflows at refs/heads/main.
// Keep both patterns as narrow as the deployment allows; a broader pattern
// widens the set of workflow runs that can obtain tokens for the application.
const githubClaimsExpression =
    "claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*' and claims['job_workflow_ref'] matches 'contoso/contoso-prod/.github/workflows/*.yml@refs/heads/main'";

const exampleApplicationFlexibleFederatedIdentityCredential = new azuread.ApplicationFlexibleFederatedIdentityCredential("example", {
    applicationId: example.id,
    claimsMatchingExpression: githubClaimsExpression,
    displayName: "my-repo-deploy",
    description: "Deployments for my-repo",
    // Accepted value of the `aud` claim of incoming tokens.
    audience: "api://AzureADTokenExchange",
    // Must match the issuer claim of the token being exchanged.
    issuer: "https://token.actions.githubusercontent.com",
});
import pulumi
import pulumi_azuread as azuread
# Application registration the federated credential is attached to.
example = azuread.ApplicationRegistration("example", display_name="example")

# Claims an incoming GitHub Actions OIDC token must satisfy before it is
# accepted for this application. Both conditions are joined with `and`:
#   - `sub` must match repo:contoso/contoso-repo:ref:refs/heads/* -- the
#     trailing `*` is a wildcard, so every branch of that repository qualifies.
#   - `job_workflow_ref` must match a .yml workflow under
#     contoso/contoso-prod/.github/workflows at refs/heads/main.
# Keep both patterns as narrow as the deployment allows; a broader pattern
# widens the set of workflow runs that can obtain tokens for the application.
github_claims_expression = "claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*' and claims['job_workflow_ref'] matches 'contoso/contoso-prod/.github/workflows/*.yml@refs/heads/main'"

example_application_flexible_federated_identity_credential = azuread.ApplicationFlexibleFederatedIdentityCredential(
    "example",
    application_id=example.id,
    claims_matching_expression=github_claims_expression,
    display_name="my-repo-deploy",
    description="Deployments for my-repo",
    # Accepted value of the `aud` claim of incoming tokens.
    audience="api://AzureADTokenExchange",
    # Must match the issuer claim of the token being exchanged.
    issuer="https://token.actions.githubusercontent.com",
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares an application registration and attaches a flexible federated
// identity credential to it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Claims an incoming GitHub Actions OIDC token must satisfy before it
		// is accepted for this application. Both conditions are joined with
		// `and`:
		//   - `sub` must match repo:contoso/contoso-repo:ref:refs/heads/* --
		//     the trailing `*` is a wildcard, so every branch of that
		//     repository qualifies.
		//   - `job_workflow_ref` must match a .yml workflow under
		//     contoso/contoso-prod/.github/workflows at refs/heads/main.
		// Keep both patterns as narrow as the deployment allows; a broader
		// pattern widens the set of workflow runs that can obtain tokens for
		// the application.
		const githubClaimsExpression = "claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*' and claims['job_workflow_ref'] matches 'contoso/contoso-prod/.github/workflows/*.yml@refs/heads/main'"

		example, err := azuread.NewApplicationRegistration(ctx, "example", &azuread.ApplicationRegistrationArgs{
			DisplayName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}

		credentialArgs := &azuread.ApplicationFlexibleFederatedIdentityCredentialArgs{
			ApplicationId:            example.ID(),
			ClaimsMatchingExpression: pulumi.String(githubClaimsExpression),
			DisplayName:              pulumi.String("my-repo-deploy"),
			Description:              pulumi.String("Deployments for my-repo"),
			// Accepted value of the `aud` claim of incoming tokens.
			Audience: pulumi.String("api://AzureADTokenExchange"),
			// Must match the issuer claim of the token being exchanged.
			Issuer: pulumi.String("https://token.actions.githubusercontent.com"),
		}
		if _, err := azuread.NewApplicationFlexibleFederatedIdentityCredential(ctx, "example", credentialArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Claims an incoming GitHub Actions OIDC token must satisfy before it is
    // accepted for this application. Both conditions are joined with `and`:
    //   - `sub` must match repo:contoso/contoso-repo:ref:refs/heads/* -- the
    //     trailing `*` is a wildcard, so every branch of that repository
    //     qualifies.
    //   - `job_workflow_ref` must match a .yml workflow under
    //     contoso/contoso-prod/.github/workflows at refs/heads/main.
    // Keep both patterns as narrow as the deployment allows; a broader pattern
    // widens the set of workflow runs that can obtain tokens for the
    // application.
    const string githubClaimsExpression = "claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*' and claims['job_workflow_ref'] matches 'contoso/contoso-prod/.github/workflows/*.yml@refs/heads/main'";

    // Application registration the federated credential is attached to.
    var example = new AzureAD.ApplicationRegistration("example", new()
    {
        DisplayName = "example",
    });

    var exampleApplicationFlexibleFederatedIdentityCredential = new AzureAD.ApplicationFlexibleFederatedIdentityCredential("example", new()
    {
        ApplicationId = example.Id,
        ClaimsMatchingExpression = githubClaimsExpression,
        DisplayName = "my-repo-deploy",
        Description = "Deployments for my-repo",
        // Accepted value of the `aud` claim of incoming tokens.
        Audience = "api://AzureADTokenExchange",
        // Must match the issuer claim of the token being exchanged.
        Issuer = "https://token.actions.githubusercontent.com",
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ApplicationRegistration;
import com.pulumi.azuread.ApplicationRegistrationArgs;
import com.pulumi.azuread.ApplicationFlexibleFederatedIdentityCredential;
import com.pulumi.azuread.ApplicationFlexibleFederatedIdentityCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares an application registration and attaches a flexible federated
     * identity credential to it.
     */
    public static void stack(Context ctx) {
        // Claims an incoming GitHub Actions OIDC token must satisfy before it
        // is accepted for this application. Both conditions are joined with
        // `and`:
        //   - `sub` must match repo:contoso/contoso-repo:ref:refs/heads/* --
        //     the trailing `*` is a wildcard, so every branch of that
        //     repository qualifies.
        //   - `job_workflow_ref` must match a .yml workflow under
        //     contoso/contoso-prod/.github/workflows at refs/heads/main.
        // Keep both patterns as narrow as the deployment allows; a broader
        // pattern widens the set of workflow runs that can obtain tokens for
        // the application.
        final String githubClaimsExpression = "claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*' and claims['job_workflow_ref'] matches 'contoso/contoso-prod/.github/workflows/*.yml@refs/heads/main'";

        var example = new ApplicationRegistration("example", ApplicationRegistrationArgs.builder()
            .displayName("example")
            .build());

        var credentialArgs = ApplicationFlexibleFederatedIdentityCredentialArgs.builder()
            .applicationId(example.id())
            .claimsMatchingExpression(githubClaimsExpression)
            .displayName("my-repo-deploy")
            .description("Deployments for my-repo")
            // Accepted value of the `aud` claim of incoming tokens.
            .audience("api://AzureADTokenExchange")
            // Must match the issuer claim of the token being exchanged.
            .issuer("https://token.actions.githubusercontent.com")
            .build();

        var exampleApplicationFlexibleFederatedIdentityCredential = new ApplicationFlexibleFederatedIdentityCredential("exampleApplicationFlexibleFederatedIdentityCredential", credentialArgs);
    }
}
resources:
  # Application registration the federated credential is attached to.
  example:
    type: azuread:ApplicationRegistration
    properties:
      displayName: example
  exampleApplicationFlexibleFederatedIdentityCredential:
    type: azuread:ApplicationFlexibleFederatedIdentityCredential
    name: example
    properties:
      applicationId: ${example.id}
      # Both conditions are joined with `and`. The `sub` pattern ends in a `*`
      # wildcard, so every branch of contoso/contoso-repo qualifies; the
      # `job_workflow_ref` pattern requires a .yml workflow under
      # contoso/contoso-prod/.github/workflows at refs/heads/main.
      # Keep both patterns as narrow as the deployment allows.
      claimsMatchingExpression: claims['sub'] matches 'repo:contoso/contoso-repo:ref:refs/heads/*' and claims['job_workflow_ref'] matches 'contoso/contoso-prod/.github/workflows/*.yml@refs/heads/main'
      displayName: my-repo-deploy
      description: Deployments for my-repo
      # Accepted value of the `aud` claim of incoming tokens.
      audience: api://AzureADTokenExchange
      # Must match the issuer claim of the token being exchanged.
      issuer: https://token.actions.githubusercontent.com
Create ApplicationFlexibleFederatedIdentityCredential Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ApplicationFlexibleFederatedIdentityCredential(name: string, args: ApplicationFlexibleFederatedIdentityCredentialArgs, opts?: CustomResourceOptions);
@overload
def ApplicationFlexibleFederatedIdentityCredential(resource_name: str,
args: ApplicationFlexibleFederatedIdentityCredentialArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ApplicationFlexibleFederatedIdentityCredential(resource_name: str,
opts: Optional[ResourceOptions] = None,
application_id: Optional[str] = None,
audience: Optional[str] = None,
claims_matching_expression: Optional[str] = None,
display_name: Optional[str] = None,
issuer: Optional[str] = None,
description: Optional[str] = None)
func NewApplicationFlexibleFederatedIdentityCredential(ctx *Context, name string, args ApplicationFlexibleFederatedIdentityCredentialArgs, opts ...ResourceOption) (*ApplicationFlexibleFederatedIdentityCredential, error)
public ApplicationFlexibleFederatedIdentityCredential(string name, ApplicationFlexibleFederatedIdentityCredentialArgs args, CustomResourceOptions? opts = null)
public ApplicationFlexibleFederatedIdentityCredential(String name, ApplicationFlexibleFederatedIdentityCredentialArgs args)
public ApplicationFlexibleFederatedIdentityCredential(String name, ApplicationFlexibleFederatedIdentityCredentialArgs args, CustomResourceOptions options)
type: azuread:ApplicationFlexibleFederatedIdentityCredential
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ApplicationFlexibleFederatedIdentityCredentialArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ApplicationFlexibleFederatedIdentityCredentialArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ApplicationFlexibleFederatedIdentityCredentialArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ApplicationFlexibleFederatedIdentityCredentialArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ApplicationFlexibleFederatedIdentityCredentialArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference template: replace every "string" placeholder with a real value.
// Issuer, Audience and ClaimsMatchingExpression together decide which
// external tokens are accepted for the application.
var applicationFlexibleFederatedIdentityCredentialResource = new AzureAD.ApplicationFlexibleFederatedIdentityCredential("applicationFlexibleFederatedIdentityCredentialResource", new()
{
    ApplicationId = "string",
    Audience = "string",
    ClaimsMatchingExpression = "string",
    DisplayName = "string",
    Issuer = "string",
    Description = "string",
});
// Reference template: replace every "string" placeholder with a real value.
// Issuer, Audience and ClaimsMatchingExpression together decide which
// external tokens are accepted for the application.
example, err := azuread.NewApplicationFlexibleFederatedIdentityCredential(ctx, "applicationFlexibleFederatedIdentityCredentialResource", &azuread.ApplicationFlexibleFederatedIdentityCredentialArgs{
	ApplicationId: pulumi.String("string"),
	Audience: pulumi.String("string"),
	ClaimsMatchingExpression: pulumi.String("string"),
	DisplayName: pulumi.String("string"),
	Issuer: pulumi.String("string"),
	Description: pulumi.String("string"),
})
// Reference template: replace every "string" placeholder with a real value.
// issuer, audience and claimsMatchingExpression together decide which
// external tokens are accepted for the application.
var applicationFlexibleFederatedIdentityCredentialResource = new ApplicationFlexibleFederatedIdentityCredential("applicationFlexibleFederatedIdentityCredentialResource", ApplicationFlexibleFederatedIdentityCredentialArgs.builder()
    .applicationId("string")
    .audience("string")
    .claimsMatchingExpression("string")
    .displayName("string")
    .issuer("string")
    .description("string")
    .build());
# Reference template: replace every "string" placeholder with a real value.
# issuer, audience and claims_matching_expression together decide which
# external tokens are accepted for the application.
application_flexible_federated_identity_credential_resource = azuread.ApplicationFlexibleFederatedIdentityCredential("applicationFlexibleFederatedIdentityCredentialResource",
    application_id="string",
    audience="string",
    claims_matching_expression="string",
    display_name="string",
    issuer="string",
    description="string")
// Reference template: replace every "string" placeholder with a real value.
// issuer, audience and claimsMatchingExpression together decide which
// external tokens are accepted for the application.
const applicationFlexibleFederatedIdentityCredentialResource = new azuread.ApplicationFlexibleFederatedIdentityCredential("applicationFlexibleFederatedIdentityCredentialResource", {
    applicationId: "string",
    audience: "string",
    claimsMatchingExpression: "string",
    displayName: "string",
    issuer: "string",
    description: "string",
});
# Reference template: replace every `string` placeholder with a real value.
# issuer, audience and claimsMatchingExpression together decide which
# external tokens are accepted for the application.
type: azuread:ApplicationFlexibleFederatedIdentityCredential
properties:
  applicationId: string
  audience: string
  claimsMatchingExpression: string
  description: string
  displayName: string
  issuer: string
ApplicationFlexibleFederatedIdentityCredential Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ApplicationFlexibleFederatedIdentityCredential resource accepts the following input properties:
- ApplicationId string
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- Audience string
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- ClaimsMatchingExpression string
- The expression to match for claims. See the Preview Documentation for more information.
- DisplayName string
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- Issuer string
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- Description string
- A description for the federated identity credential.
- ApplicationId string
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- Audience string
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- ClaimsMatchingExpression string
- The expression to match for claims. See the Preview Documentation for more information.
- DisplayName string
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- Issuer string
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- Description string
- A description for the federated identity credential.
- applicationId String
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience String
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claimsMatchingExpression String
- The expression to match for claims. See the Preview Documentation for more information.
- displayName String
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer String
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- description String
- A description for the federated identity credential.
- applicationId string
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience string
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claimsMatchingExpression string
- The expression to match for claims. See the Preview Documentation for more information.
- displayName string
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer string
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- description string
- A description for the federated identity credential.
- application_id str
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience str
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claims_matching_expression str
- The expression to match for claims. See the Preview Documentation for more information.
- display_name str
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer str
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- description str
- A description for the federated identity credential.
- applicationId String
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience String
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claimsMatchingExpression String
- The expression to match for claims. See the Preview Documentation for more information.
- displayName String
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer String
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- description String
- A description for the federated identity credential.
Outputs
All input properties are implicitly available as output properties. Additionally, the ApplicationFlexibleFederatedIdentityCredential resource produces the following output properties:
- CredentialId string
- A UUID used to uniquely identify this federated identity credential.
- Id string
- The provider-assigned unique ID for this managed resource.
- CredentialId string
- A UUID used to uniquely identify this federated identity credential.
- Id string
- The provider-assigned unique ID for this managed resource.
- credentialId String
- A UUID used to uniquely identify this federated identity credential.
- id String
- The provider-assigned unique ID for this managed resource.
- credentialId string
- A UUID used to uniquely identify this federated identity credential.
- id string
- The provider-assigned unique ID for this managed resource.
- credential_id str
- A UUID used to uniquely identify this federated identity credential.
- id str
- The provider-assigned unique ID for this managed resource.
- credentialId String
- A UUID used to uniquely identify this federated identity credential.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ApplicationFlexibleFederatedIdentityCredential Resource
Get an existing ApplicationFlexibleFederatedIdentityCredential resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ApplicationFlexibleFederatedIdentityCredentialState, opts?: CustomResourceOptions): ApplicationFlexibleFederatedIdentityCredential
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
application_id: Optional[str] = None,
audience: Optional[str] = None,
claims_matching_expression: Optional[str] = None,
credential_id: Optional[str] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
issuer: Optional[str] = None) -> ApplicationFlexibleFederatedIdentityCredential
func GetApplicationFlexibleFederatedIdentityCredential(ctx *Context, name string, id IDInput, state *ApplicationFlexibleFederatedIdentityCredentialState, opts ...ResourceOption) (*ApplicationFlexibleFederatedIdentityCredential, error)
public static ApplicationFlexibleFederatedIdentityCredential Get(string name, Input<string> id, ApplicationFlexibleFederatedIdentityCredentialState? state, CustomResourceOptions? opts = null)
public static ApplicationFlexibleFederatedIdentityCredential get(String name, Output<String> id, ApplicationFlexibleFederatedIdentityCredentialState state, CustomResourceOptions options)
resources:
  _:
    type: azuread:ApplicationFlexibleFederatedIdentityCredential
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- ApplicationId string
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- Audience string
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- ClaimsMatchingExpression string
- The expression to match for claims. See the Preview Documentation for more information.
- CredentialId string
- A UUID used to uniquely identify this federated identity credential.
- Description string
- A description for the federated identity credential.
- DisplayName string
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- Issuer string
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- ApplicationId string
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- Audience string
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- ClaimsMatchingExpression string
- The expression to match for claims. See the Preview Documentation for more information.
- CredentialId string
- A UUID used to uniquely identify this federated identity credential.
- Description string
- A description for the federated identity credential.
- DisplayName string
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- Issuer string
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- applicationId String
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience String
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claimsMatchingExpression String
- The expression to match for claims. See the Preview Documentation for more information.
- credentialId String
- A UUID used to uniquely identify this federated identity credential.
- description String
- A description for the federated identity credential.
- displayName String
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer String
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- applicationId string
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience string
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claimsMatchingExpression string
- The expression to match for claims. See the Preview Documentation for more information.
- credentialId string
- A UUID used to uniquely identify this federated identity credential.
- description string
- A description for the federated identity credential.
- displayName string
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer string
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- application_id str
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience str
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claims_matching_expression str
- The expression to match for claims. See the Preview Documentation for more information.
- credential_id str
- A UUID used to uniquely identify this federated identity credential.
- description str
- A description for the federated identity credential.
- display_name str
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer str
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
- applicationId String
- The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
- audience String
- The audience that can appear in the external token. This specifies what should be accepted in the `aud` claim of incoming tokens.
- claimsMatchingExpression String
- The expression to match for claims. See the Preview Documentation for more information.
- credentialId String
- A UUID used to uniquely identify this federated identity credential.
- description String
- A description for the federated identity credential.
- displayName String
- A unique display name for the federated identity credential. Changing this forces a new resource to be created.
- issuer String
- The URL of the external identity provider, which must match the issuer claim of the external token being exchanged.
Import
Flexible Federated Identity Credentials can be imported using the object ID of the associated application and the ID of the flexible federated identity credential, e.g.
$ pulumi import azuread:index/applicationFlexibleFederatedIdentityCredential:ApplicationFlexibleFederatedIdentityCredential example 00000000-0000-0000-0000-000000000000/federatedIdentityCredential/11111111-1111-1111-1111-111111111111
Note: This ID format is unique to Terraform and is composed of the application’s object ID, the string “federatedIdentityCredential” and the credential ID, in the format {ObjectId}/federatedIdentityCredential/{CredentialId}.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `azuread` Terraform Provider.
