azuread logo
Azure Active Directory (Azure AD) v5.36.0, Mar 7 23

azuread.AppRoleAssignment

Manages an app role assignment for a group, user or service principal. Can be used to grant admin consent for application permissions.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: AppRoleAssignment.ReadWrite.All and Application.Read.All, or AppRoleAssignment.ReadWrite.All and Directory.Read.All, or Application.ReadWrite.All, or Directory.ReadWrite.All

When authenticated with a user principal, this resource requires one of the following directory roles: Application Administrator or Global Administrator

Example Usage

App role assignment for accessing Microsoft Graph

using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();

    var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
    {
        ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
        UseExisting = true,
    });

    var exampleApplication = new AzureAD.Application("exampleApplication", new()
    {
        DisplayName = "example",
        RequiredResourceAccesses = new[]
        {
            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
            {
                ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
                ResourceAccesses = new[]
                {
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = msgraph.AppRoleIds.Apply(appRoleIds => appRoleIds.User_Read_All),
                        Type = "Role",
                    },
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_ReadWrite),
                        Type = "Scope",
                    },
                },
            },
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
    {
        ApplicationId = exampleApplication.ApplicationId,
    });

    var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
    {
        AppRoleId = msgraph.AppRoleIds.Apply(appRoleIds => appRoleIds.User_Read_All),
        PrincipalObjectId = exampleServicePrincipal.ObjectId,
        ResourceObjectId = msgraph.ObjectId,
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)
		if err != nil {
			return err
		}
		msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
			ApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),
			UseExisting:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
				&azuread.ApplicationRequiredResourceAccessArgs{
					ResourceAppId: *pulumi.String(wellKnown.Result.MicrosoftGraph),
					ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: msgraph.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
								return appRoleIds.User.Read.All, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Role"),
						},
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
								return oauth2PermissionScopeIds.User.ReadWrite, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Scope"),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId: exampleApplication.ApplicationId,
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
			AppRoleId: msgraph.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
				return appRoleIds.User.Read.All, nil
			}).(pulumi.StringOutput),
			PrincipalObjectId: exampleServicePrincipal.ObjectId,
			ResourceObjectId:  msgraph.ObjectId,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();

        var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()        
            .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
            .useExisting(true)
            .build());

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()        
            .displayName("example")
            .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
                .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
                .resourceAccesses(                
                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                        .id(msgraph.appRoleIds().applyValue(appRoleIds -> appRoleIds.User.Read.All()))
                        .type("Role")
                        .build(),
                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.ReadWrite()))
                        .type("Scope")
                        .build())
                .build())
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(exampleApplication.applicationId())
            .build());

        var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()        
            .appRoleId(msgraph.appRoleIds().applyValue(appRoleIds -> appRoleIds.User.Read.All()))
            .principalObjectId(exampleServicePrincipal.objectId())
            .resourceObjectId(msgraph.objectId())
            .build());

    }
}

Coming soon!

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
    applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
    useExisting: true,
});
const exampleApplication = new azuread.Application("exampleApplication", {
    displayName: "example",
    requiredResourceAccesses: [{
        resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
        resourceAccesses: [
            {
                id: msgraph.appRoleIds["User.Read.All"],
                type: "Role",
            },
            {
                id: msgraph.oauth2PermissionScopeIds["User.ReadWrite"],
                type: "Scope",
            },
        ],
    }],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {applicationId: exampleApplication.applicationId});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
    appRoleId: msgraph.appRoleIds["User.Read.All"],
    principalObjectId: exampleServicePrincipal.objectId,
    resourceObjectId: msgraph.objectId,
});
resources:
  msgraph:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${wellKnown.result.MicrosoftGraph}
      useExisting: true
  exampleApplication:
    type: azuread:Application
    properties:
      displayName: example
      requiredResourceAccesses:
        - resourceAppId: ${wellKnown.result.MicrosoftGraph}
          resourceAccesses:
            - id: ${msgraph.appRoleIds"User.Read.All"[%!s(MISSING)]}
              type: Role
            - id: ${msgraph.oauth2PermissionScopeIds"User.ReadWrite"[%!s(MISSING)]}
              type: Scope
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${exampleApplication.applicationId}
  exampleAppRoleAssignment:
    type: azuread:AppRoleAssignment
    properties:
      appRoleId: ${msgraph.appRoleIds"User.Read.All"[%!s(MISSING)]}
      principalObjectId: ${exampleServicePrincipal.objectId}
      resourceObjectId: ${msgraph.objectId}
variables:
  wellKnown:
    fn::invoke:
      Function: azuread:getApplicationPublishedAppIds
      Arguments: {}

App role assignment for internal application

using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var internalApplication = new AzureAD.Application("internalApplication", new()
    {
        DisplayName = "internal",
        AppRoles = new[]
        {
            new AzureAD.Inputs.ApplicationAppRoleArgs
            {
                AllowedMemberTypes = new[]
                {
                    "Application",
                },
                Description = "Apps can query the database",
                DisplayName = "Query",
                Enabled = true,
                Id = "00000000-0000-0000-0000-111111111111",
                Value = "Query.All",
            },
        },
    });

    var internalServicePrincipal = new AzureAD.ServicePrincipal("internalServicePrincipal", new()
    {
        ApplicationId = internalApplication.ApplicationId,
    });

    var exampleApplication = new AzureAD.Application("exampleApplication", new()
    {
        DisplayName = "example",
        RequiredResourceAccesses = new[]
        {
            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
            {
                ResourceAppId = internalApplication.ApplicationId,
                ResourceAccesses = new[]
                {
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Query_All),
                        Type = "Role",
                    },
                },
            },
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
    {
        ApplicationId = exampleApplication.ApplicationId,
    });

    var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
    {
        AppRoleId = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Query_All),
        PrincipalObjectId = exampleServicePrincipal.ObjectId,
        ResourceObjectId = internalServicePrincipal.ObjectId,
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		internalApplication, err := azuread.NewApplication(ctx, "internalApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("internal"),
			AppRoles: azuread.ApplicationAppRoleArray{
				&azuread.ApplicationAppRoleArgs{
					AllowedMemberTypes: pulumi.StringArray{
						pulumi.String("Application"),
					},
					Description: pulumi.String("Apps can query the database"),
					DisplayName: pulumi.String("Query"),
					Enabled:     pulumi.Bool(true),
					Id:          pulumi.String("00000000-0000-0000-0000-111111111111"),
					Value:       pulumi.String("Query.All"),
				},
			},
		})
		if err != nil {
			return err
		}
		internalServicePrincipal, err := azuread.NewServicePrincipal(ctx, "internalServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId: internalApplication.ApplicationId,
		})
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
				&azuread.ApplicationRequiredResourceAccessArgs{
					ResourceAppId: internalApplication.ApplicationId,
					ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
								return appRoleIds.Query.All, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Role"),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId: exampleApplication.ApplicationId,
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
			AppRoleId: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
				return appRoleIds.Query.All, nil
			}).(pulumi.StringOutput),
			PrincipalObjectId: exampleServicePrincipal.ObjectId,
			ResourceObjectId:  internalServicePrincipal.ObjectId,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationAppRoleArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var internalApplication = new Application("internalApplication", ApplicationArgs.builder()        
            .displayName("internal")
            .appRoles(ApplicationAppRoleArgs.builder()
                .allowedMemberTypes("Application")
                .description("Apps can query the database")
                .displayName("Query")
                .enabled(true)
                .id("00000000-0000-0000-0000-111111111111")
                .value("Query.All")
                .build())
            .build());

        var internalServicePrincipal = new ServicePrincipal("internalServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(internalApplication.applicationId())
            .build());

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()        
            .displayName("example")
            .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
                .resourceAppId(internalApplication.applicationId())
                .resourceAccesses(ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                    .id(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Query.All()))
                    .type("Role")
                    .build())
                .build())
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(exampleApplication.applicationId())
            .build());

        var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()        
            .appRoleId(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Query.All()))
            .principalObjectId(exampleServicePrincipal.objectId())
            .resourceObjectId(internalServicePrincipal.objectId())
            .build());

    }
}

Coming soon!

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const internalApplication = new azuread.Application("internalApplication", {
    displayName: "internal",
    appRoles: [{
        allowedMemberTypes: ["Application"],
        description: "Apps can query the database",
        displayName: "Query",
        enabled: true,
        id: "00000000-0000-0000-0000-111111111111",
        value: "Query.All",
    }],
});
const internalServicePrincipal = new azuread.ServicePrincipal("internalServicePrincipal", {applicationId: internalApplication.applicationId});
const exampleApplication = new azuread.Application("exampleApplication", {
    displayName: "example",
    requiredResourceAccesses: [{
        resourceAppId: internalApplication.applicationId,
        resourceAccesses: [{
            id: internalServicePrincipal.appRoleIds["Query.All"],
            type: "Role",
        }],
    }],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {applicationId: exampleApplication.applicationId});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
    appRoleId: internalServicePrincipal.appRoleIds["Query.All"],
    principalObjectId: exampleServicePrincipal.objectId,
    resourceObjectId: internalServicePrincipal.objectId,
});
resources:
  internalApplication:
    type: azuread:Application
    properties:
      displayName: internal
      appRoles:
        - allowedMemberTypes:
            - Application
          description: Apps can query the database
          displayName: Query
          enabled: true
          id: 00000000-0000-0000-0000-111111111111
          value: Query.All
  internalServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${internalApplication.applicationId}
  exampleApplication:
    type: azuread:Application
    properties:
      displayName: example
      requiredResourceAccesses:
        - resourceAppId: ${internalApplication.applicationId}
          resourceAccesses:
            - id: ${internalServicePrincipal.appRoleIds"Query.All"[%!s(MISSING)]}
              type: Role
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${exampleApplication.applicationId}
  exampleAppRoleAssignment:
    type: azuread:AppRoleAssignment
    properties:
      appRoleId: ${internalServicePrincipal.appRoleIds"Query.All"[%!s(MISSING)]}
      principalObjectId: ${exampleServicePrincipal.objectId}
      resourceObjectId: ${internalServicePrincipal.objectId}

Assign a user and group to an internal application

using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var exampleDomains = AzureAD.GetDomains.Invoke(new()
    {
        OnlyInitial = true,
    });

    var internalApplication = new AzureAD.Application("internalApplication", new()
    {
        DisplayName = "internal",
        AppRoles = new[]
        {
            new AzureAD.Inputs.ApplicationAppRoleArgs
            {
                AllowedMemberTypes = new[]
                {
                    "Application",
                    "User",
                },
                Description = "Admins can perform all task actions",
                DisplayName = "Admin",
                Enabled = true,
                Id = "00000000-0000-0000-0000-222222222222",
                Value = "Admin.All",
            },
        },
    });

    var internalServicePrincipal = new AzureAD.ServicePrincipal("internalServicePrincipal", new()
    {
        ApplicationId = internalApplication.ApplicationId,
    });

    var exampleGroup = new AzureAD.Group("exampleGroup", new()
    {
        DisplayName = "example",
        SecurityEnabled = true,
    });

    var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
    {
        AppRoleId = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Admin_All),
        PrincipalObjectId = exampleGroup.ObjectId,
        ResourceObjectId = internalServicePrincipal.ObjectId,
    });

    var exampleUser = new AzureAD.User("exampleUser", new()
    {
        DisplayName = "D. Duck",
        Password = "SecretP@sswd99!",
        UserPrincipalName = $"d.duck@{exampleDomains.Apply(getDomainsResult => getDomainsResult.Domains[0]?.DomainName)}",
    });

    var exampleIndex_appRoleAssignmentAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleIndex/appRoleAssignmentAppRoleAssignment", new()
    {
        AppRoleId = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Admin_All),
        PrincipalObjectId = exampleUser.ObjectId,
        ResourceObjectId = internalServicePrincipal.ObjectId,
    });

});
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleDomains, err := azuread.GetDomains(ctx, &azuread.GetDomainsArgs{
			OnlyInitial: pulumi.BoolRef(true),
		}, nil)
		if err != nil {
			return err
		}
		internalApplication, err := azuread.NewApplication(ctx, "internalApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("internal"),
			AppRoles: azuread.ApplicationAppRoleArray{
				&azuread.ApplicationAppRoleArgs{
					AllowedMemberTypes: pulumi.StringArray{
						pulumi.String("Application"),
						pulumi.String("User"),
					},
					Description: pulumi.String("Admins can perform all task actions"),
					DisplayName: pulumi.String("Admin"),
					Enabled:     pulumi.Bool(true),
					Id:          pulumi.String("00000000-0000-0000-0000-222222222222"),
					Value:       pulumi.String("Admin.All"),
				},
			},
		})
		if err != nil {
			return err
		}
		internalServicePrincipal, err := azuread.NewServicePrincipal(ctx, "internalServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId: internalApplication.ApplicationId,
		})
		if err != nil {
			return err
		}
		exampleGroup, err := azuread.NewGroup(ctx, "exampleGroup", &azuread.GroupArgs{
			DisplayName:     pulumi.String("example"),
			SecurityEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
			AppRoleId: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
				return appRoleIds.Admin.All, nil
			}).(pulumi.StringOutput),
			PrincipalObjectId: exampleGroup.ObjectId,
			ResourceObjectId:  internalServicePrincipal.ObjectId,
		})
		if err != nil {
			return err
		}
		exampleUser, err := azuread.NewUser(ctx, "exampleUser", &azuread.UserArgs{
			DisplayName:       pulumi.String("D. Duck"),
			Password:          pulumi.String("SecretP@sswd99!"),
			UserPrincipalName: pulumi.String(fmt.Sprintf("d.duck@%v", exampleDomains.Domains[0].DomainName)),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewAppRoleAssignment(ctx, "exampleIndex/appRoleAssignmentAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
			AppRoleId: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
				return appRoleIds.Admin.All, nil
			}).(pulumi.StringOutput),
			PrincipalObjectId: exampleUser.ObjectId,
			ResourceObjectId:  internalServicePrincipal.ObjectId,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetDomainsArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationAppRoleArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import com.pulumi.azuread.User;
import com.pulumi.azuread.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var exampleDomains = AzureadFunctions.getDomains(GetDomainsArgs.builder()
            .onlyInitial(true)
            .build());

        var internalApplication = new Application("internalApplication", ApplicationArgs.builder()        
            .displayName("internal")
            .appRoles(ApplicationAppRoleArgs.builder()
                .allowedMemberTypes(                
                    "Application",
                    "User")
                .description("Admins can perform all task actions")
                .displayName("Admin")
                .enabled(true)
                .id("00000000-0000-0000-0000-222222222222")
                .value("Admin.All")
                .build())
            .build());

        var internalServicePrincipal = new ServicePrincipal("internalServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(internalApplication.applicationId())
            .build());

        var exampleGroup = new Group("exampleGroup", GroupArgs.builder()        
            .displayName("example")
            .securityEnabled(true)
            .build());

        var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()        
            .appRoleId(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Admin.All()))
            .principalObjectId(exampleGroup.objectId())
            .resourceObjectId(internalServicePrincipal.objectId())
            .build());

        var exampleUser = new User("exampleUser", UserArgs.builder()        
            .displayName("D. Duck")
            .password("SecretP@sswd99!")
            .userPrincipalName(String.format("d.duck@%s", exampleDomains.applyValue(getDomainsResult -> getDomainsResult.domains()[0].domainName())))
            .build());

        var exampleIndex_appRoleAssignmentAppRoleAssignment = new AppRoleAssignment("exampleIndex/appRoleAssignmentAppRoleAssignment", AppRoleAssignmentArgs.builder()        
            .appRoleId(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Admin.All()))
            .principalObjectId(exampleUser.objectId())
            .resourceObjectId(internalServicePrincipal.objectId())
            .build());

    }
}

Coming soon!

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const exampleDomains = azuread.getDomains({
    onlyInitial: true,
});
const internalApplication = new azuread.Application("internalApplication", {
    displayName: "internal",
    appRoles: [{
        allowedMemberTypes: [
            "Application",
            "User",
        ],
        description: "Admins can perform all task actions",
        displayName: "Admin",
        enabled: true,
        id: "00000000-0000-0000-0000-222222222222",
        value: "Admin.All",
    }],
});
const internalServicePrincipal = new azuread.ServicePrincipal("internalServicePrincipal", {applicationId: internalApplication.applicationId});
const exampleGroup = new azuread.Group("exampleGroup", {
    displayName: "example",
    securityEnabled: true,
});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
    appRoleId: internalServicePrincipal.appRoleIds["Admin.All"],
    principalObjectId: exampleGroup.objectId,
    resourceObjectId: internalServicePrincipal.objectId,
});
const exampleUser = new azuread.User("exampleUser", {
    displayName: "D. Duck",
    password: "SecretP@sswd99!",
    userPrincipalName: exampleDomains.then(exampleDomains => `d.duck@${exampleDomains.domains?.[0]?.domainName}`),
});
const exampleIndex_appRoleAssignmentAppRoleAssignment = new azuread.AppRoleAssignment("exampleIndex/appRoleAssignmentAppRoleAssignment", {
    appRoleId: internalServicePrincipal.appRoleIds["Admin.All"],
    principalObjectId: exampleUser.objectId,
    resourceObjectId: internalServicePrincipal.objectId,
});
resources:
  internalApplication:
    type: azuread:Application
    properties:
      displayName: internal
      appRoles:
        - allowedMemberTypes:
            - Application
            - User
          description: Admins can perform all task actions
          displayName: Admin
          enabled: true
          id: 00000000-0000-0000-0000-222222222222
          value: Admin.All
  internalServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${internalApplication.applicationId}
  exampleGroup:
    type: azuread:Group
    properties:
      displayName: example
      securityEnabled: true
  exampleAppRoleAssignment:
    type: azuread:AppRoleAssignment
    properties:
      appRoleId: ${internalServicePrincipal.appRoleIds"Admin.All"[%!s(MISSING)]}
      principalObjectId: ${exampleGroup.objectId}
      resourceObjectId: ${internalServicePrincipal.objectId}
  exampleUser:
    type: azuread:User
    properties:
      displayName: D. Duck
      password: SecretP@sswd99!
      userPrincipalName: d.duck@${exampleDomains.domains[0].domainName}
  exampleIndex/appRoleAssignmentAppRoleAssignment:
    type: azuread:AppRoleAssignment
    properties:
      appRoleId: ${internalServicePrincipal.appRoleIds"Admin.All"[%!s(MISSING)]}
      principalObjectId: ${exampleUser.objectId}
      resourceObjectId: ${internalServicePrincipal.objectId}
variables:
  exampleDomains:
    fn::invoke:
      Function: azuread:getDomains
      Arguments:
        onlyInitial: true

Assign a group to the default app role for an internal application

using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var internalApplication = new AzureAD.Application("internalApplication", new()
    {
        DisplayName = "internal",
    });

    var internalServicePrincipal = new AzureAD.ServicePrincipal("internalServicePrincipal", new()
    {
        ApplicationId = internalApplication.ApplicationId,
    });

    var exampleGroup = new AzureAD.Group("exampleGroup", new()
    {
        DisplayName = "example",
        SecurityEnabled = true,
    });

    var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
    {
        AppRoleId = "00000000-0000-0000-0000-000000000000",
        PrincipalObjectId = exampleGroup.ObjectId,
        ResourceObjectId = internalServicePrincipal.ObjectId,
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		internalApplication, err := azuread.NewApplication(ctx, "internalApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("internal"),
		})
		if err != nil {
			return err
		}
		internalServicePrincipal, err := azuread.NewServicePrincipal(ctx, "internalServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId: internalApplication.ApplicationId,
		})
		if err != nil {
			return err
		}
		exampleGroup, err := azuread.NewGroup(ctx, "exampleGroup", &azuread.GroupArgs{
			DisplayName:     pulumi.String("example"),
			SecurityEnabled: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
			AppRoleId:         pulumi.String("00000000-0000-0000-0000-000000000000"),
			PrincipalObjectId: exampleGroup.ObjectId,
			ResourceObjectId:  internalServicePrincipal.ObjectId,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var internalApplication = new Application("internalApplication", ApplicationArgs.builder()        
            .displayName("internal")
            .build());

        var internalServicePrincipal = new ServicePrincipal("internalServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(internalApplication.applicationId())
            .build());

        var exampleGroup = new Group("exampleGroup", GroupArgs.builder()        
            .displayName("example")
            .securityEnabled(true)
            .build());

        var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()        
            .appRoleId("00000000-0000-0000-0000-000000000000")
            .principalObjectId(exampleGroup.objectId())
            .resourceObjectId(internalServicePrincipal.objectId())
            .build());

    }
}
import pulumi
import pulumi_azuread as azuread

internal_application = azuread.Application("internalApplication", display_name="internal")
internal_service_principal = azuread.ServicePrincipal("internalServicePrincipal", application_id=internal_application.application_id)
example_group = azuread.Group("exampleGroup",
    display_name="example",
    security_enabled=True)
example_app_role_assignment = azuread.AppRoleAssignment("exampleAppRoleAssignment",
    app_role_id="00000000-0000-0000-0000-000000000000",
    principal_object_id=example_group.object_id,
    resource_object_id=internal_service_principal.object_id)
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const internalApplication = new azuread.Application("internalApplication", {displayName: "internal"});
const internalServicePrincipal = new azuread.ServicePrincipal("internalServicePrincipal", {applicationId: internalApplication.applicationId});
const exampleGroup = new azuread.Group("exampleGroup", {
    displayName: "example",
    securityEnabled: true,
});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
    appRoleId: "00000000-0000-0000-0000-000000000000",
    principalObjectId: exampleGroup.objectId,
    resourceObjectId: internalServicePrincipal.objectId,
});
resources:
  internalApplication:
    type: azuread:Application
    properties:
      displayName: internal
  internalServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${internalApplication.applicationId}
  exampleGroup:
    type: azuread:Group
    properties:
      displayName: example
      securityEnabled: true
  exampleAppRoleAssignment:
    type: azuread:AppRoleAssignment
    properties:
      appRoleId: 00000000-0000-0000-0000-000000000000
      principalObjectId: ${exampleGroup.objectId}
      resourceObjectId: ${internalServicePrincipal.objectId}

Create AppRoleAssignment Resource

new AppRoleAssignment(name: string, args: AppRoleAssignmentArgs, opts?: CustomResourceOptions);
@overload
def AppRoleAssignment(resource_name: str,
                      opts: Optional[ResourceOptions] = None,
                      app_role_id: Optional[str] = None,
                      principal_object_id: Optional[str] = None,
                      resource_object_id: Optional[str] = None)
@overload
def AppRoleAssignment(resource_name: str,
                      args: AppRoleAssignmentArgs,
                      opts: Optional[ResourceOptions] = None)
func NewAppRoleAssignment(ctx *Context, name string, args AppRoleAssignmentArgs, opts ...ResourceOption) (*AppRoleAssignment, error)
public AppRoleAssignment(string name, AppRoleAssignmentArgs args, CustomResourceOptions? opts = null)
public AppRoleAssignment(String name, AppRoleAssignmentArgs args)
public AppRoleAssignment(String name, AppRoleAssignmentArgs args, CustomResourceOptions options)
type: azuread:AppRoleAssignment
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args AppRoleAssignmentArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args AppRoleAssignmentArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args AppRoleAssignmentArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args AppRoleAssignmentArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args AppRoleAssignmentArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

AppRoleAssignment Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The AppRoleAssignment resource accepts the following input properties:

AppRoleId string

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

PrincipalObjectId string

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

ResourceObjectId string

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

AppRoleId string

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

PrincipalObjectId string

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

ResourceObjectId string

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

appRoleId String

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principalObjectId String

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

resourceObjectId String

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

appRoleId string

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principalObjectId string

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

resourceObjectId string

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

app_role_id str

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principal_object_id str

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

resource_object_id str

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

appRoleId String

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principalObjectId String

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

resourceObjectId String

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

Outputs

All input properties are implicitly available as output properties. Additionally, the AppRoleAssignment resource produces the following output properties:

Id string

The provider-assigned unique ID for this managed resource.

PrincipalDisplayName string

The display name of the principal to which the app role is assigned.

PrincipalType string

The object type of the principal to which the app role is assigned.

ResourceDisplayName string

The display name of the application representing the resource.

Id string

The provider-assigned unique ID for this managed resource.

PrincipalDisplayName string

The display name of the principal to which the app role is assigned.

PrincipalType string

The object type of the principal to which the app role is assigned.

ResourceDisplayName string

The display name of the application representing the resource.

id String

The provider-assigned unique ID for this managed resource.

principalDisplayName String

The display name of the principal to which the app role is assigned.

principalType String

The object type of the principal to which the app role is assigned.

resourceDisplayName String

The display name of the application representing the resource.

id string

The provider-assigned unique ID for this managed resource.

principalDisplayName string

The display name of the principal to which the app role is assigned.

principalType string

The object type of the principal to which the app role is assigned.

resourceDisplayName string

The display name of the application representing the resource.

id str

The provider-assigned unique ID for this managed resource.

principal_display_name str

The display name of the principal to which the app role is assigned.

principal_type str

The object type of the principal to which the app role is assigned.

resource_display_name str

The display name of the application representing the resource.

id String

The provider-assigned unique ID for this managed resource.

principalDisplayName String

The display name of the principal to which the app role is assigned.

principalType String

The object type of the principal to which the app role is assigned.

resourceDisplayName String

The display name of the application representing the resource.

Look up Existing AppRoleAssignment Resource

Get an existing AppRoleAssignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: AppRoleAssignmentState, opts?: CustomResourceOptions): AppRoleAssignment
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        app_role_id: Optional[str] = None,
        principal_display_name: Optional[str] = None,
        principal_object_id: Optional[str] = None,
        principal_type: Optional[str] = None,
        resource_display_name: Optional[str] = None,
        resource_object_id: Optional[str] = None) -> AppRoleAssignment
func GetAppRoleAssignment(ctx *Context, name string, id IDInput, state *AppRoleAssignmentState, opts ...ResourceOption) (*AppRoleAssignment, error)
public static AppRoleAssignment Get(string name, Input<string> id, AppRoleAssignmentState? state, CustomResourceOptions? opts = null)
public static AppRoleAssignment get(String name, Output<String> id, AppRoleAssignmentState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AppRoleId string

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

PrincipalDisplayName string

The display name of the principal to which the app role is assigned.

PrincipalObjectId string

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

PrincipalType string

The object type of the principal to which the app role is assigned.

ResourceDisplayName string

The display name of the application representing the resource.

ResourceObjectId string

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

AppRoleId string

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

PrincipalDisplayName string

The display name of the principal to which the app role is assigned.

PrincipalObjectId string

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

PrincipalType string

The object type of the principal to which the app role is assigned.

ResourceDisplayName string

The display name of the application representing the resource.

ResourceObjectId string

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

appRoleId String

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principalDisplayName String

The display name of the principal to which the app role is assigned.

principalObjectId String

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

principalType String

The object type of the principal to which the app role is assigned.

resourceDisplayName String

The display name of the application representing the resource.

resourceObjectId String

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

appRoleId string

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principalDisplayName string

The display name of the principal to which the app role is assigned.

principalObjectId string

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

principalType string

The object type of the principal to which the app role is assigned.

resourceDisplayName string

The display name of the application representing the resource.

resourceObjectId string

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

app_role_id str

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principal_display_name str

The display name of the principal to which the app role is assigned.

principal_object_id str

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

principal_type str

The object type of the principal to which the app role is assigned.

resource_display_name str

The display name of the application representing the resource.

resource_object_id str

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

appRoleId String

The ID of the app role to be assigned, or the default role ID 00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.

principalDisplayName String

The display name of the principal to which the app role is assigned.

principalObjectId String

The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.

principalType String

The object type of the principal to which the app role is assigned.

resourceDisplayName String

The display name of the application representing the resource.

resourceObjectId String

The object ID of the service principal representing the resource. Changing this forces a new resource to be created.

Import

App role assignments can be imported using the object ID of the service principal representing the resource and the ID of the app role assignment (note_not_ the ID of the app role), e.g.

 $ pulumi import azuread:index/appRoleAssignment:AppRoleAssignment example 00000000-0000-0000-0000-000000000000/appRoleAssignment/aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz

-> This ID format is unique to Terraform and is composed of the Resource Service Principal Object ID and the ID of the App Role Assignment in the format {ResourcePrincipalID}/appRoleAssignment/{AppRoleAssignmentID}.

Package Details

Repository
Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License
Apache-2.0
Notes

This Pulumi package is based on the azuread Terraform Provider.