AppRoleAssignment
Manages an app role assignment for a group, user or service principal. Can be used to grant admin consent for application permissions.
API Permissions
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires one of the following application roles: AppRoleAssignment.ReadWrite.All and Application.Read.All, or AppRoleAssignment.ReadWrite.All and Directory.Read.All, or Application.ReadWrite.All, or Directory.ReadWrite.All
When authenticated with a user principal, this resource requires one of the following directory roles: Application Administrator or Global Administrator
Example Usage
App role assignment for accessing Microsoft Graph
using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
{
ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
UseExisting = true,
});
var exampleApplication = new AzureAD.Application("exampleApplication", new()
{
DisplayName = "example",
RequiredResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
{
ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
ResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = msgraph.AppRoleIds.Apply(appRoleIds => appRoleIds.User_Read_All),
Type = "Role",
},
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_ReadWrite),
Type = "Scope",
},
},
},
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
{
ApplicationId = exampleApplication.ApplicationId,
});
var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
{
AppRoleId = msgraph.AppRoleIds.Apply(appRoleIds => appRoleIds.User_Read_All),
PrincipalObjectId = exampleServicePrincipal.ObjectId,
ResourceObjectId = msgraph.ObjectId,
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)
if err != nil {
return err
}
msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
ApplicationId: pulumi.String(wellKnown.Result.MicrosoftGraph),
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
RequiredResourceAccesses: ApplicationRequiredResourceAccessArray{
&ApplicationRequiredResourceAccessArgs{
ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
ResourceAccesses: ApplicationRequiredResourceAccessResourceAccessArray{
&ApplicationRequiredResourceAccessResourceAccessArgs{
Id: msgraph.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
return appRoleIds.User.Read.All, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Role"),
},
&ApplicationRequiredResourceAccessResourceAccessArgs{
Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
return oauth2PermissionScopeIds.User.ReadWrite, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Scope"),
},
},
},
},
})
if err != nil {
return err
}
exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: exampleApplication.ApplicationId,
})
if err != nil {
return err
}
_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
AppRoleId: msgraph.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
return appRoleIds.User.Read.All, nil
}).(pulumi.StringOutput),
PrincipalObjectId: exampleServicePrincipal.ObjectId,
ResourceObjectId: msgraph.ObjectId,
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
.applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
.useExisting(true)
.build());
var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
.displayName("example")
.requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
.resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
.resourceAccesses(
ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(msgraph.appRoleIds().applyValue(appRoleIds -> appRoleIds.User.Read.All()))
.type("Role")
.build(),
ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.ReadWrite()))
.type("Scope")
.build())
.build())
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(exampleApplication.applicationId())
.build());
var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()
.appRoleId(msgraph.appRoleIds().applyValue(appRoleIds -> appRoleIds.User.Read.All()))
.principalObjectId(exampleServicePrincipal.objectId())
.resourceObjectId(msgraph.objectId())
.build());
}
}
Coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
useExisting: true,
});
const exampleApplication = new azuread.Application("exampleApplication", {
displayName: "example",
requiredResourceAccesses: [{
resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
resourceAccesses: [
{
id: msgraph.appRoleIds["User.Read.All"],
type: "Role",
},
{
id: msgraph.oauth2PermissionScopeIds["User.ReadWrite"],
type: "Scope",
},
],
}],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {applicationId: exampleApplication.applicationId});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
appRoleId: msgraph.appRoleIds["User.Read.All"],
principalObjectId: exampleServicePrincipal.objectId,
resourceObjectId: msgraph.objectId,
});
resources:
msgraph:
type: azuread:ServicePrincipal
properties:
applicationId: ${wellKnown.result.MicrosoftGraph}
useExisting: true
exampleApplication:
type: azuread:Application
properties:
displayName: example
requiredResourceAccesses:
- resourceAppId: ${wellKnown.result.MicrosoftGraph}
resourceAccesses:
- id: ${msgraph.appRoleIds"User.Read.All"[%!s(MISSING)]}
type: Role
- id: ${msgraph.oauth2PermissionScopeIds"User.ReadWrite"[%!s(MISSING)]}
type: Scope
exampleServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${exampleApplication.applicationId}
exampleAppRoleAssignment:
type: azuread:AppRoleAssignment
properties:
appRoleId: ${msgraph.appRoleIds"User.Read.All"[%!s(MISSING)]}
principalObjectId: ${exampleServicePrincipal.objectId}
resourceObjectId: ${msgraph.objectId}
variables:
wellKnown:
Fn::Invoke:
Function: azuread:getApplicationPublishedAppIds
Arguments: {}
App role assignment for internal application
using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var internalApplication = new AzureAD.Application("internalApplication", new()
{
DisplayName = "internal",
AppRoles = new[]
{
new AzureAD.Inputs.ApplicationAppRoleArgs
{
AllowedMemberTypes = new[]
{
"Application",
},
Description = "Apps can query the database",
DisplayName = "Query",
Enabled = true,
Id = "00000000-0000-0000-0000-111111111111",
Value = "Query.All",
},
},
});
var internalServicePrincipal = new AzureAD.ServicePrincipal("internalServicePrincipal", new()
{
ApplicationId = internalApplication.ApplicationId,
});
var exampleApplication = new AzureAD.Application("exampleApplication", new()
{
DisplayName = "example",
RequiredResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
{
ResourceAppId = internalApplication.ApplicationId,
ResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Query_All),
Type = "Role",
},
},
},
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
{
ApplicationId = exampleApplication.ApplicationId,
});
var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
{
AppRoleId = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Query_All),
PrincipalObjectId = exampleServicePrincipal.ObjectId,
ResourceObjectId = internalServicePrincipal.ObjectId,
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
internalApplication, err := azuread.NewApplication(ctx, "internalApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("internal"),
AppRoles: ApplicationAppRoleArray{
&ApplicationAppRoleArgs{
AllowedMemberTypes: pulumi.StringArray{
pulumi.String("Application"),
},
Description: pulumi.String("Apps can query the database"),
DisplayName: pulumi.String("Query"),
Enabled: pulumi.Bool(true),
Id: pulumi.String("00000000-0000-0000-0000-111111111111"),
Value: pulumi.String("Query.All"),
},
},
})
if err != nil {
return err
}
internalServicePrincipal, err := azuread.NewServicePrincipal(ctx, "internalServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: internalApplication.ApplicationId,
})
if err != nil {
return err
}
exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
RequiredResourceAccesses: ApplicationRequiredResourceAccessArray{
&ApplicationRequiredResourceAccessArgs{
ResourceAppId: internalApplication.ApplicationId,
ResourceAccesses: ApplicationRequiredResourceAccessResourceAccessArray{
&ApplicationRequiredResourceAccessResourceAccessArgs{
Id: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
return appRoleIds.Query.All, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Role"),
},
},
},
},
})
if err != nil {
return err
}
exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: exampleApplication.ApplicationId,
})
if err != nil {
return err
}
_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
AppRoleId: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
return appRoleIds.Query.All, nil
}).(pulumi.StringOutput),
PrincipalObjectId: exampleServicePrincipal.ObjectId,
ResourceObjectId: internalServicePrincipal.ObjectId,
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationAppRoleArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var internalApplication = new Application("internalApplication", ApplicationArgs.builder()
.displayName("internal")
.appRoles(ApplicationAppRoleArgs.builder()
.allowedMemberTypes("Application")
.description("Apps can query the database")
.displayName("Query")
.enabled(true)
.id("00000000-0000-0000-0000-111111111111")
.value("Query.All")
.build())
.build());
var internalServicePrincipal = new ServicePrincipal("internalServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(internalApplication.applicationId())
.build());
var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
.displayName("example")
.requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
.resourceAppId(internalApplication.applicationId())
.resourceAccesses(ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Query.All()))
.type("Role")
.build())
.build())
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(exampleApplication.applicationId())
.build());
var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()
.appRoleId(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Query.All()))
.principalObjectId(exampleServicePrincipal.objectId())
.resourceObjectId(internalServicePrincipal.objectId())
.build());
}
}
Coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const internalApplication = new azuread.Application("internalApplication", {
displayName: "internal",
appRoles: [{
allowedMemberTypes: ["Application"],
description: "Apps can query the database",
displayName: "Query",
enabled: true,
id: "00000000-0000-0000-0000-111111111111",
value: "Query.All",
}],
});
const internalServicePrincipal = new azuread.ServicePrincipal("internalServicePrincipal", {applicationId: internalApplication.applicationId});
const exampleApplication = new azuread.Application("exampleApplication", {
displayName: "example",
requiredResourceAccesses: [{
resourceAppId: internalApplication.applicationId,
resourceAccesses: [{
id: internalServicePrincipal.appRoleIds["Query.All"],
type: "Role",
}],
}],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {applicationId: exampleApplication.applicationId});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
appRoleId: internalServicePrincipal.appRoleIds["Query.All"],
principalObjectId: exampleServicePrincipal.objectId,
resourceObjectId: internalServicePrincipal.objectId,
});
resources:
internalApplication:
type: azuread:Application
properties:
displayName: internal
appRoles:
- allowedMemberTypes:
- Application
description: Apps can query the database
displayName: Query
enabled: true
id: 00000000-0000-0000-0000-111111111111
value: Query.All
internalServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${internalApplication.applicationId}
exampleApplication:
type: azuread:Application
properties:
displayName: example
requiredResourceAccesses:
- resourceAppId: ${internalApplication.applicationId}
resourceAccesses:
- id: ${internalServicePrincipal.appRoleIds"Query.All"[%!s(MISSING)]}
type: Role
exampleServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${exampleApplication.applicationId}
exampleAppRoleAssignment:
type: azuread:AppRoleAssignment
properties:
appRoleId: ${internalServicePrincipal.appRoleIds"Query.All"[%!s(MISSING)]}
principalObjectId: ${exampleServicePrincipal.objectId}
resourceObjectId: ${internalServicePrincipal.objectId}
Assign a user and group to an internal application
using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var exampleDomains = AzureAD.GetDomains.Invoke(new()
{
OnlyInitial = true,
});
var internalApplication = new AzureAD.Application("internalApplication", new()
{
DisplayName = "internal",
AppRoles = new[]
{
new AzureAD.Inputs.ApplicationAppRoleArgs
{
AllowedMemberTypes = new[]
{
"Application",
"User",
},
Description = "Admins can perform all task actions",
DisplayName = "Admin",
Enabled = true,
Id = "00000000-0000-0000-0000-222222222222",
Value = "Admin.All",
},
},
});
var internalServicePrincipal = new AzureAD.ServicePrincipal("internalServicePrincipal", new()
{
ApplicationId = internalApplication.ApplicationId,
});
var exampleGroup = new AzureAD.Group("exampleGroup", new()
{
DisplayName = "example",
SecurityEnabled = true,
});
var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
{
AppRoleId = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Admin_All),
PrincipalObjectId = exampleGroup.ObjectId,
ResourceObjectId = internalServicePrincipal.ObjectId,
});
var exampleUser = new AzureAD.User("exampleUser", new()
{
DisplayName = "D. Duck",
Password = "SecretP@sswd99!",
UserPrincipalName = $"d.duck@{exampleDomains.Apply(getDomainsResult => getDomainsResult.Domains[0]?.DomainName)}",
});
var exampleIndex_appRoleAssignmentAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleIndex/appRoleAssignmentAppRoleAssignment", new()
{
AppRoleId = internalServicePrincipal.AppRoleIds.Apply(appRoleIds => appRoleIds.Admin_All),
PrincipalObjectId = exampleUser.ObjectId,
ResourceObjectId = internalServicePrincipal.ObjectId,
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleDomains, err := azuread.GetDomains(ctx, &GetDomainsArgs{
OnlyInitial: pulumi.BoolRef(true),
}, nil)
if err != nil {
return err
}
internalApplication, err := azuread.NewApplication(ctx, "internalApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("internal"),
AppRoles: ApplicationAppRoleArray{
&ApplicationAppRoleArgs{
AllowedMemberTypes: pulumi.StringArray{
pulumi.String("Application"),
pulumi.String("User"),
},
Description: pulumi.String("Admins can perform all task actions"),
DisplayName: pulumi.String("Admin"),
Enabled: pulumi.Bool(true),
Id: pulumi.String("00000000-0000-0000-0000-222222222222"),
Value: pulumi.String("Admin.All"),
},
},
})
if err != nil {
return err
}
internalServicePrincipal, err := azuread.NewServicePrincipal(ctx, "internalServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: internalApplication.ApplicationId,
})
if err != nil {
return err
}
exampleGroup, err := azuread.NewGroup(ctx, "exampleGroup", &azuread.GroupArgs{
DisplayName: pulumi.String("example"),
SecurityEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
AppRoleId: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
return appRoleIds.Admin.All, nil
}).(pulumi.StringOutput),
PrincipalObjectId: exampleGroup.ObjectId,
ResourceObjectId: internalServicePrincipal.ObjectId,
})
if err != nil {
return err
}
exampleUser, err := azuread.NewUser(ctx, "exampleUser", &azuread.UserArgs{
DisplayName: pulumi.String("D. Duck"),
Password: pulumi.String("SecretP@sswd99!"),
UserPrincipalName: pulumi.String(fmt.Sprintf("d.duck@%v", exampleDomains.Domains[0].DomainName)),
})
if err != nil {
return err
}
_, err = azuread.NewAppRoleAssignment(ctx, "exampleIndex/appRoleAssignmentAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
AppRoleId: internalServicePrincipal.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {
return appRoleIds.Admin.All, nil
}).(pulumi.StringOutput),
PrincipalObjectId: exampleUser.ObjectId,
ResourceObjectId: internalServicePrincipal.ObjectId,
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetDomainsArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationAppRoleArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import com.pulumi.azuread.User;
import com.pulumi.azuread.UserArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var exampleDomains = AzureadFunctions.getDomains(GetDomainsArgs.builder()
.onlyInitial(true)
.build());
var internalApplication = new Application("internalApplication", ApplicationArgs.builder()
.displayName("internal")
.appRoles(ApplicationAppRoleArgs.builder()
.allowedMemberTypes(
"Application",
"User")
.description("Admins can perform all task actions")
.displayName("Admin")
.enabled(true)
.id("00000000-0000-0000-0000-222222222222")
.value("Admin.All")
.build())
.build());
var internalServicePrincipal = new ServicePrincipal("internalServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(internalApplication.applicationId())
.build());
var exampleGroup = new Group("exampleGroup", GroupArgs.builder()
.displayName("example")
.securityEnabled(true)
.build());
var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()
.appRoleId(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Admin.All()))
.principalObjectId(exampleGroup.objectId())
.resourceObjectId(internalServicePrincipal.objectId())
.build());
var exampleUser = new User("exampleUser", UserArgs.builder()
.displayName("D. Duck")
.password("SecretP@sswd99!")
.userPrincipalName(String.format("d.duck@%s", exampleDomains.applyValue(getDomainsResult -> getDomainsResult.domains()[0].domainName())))
.build());
var exampleIndex_appRoleAssignmentAppRoleAssignment = new AppRoleAssignment("exampleIndex/appRoleAssignmentAppRoleAssignment", AppRoleAssignmentArgs.builder()
.appRoleId(internalServicePrincipal.appRoleIds().applyValue(appRoleIds -> appRoleIds.Admin.All()))
.principalObjectId(exampleUser.objectId())
.resourceObjectId(internalServicePrincipal.objectId())
.build());
}
}
Coming soon!
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const exampleDomains = azuread.getDomains({
onlyInitial: true,
});
const internalApplication = new azuread.Application("internalApplication", {
displayName: "internal",
appRoles: [{
allowedMemberTypes: [
"Application",
"User",
],
description: "Admins can perform all task actions",
displayName: "Admin",
enabled: true,
id: "00000000-0000-0000-0000-222222222222",
value: "Admin.All",
}],
});
const internalServicePrincipal = new azuread.ServicePrincipal("internalServicePrincipal", {applicationId: internalApplication.applicationId});
const exampleGroup = new azuread.Group("exampleGroup", {
displayName: "example",
securityEnabled: true,
});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
appRoleId: internalServicePrincipal.appRoleIds["Admin.All"],
principalObjectId: exampleGroup.objectId,
resourceObjectId: internalServicePrincipal.objectId,
});
const exampleUser = new azuread.User("exampleUser", {
displayName: "D. Duck",
password: "SecretP@sswd99!",
userPrincipalName: exampleDomains.then(exampleDomains => `d.duck@${exampleDomains.domains?[0]?.domainName}`),
});
const exampleIndex_appRoleAssignmentAppRoleAssignment = new azuread.AppRoleAssignment("exampleIndex/appRoleAssignmentAppRoleAssignment", {
appRoleId: internalServicePrincipal.appRoleIds["Admin.All"],
principalObjectId: exampleUser.objectId,
resourceObjectId: internalServicePrincipal.objectId,
});
resources:
internalApplication:
type: azuread:Application
properties:
displayName: internal
appRoles:
- allowedMemberTypes:
- Application
- User
description: Admins can perform all task actions
displayName: Admin
enabled: true
id: 00000000-0000-0000-0000-222222222222
value: Admin.All
internalServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${internalApplication.applicationId}
exampleGroup:
type: azuread:Group
properties:
displayName: example
securityEnabled: true
exampleAppRoleAssignment:
type: azuread:AppRoleAssignment
properties:
appRoleId: ${internalServicePrincipal.appRoleIds"Admin.All"[%!s(MISSING)]}
principalObjectId: ${exampleGroup.objectId}
resourceObjectId: ${internalServicePrincipal.objectId}
exampleUser:
type: azuread:User
properties:
displayName: D. Duck
password: SecretP@sswd99!
userPrincipalName: d.duck@${exampleDomains.domains[0].domainName}
exampleIndex/appRoleAssignmentAppRoleAssignment:
type: azuread:AppRoleAssignment
properties:
appRoleId: ${internalServicePrincipal.appRoleIds"Admin.All"[%!s(MISSING)]}
principalObjectId: ${exampleUser.objectId}
resourceObjectId: ${internalServicePrincipal.objectId}
variables:
exampleDomains:
Fn::Invoke:
Function: azuread:getDomains
Arguments:
onlyInitial: true
Assign a group to the default app role for an internal application
using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var internalApplication = new AzureAD.Application("internalApplication", new()
{
DisplayName = "internal",
});
var internalServicePrincipal = new AzureAD.ServicePrincipal("internalServicePrincipal", new()
{
ApplicationId = internalApplication.ApplicationId,
});
var exampleGroup = new AzureAD.Group("exampleGroup", new()
{
DisplayName = "example",
SecurityEnabled = true,
});
var exampleAppRoleAssignment = new AzureAD.AppRoleAssignment("exampleAppRoleAssignment", new()
{
AppRoleId = "00000000-0000-0000-0000-000000000000",
PrincipalObjectId = exampleGroup.ObjectId,
ResourceObjectId = internalServicePrincipal.ObjectId,
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
internalApplication, err := azuread.NewApplication(ctx, "internalApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("internal"),
})
if err != nil {
return err
}
internalServicePrincipal, err := azuread.NewServicePrincipal(ctx, "internalServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: internalApplication.ApplicationId,
})
if err != nil {
return err
}
exampleGroup, err := azuread.NewGroup(ctx, "exampleGroup", &azuread.GroupArgs{
DisplayName: pulumi.String("example"),
SecurityEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = azuread.NewAppRoleAssignment(ctx, "exampleAppRoleAssignment", &azuread.AppRoleAssignmentArgs{
AppRoleId: pulumi.String("00000000-0000-0000-0000-000000000000"),
PrincipalObjectId: exampleGroup.ObjectId,
ResourceObjectId: internalServicePrincipal.ObjectId,
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import com.pulumi.azuread.AppRoleAssignment;
import com.pulumi.azuread.AppRoleAssignmentArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var internalApplication = new Application("internalApplication", ApplicationArgs.builder()
.displayName("internal")
.build());
var internalServicePrincipal = new ServicePrincipal("internalServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(internalApplication.applicationId())
.build());
var exampleGroup = new Group("exampleGroup", GroupArgs.builder()
.displayName("example")
.securityEnabled(true)
.build());
var exampleAppRoleAssignment = new AppRoleAssignment("exampleAppRoleAssignment", AppRoleAssignmentArgs.builder()
.appRoleId("00000000-0000-0000-0000-000000000000")
.principalObjectId(exampleGroup.objectId())
.resourceObjectId(internalServicePrincipal.objectId())
.build());
}
}
import pulumi
import pulumi_azuread as azuread
internal_application = azuread.Application("internalApplication", display_name="internal")
internal_service_principal = azuread.ServicePrincipal("internalServicePrincipal", application_id=internal_application.application_id)
example_group = azuread.Group("exampleGroup",
display_name="example",
security_enabled=True)
example_app_role_assignment = azuread.AppRoleAssignment("exampleAppRoleAssignment",
app_role_id="00000000-0000-0000-0000-000000000000",
principal_object_id=example_group.object_id,
resource_object_id=internal_service_principal.object_id)
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const internalApplication = new azuread.Application("internalApplication", {displayName: "internal"});
const internalServicePrincipal = new azuread.ServicePrincipal("internalServicePrincipal", {applicationId: internalApplication.applicationId});
const exampleGroup = new azuread.Group("exampleGroup", {
displayName: "example",
securityEnabled: true,
});
const exampleAppRoleAssignment = new azuread.AppRoleAssignment("exampleAppRoleAssignment", {
appRoleId: "00000000-0000-0000-0000-000000000000",
principalObjectId: exampleGroup.objectId,
resourceObjectId: internalServicePrincipal.objectId,
});
resources:
internalApplication:
type: azuread:Application
properties:
displayName: internal
internalServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${internalApplication.applicationId}
exampleGroup:
type: azuread:Group
properties:
displayName: example
securityEnabled: true
exampleAppRoleAssignment:
type: azuread:AppRoleAssignment
properties:
appRoleId: 00000000-0000-0000-0000-000000000000
principalObjectId: ${exampleGroup.objectId}
resourceObjectId: ${internalServicePrincipal.objectId}
Create AppRoleAssignment Resource
new AppRoleAssignment(name: string, args: AppRoleAssignmentArgs, opts?: CustomResourceOptions);@overload
def AppRoleAssignment(resource_name: str,
opts: Optional[ResourceOptions] = None,
app_role_id: Optional[str] = None,
principal_object_id: Optional[str] = None,
resource_object_id: Optional[str] = None)
@overload
def AppRoleAssignment(resource_name: str,
args: AppRoleAssignmentArgs,
opts: Optional[ResourceOptions] = None)func NewAppRoleAssignment(ctx *Context, name string, args AppRoleAssignmentArgs, opts ...ResourceOption) (*AppRoleAssignment, error)public AppRoleAssignment(string name, AppRoleAssignmentArgs args, CustomResourceOptions? opts = null)
public AppRoleAssignment(String name, AppRoleAssignmentArgs args)
public AppRoleAssignment(String name, AppRoleAssignmentArgs args, CustomResourceOptions options)
type: azuread:AppRoleAssignment
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AppRoleAssignmentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AppRoleAssignmentArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AppRoleAssignmentArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AppRoleAssignmentArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AppRoleAssignmentArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
AppRoleAssignment Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The AppRoleAssignment resource accepts the following input properties:
- App
Role stringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- Principal
Object stringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- Resource
Object stringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- App
Role stringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- Principal
Object stringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- Resource
Object stringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app
Role StringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal
Object StringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- resource
Object StringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app
Role stringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal
Object stringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- resource
Object stringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app_
role_ strid The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal_
object_ strid The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- resource_
object_ strid The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app
Role StringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal
Object StringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- resource
Object StringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
Outputs
All input properties are implicitly available as output properties. Additionally, the AppRoleAssignment resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Principal
Display stringName The display name of the principal to which the app role is assigned.
- Principal
Type string The object type of the principal to which the app role is assigned.
- Resource
Display stringName The display name of the application representing the resource.
- Id string
The provider-assigned unique ID for this managed resource.
- Principal
Display stringName The display name of the principal to which the app role is assigned.
- Principal
Type string The object type of the principal to which the app role is assigned.
- Resource
Display stringName The display name of the application representing the resource.
- id String
The provider-assigned unique ID for this managed resource.
- principal
Display StringName The display name of the principal to which the app role is assigned.
- principal
Type String The object type of the principal to which the app role is assigned.
- resource
Display StringName The display name of the application representing the resource.
- id string
The provider-assigned unique ID for this managed resource.
- principal
Display stringName The display name of the principal to which the app role is assigned.
- principal
Type string The object type of the principal to which the app role is assigned.
- resource
Display stringName The display name of the application representing the resource.
- id str
The provider-assigned unique ID for this managed resource.
- principal_
display_ strname The display name of the principal to which the app role is assigned.
- principal_
type str The object type of the principal to which the app role is assigned.
- resource_
display_ strname The display name of the application representing the resource.
- id String
The provider-assigned unique ID for this managed resource.
- principal
Display StringName The display name of the principal to which the app role is assigned.
- principal
Type String The object type of the principal to which the app role is assigned.
- resource
Display StringName The display name of the application representing the resource.
Look up Existing AppRoleAssignment Resource
Get an existing AppRoleAssignment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AppRoleAssignmentState, opts?: CustomResourceOptions): AppRoleAssignment@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
app_role_id: Optional[str] = None,
principal_display_name: Optional[str] = None,
principal_object_id: Optional[str] = None,
principal_type: Optional[str] = None,
resource_display_name: Optional[str] = None,
resource_object_id: Optional[str] = None) -> AppRoleAssignmentfunc GetAppRoleAssignment(ctx *Context, name string, id IDInput, state *AppRoleAssignmentState, opts ...ResourceOption) (*AppRoleAssignment, error)public static AppRoleAssignment Get(string name, Input<string> id, AppRoleAssignmentState? state, CustomResourceOptions? opts = null)public static AppRoleAssignment get(String name, Output<String> id, AppRoleAssignmentState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- App
Role stringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- Principal
Display stringName The display name of the principal to which the app role is assigned.
- Principal
Object stringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- Principal
Type string The object type of the principal to which the app role is assigned.
- Resource
Display stringName The display name of the application representing the resource.
- Resource
Object stringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- App
Role stringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- Principal
Display stringName The display name of the principal to which the app role is assigned.
- Principal
Object stringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- Principal
Type string The object type of the principal to which the app role is assigned.
- Resource
Display stringName The display name of the application representing the resource.
- Resource
Object stringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app
Role StringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal
Display StringName The display name of the principal to which the app role is assigned.
- principal
Object StringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- principal
Type String The object type of the principal to which the app role is assigned.
- resource
Display StringName The display name of the application representing the resource.
- resource
Object StringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app
Role stringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal
Display stringName The display name of the principal to which the app role is assigned.
- principal
Object stringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- principal
Type string The object type of the principal to which the app role is assigned.
- resource
Display stringName The display name of the application representing the resource.
- resource
Object stringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app_
role_ strid The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal_
display_ strname The display name of the principal to which the app role is assigned.
- principal_
object_ strid The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- principal_
type str The object type of the principal to which the app role is assigned.
- resource_
display_ strname The display name of the application representing the resource.
- resource_
object_ strid The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
- app
Role StringId The ID of the app role to be assigned, or the default role ID
00000000-0000-0000-0000-000000000000. Changing this forces a new resource to be created.- principal
Display StringName The display name of the principal to which the app role is assigned.
- principal
Object StringId The object ID of the user, group or service principal to be assigned this app role. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
- principal
Type String The object type of the principal to which the app role is assigned.
- resource
Display StringName The display name of the application representing the resource.
- resource
Object StringId The object ID of the service principal representing the resource. Changing this forces a new resource to be created.
Import
App role assignments can be imported using the object ID of the service principal representing the resource and the ID of the app role assignment (note_not_ the ID of the app role), e.g.
$ pulumi import azuread:index/appRoleAssignment:AppRoleAssignment example 00000000-0000-0000-0000-000000000000/appRoleAssignment/aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
-> This ID format is unique to Terraform and is composed of the Resource Service Principal Object ID and the ID of the App Role Assignment in the format {ResourcePrincipalID}/appRoleAssignment/{AppRoleAssignmentID}.
Package Details
- Repository
- https://github.com/pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
azureadTerraform Provider.