published on Tuesday, Mar 24, 2026 by Pulumi
Manages a Conditional Access Policy within Azure Active Directory.
Licensing Requirements
Specifying the clientApplications property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access policy).
API Limits
This resource is subject to a restrictive API request limit of 1 request/second. Whilst Terraform will automatically back off and retry throttled requests, if you have a large number of resource changes to make, you may wish to reduce parallelism or specify extended custom resource timeouts.
API Permissions
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires the following application roles: Policy.ReadWrite.ConditionalAccess and Policy.Read.All
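When authenticated with a user principal, this resource requires one of the following directory roles: Conditional Access Administrator or Global Administrator. Either role is sufficient on its own; Conditional Access Administrator is the narrower of the two.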
Example Usage
All users except guests or external users
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Conditional Access policy scoped to every user except guests and external users.
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    // Created disabled: nothing is enforced until the state is changed.
    // "enabledForReportingButNotEnforced" evaluates the policy in report-only mode.
    state: "disabled",
    conditions: {
        clientAppTypes: ["all"],
        signInRiskLevels: ["medium"],
        userRiskLevels: ["medium"],
        applications: {
            includedApplications: ["All"],
            excludedApplications: [],
        },
        devices: {
            // Devices matching the rule are left out of the policy.
            filter: {
                mode: "exclude",
                rule: "device.operatingSystem eq \"Doors\"",
            },
        },
        locations: {
            includedLocations: ["All"],
            // Sign-ins from trusted locations are out of scope, so the trusted
            // location definitions become part of this policy's boundary.
            excludedLocations: ["AllTrusted"],
        },
        platforms: {
            includedPlatforms: ["android"],
            excludedPlatforms: ["iOS"],
        },
        users: {
            // NOTE(review): before enabling an all-users policy, confirm that
            // emergency-access accounts are excluded to avoid a tenant lockout.
            includedUsers: ["All"],
            excludedUsers: ["GuestsOrExternalUsers"],
        },
    },
    // Access is granted once the listed built-in control (MFA) is satisfied.
    grantControls: {
        operator: "OR",
        builtInControls: ["mfa"],
    },
    // Re-authentication is required every 10 hours.
    sessionControls: {
        applicationEnforcedRestrictionsEnabled: true,
        disableResilienceDefaults: false,
        signInFrequency: 10,
        signInFrequencyPeriod: "hours",
        cloudAppSecurityPolicy: "monitorOnly",
    },
});
import pulumi
import pulumi_azuread as azuread
# Which sign-ins the policy evaluates.
policy_conditions = {
    "client_app_types": ["all"],
    "sign_in_risk_levels": ["medium"],
    "user_risk_levels": ["medium"],
    "applications": {
        "included_applications": ["All"],
        "excluded_applications": [],
    },
    "devices": {
        # Devices matching the rule are left out of the policy.
        "filter": {
            "mode": "exclude",
            "rule": "device.operatingSystem eq \"Doors\"",
        },
    },
    "locations": {
        "included_locations": ["All"],
        # Sign-ins from trusted locations are out of scope, so the trusted
        # location definitions become part of this policy's boundary.
        "excluded_locations": ["AllTrusted"],
    },
    "platforms": {
        "included_platforms": ["android"],
        "excluded_platforms": ["iOS"],
    },
    "users": {
        # NOTE(review): before enabling an all-users policy, confirm that
        # emergency-access accounts are excluded to avoid a tenant lockout.
        "included_users": ["All"],
        "excluded_users": ["GuestsOrExternalUsers"],
    },
}

# Access is granted once the listed built-in control (MFA) is satisfied.
policy_grant_controls = {
    "operator": "OR",
    "built_in_controls": ["mfa"],
}

# Re-authentication is required every 10 hours.
policy_session_controls = {
    "application_enforced_restrictions_enabled": True,
    "disable_resilience_defaults": False,
    "sign_in_frequency": 10,
    "sign_in_frequency_period": "hours",
    "cloud_app_security_policy": "monitorOnly",
}

# Created disabled: nothing is enforced until the state is changed.
# "enabledForReportingButNotEnforced" evaluates the policy in report-only mode.
example = azuread.ConditionalAccessPolicy(
    "example",
    display_name="example policy",
    state="disabled",
    conditions=policy_conditions,
    grant_controls=policy_grant_controls,
    session_controls=policy_session_controls,
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that declares one Conditional Access policy
// covering all users except guests and external users.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		args := &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			// Created disabled: nothing is enforced until the state is changed.
			// "enabledForReportingButNotEnforced" evaluates the policy in report-only mode.
			State: pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				SignInRiskLevels: pulumi.StringArray{
					pulumi.String("medium"),
				},
				UserRiskLevels: pulumi.StringArray{
					pulumi.String("medium"),
				},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
					ExcludedApplications: pulumi.StringArray{},
				},
				Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
					// Devices matching the rule are left out of the policy.
					Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
						Mode: pulumi.String("exclude"),
						Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
					},
				},
				Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
					IncludedLocations: pulumi.StringArray{
						pulumi.String("All"),
					},
					// Sign-ins from trusted locations are out of scope, so the trusted
					// location definitions become part of this policy's boundary.
					ExcludedLocations: pulumi.StringArray{
						pulumi.String("AllTrusted"),
					},
				},
				Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
					IncludedPlatforms: pulumi.StringArray{
						pulumi.String("android"),
					},
					ExcludedPlatforms: pulumi.StringArray{
						pulumi.String("iOS"),
					},
				},
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					// NOTE(review): before enabling an all-users policy, confirm that
					// emergency-access accounts are excluded to avoid a tenant lockout.
					IncludedUsers: pulumi.StringArray{
						pulumi.String("All"),
					},
					ExcludedUsers: pulumi.StringArray{
						pulumi.String("GuestsOrExternalUsers"),
					},
				},
			},
			// Access is granted once the listed built-in control (MFA) is satisfied.
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator: pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{
					pulumi.String("mfa"),
				},
			},
			// Re-authentication is required every 10 hours.
			SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
				ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
				DisableResilienceDefaults:              pulumi.Bool(false),
				SignInFrequency:                        pulumi.Int(10),
				SignInFrequencyPeriod:                  pulumi.String("hours"),
				CloudAppSecurityPolicy:                 pulumi.String("monitorOnly"),
			},
		}

		// The resource handle is not needed; only the error is propagated.
		_, err := azuread.NewConditionalAccessPolicy(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Which sign-ins the policy evaluates.
    var conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
    {
        ClientAppTypes = new[] { "all" },
        SignInRiskLevels = new[] { "medium" },
        UserRiskLevels = new[] { "medium" },
        Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
        {
            IncludedApplications = new[] { "All" },
            ExcludedApplications = new() { },
        },
        Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
        {
            // Devices matching the rule are left out of the policy.
            Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
            {
                Mode = "exclude",
                Rule = "device.operatingSystem eq \"Doors\"",
            },
        },
        Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
        {
            IncludedLocations = new[] { "All" },
            // Sign-ins from trusted locations are out of scope, so the trusted
            // location definitions become part of this policy's boundary.
            ExcludedLocations = new[] { "AllTrusted" },
        },
        Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
        {
            IncludedPlatforms = new[] { "android" },
            ExcludedPlatforms = new[] { "iOS" },
        },
        Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
        {
            // NOTE(review): before enabling an all-users policy, confirm that
            // emergency-access accounts are excluded to avoid a tenant lockout.
            IncludedUsers = new[] { "All" },
            ExcludedUsers = new[] { "GuestsOrExternalUsers" },
        },
    };

    // Access is granted once the listed built-in control (MFA) is satisfied.
    var grantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
    {
        Operator = "OR",
        BuiltInControls = new[] { "mfa" },
    };

    // Re-authentication is required every 10 hours.
    var sessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
    {
        ApplicationEnforcedRestrictionsEnabled = true,
        DisableResilienceDefaults = false,
        SignInFrequency = 10,
        SignInFrequencyPeriod = "hours",
        CloudAppSecurityPolicy = "monitorOnly",
    };

    var example = new AzureAD.Index.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        // Created disabled: nothing is enforced until the state is changed.
        // "enabledForReportingButNotEnforced" evaluates the policy in report-only mode.
        State = "disabled",
        Conditions = conditions,
        GrantControls = grantControls,
        SessionControls = sessionControls,
    });

});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Conditional Access policy covering all
 * users except guests and external users.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example policy. It is created with state "disabled", so
     * nothing is enforced until the state is changed;
     * "enabledForReportingButNotEnforced" evaluates it in report-only mode.
     */
    public static void stack(Context ctx) {
        var applications = ConditionalAccessPolicyConditionsApplicationsArgs.builder()
            .includedApplications("All")
            .excludedApplications()
            .build();

        // Devices matching the rule are left out of the policy.
        var devices = ConditionalAccessPolicyConditionsDevicesArgs.builder()
            .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                .mode("exclude")
                .rule("device.operatingSystem eq \"Doors\"")
                .build())
            .build();

        // Sign-ins from trusted locations are out of scope, so the trusted
        // location definitions become part of this policy's boundary.
        var locations = ConditionalAccessPolicyConditionsLocationsArgs.builder()
            .includedLocations("All")
            .excludedLocations("AllTrusted")
            .build();

        var platforms = ConditionalAccessPolicyConditionsPlatformsArgs.builder()
            .includedPlatforms("android")
            .excludedPlatforms("iOS")
            .build();

        // NOTE(review): before enabling an all-users policy, confirm that
        // emergency-access accounts are excluded to avoid a tenant lockout.
        var users = ConditionalAccessPolicyConditionsUsersArgs.builder()
            .includedUsers("All")
            .excludedUsers("GuestsOrExternalUsers")
            .build();

        var conditions = ConditionalAccessPolicyConditionsArgs.builder()
            .clientAppTypes("all")
            .signInRiskLevels("medium")
            .userRiskLevels("medium")
            .applications(applications)
            .devices(devices)
            .locations(locations)
            .platforms(platforms)
            .users(users)
            .build();

        // Access is granted once the listed built-in control (MFA) is satisfied.
        var grantControls = ConditionalAccessPolicyGrantControlsArgs.builder()
            .operator("OR")
            .builtInControls("mfa")
            .build();

        // Re-authentication is required every 10 hours.
        var sessionControls = ConditionalAccessPolicySessionControlsArgs.builder()
            .applicationEnforcedRestrictionsEnabled(true)
            .disableResilienceDefaults(false)
            .signInFrequency(10)
            .signInFrequencyPeriod("hours")
            .cloudAppSecurityPolicy("monitorOnly")
            .build();

        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(conditions)
            .grantControls(grantControls)
            .sessionControls(sessionControls)
            .build());

    }
}
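# Conditional Access policy scoped to every user except guests and external users.
# Nesting restored from the flattened listing; it follows the other language tabs.
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      # Created disabled: nothing is enforced until the state is changed.
      # enabledForReportingButNotEnforced evaluates the policy in report-only mode.
      state: disabled
      conditions:
        clientAppTypes:
          - all
        signInRiskLevels:
          - medium
        userRiskLevels:
          - medium
        applications:
          includedApplications:
            - All
          excludedApplications: []
        devices:
          # Devices matching the rule are left out of the policy.
          filter:
            mode: exclude
            rule: device.operatingSystem eq "Doors"
        locations:
          includedLocations:
            - All
          # Sign-ins from trusted locations are out of scope, so the trusted
          # location definitions become part of this policy's boundary.
          excludedLocations:
            - AllTrusted
        platforms:
          includedPlatforms:
            - android
          excludedPlatforms:
            - iOS
        users:
          # NOTE(review): before enabling an all-users policy, confirm that
          # emergency-access accounts are excluded to avoid a tenant lockout.
          includedUsers:
            - All
          excludedUsers:
            - GuestsOrExternalUsers
      # Access is granted once the listed built-in control (MFA) is satisfied.
      grantControls:
        operator: OR
        builtInControls:
          - mfa
      # Re-authentication is required every 10 hours.
      sessionControls:
        applicationEnforcedRestrictionsEnabled: true
        disableResilienceDefaults: false
        signInFrequency: 10
        signInFrequencyPeriod: hours
        cloudAppSecurityPolicy: monitorOnly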
Included client applications / service principals
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Object ID taken from the provider's current client configuration
// (presumably the identity the deployment authenticates as - confirm).
const current = azuread.getClientConfig({});

// Workload-identity policy: no users are in scope, only the listed service principal.
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    // Created disabled: nothing is enforced until the state is changed.
    state: "disabled",
    conditions: {
        clientAppTypes: ["all"],
        applications: {
            includedApplications: ["All"],
        },
        clientApplications: {
            // NOTE(review): the target is the caller's own object ID and the grant
            // control is "block". Enabling this as written would presumably block the
            // identity that manages the policy when that identity is a service principal.
            includedServicePrincipals: [current.then(cfg => cfg.objectId)],
            excludedServicePrincipals: [],
        },
        users: {
            includedUsers: ["None"],
        },
    },
    grantControls: {
        operator: "OR",
        builtInControls: ["block"],
    },
});
import pulumi
import pulumi_azuread as azuread
# Object ID taken from the provider's current client configuration
# (presumably the identity the deployment authenticates as - confirm).
current = azuread.get_client_config()

# Workload-identity policy: no users are in scope, only the listed service principal.
policy_conditions = {
    "client_app_types": ["all"],
    "applications": {
        "included_applications": ["All"],
    },
    "client_applications": {
        # NOTE(review): the target is the caller's own object ID and the grant
        # control is "block". Enabling this as written would presumably block the
        # identity that manages the policy when that identity is a service principal.
        "included_service_principals": [current.object_id],
        "excluded_service_principals": [],
    },
    "users": {
        "included_users": ["None"],
    },
}

policy_grant_controls = {
    "operator": "OR",
    "built_in_controls": ["block"],
}

# Created disabled: nothing is enforced until the state is changed.
example = azuread.ConditionalAccessPolicy(
    "example",
    display_name="example policy",
    state="disabled",
    conditions=policy_conditions,
    grant_controls=policy_grant_controls,
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that declares a workload-identity Conditional
// Access policy targeting the service principal from the current client config.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Object ID taken from the provider's current client configuration
		// (presumably the identity the deployment authenticates as - confirm).
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}

		args := &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			// Created disabled: nothing is enforced until the state is changed.
			State: pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
					// NOTE(review): the target is the caller's own object ID and the grant
					// control is "block". Enabling this as written would presumably block the
					// identity that manages the policy when that identity is a service principal.
					IncludedServicePrincipals: pulumi.StringArray{
						pulumi.String(current.ObjectId),
					},
					ExcludedServicePrincipals: pulumi.StringArray{},
				},
				// No users are in scope; only the service principal above is.
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{
						pulumi.String("None"),
					},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator: pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{
					pulumi.String("block"),
				},
			},
		}

		// The resource handle is not needed; only the error is propagated.
		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Object ID taken from the provider's current client configuration
    // (presumably the identity the deployment authenticates as - confirm).
    var current = AzureAD.Index.GetClientConfig.Invoke();

    // NOTE(review): the target is the caller's own object ID and the grant
    // control is "block". Enabling this as written would presumably block the
    // identity that manages the policy when that identity is a service principal.
    var clientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
    {
        IncludedServicePrincipals = new[]
        {
            current.Apply(cfg => cfg.ObjectId),
        },
        ExcludedServicePrincipals = new() { },
    };

    var grantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
    {
        Operator = "OR",
        BuiltInControls = new[] { "block" },
    };

    var example = new AzureAD.Index.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        // Created disabled: nothing is enforced until the state is changed.
        State = "disabled",
        Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
        {
            ClientAppTypes = new[] { "all" },
            Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
            {
                IncludedApplications = new[] { "All" },
            },
            ClientApplications = clientApplications,
            // No users are in scope; only the service principal above is.
            Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
            {
                IncludedUsers = new[] { "None" },
            },
        },
        GrantControls = grantControls,
    });

});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
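/**
 * Pulumi program that declares a workload-identity Conditional Access policy
 * targeting the service principal from the current client configuration.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example policy. It is created with state "disabled", so
     * nothing is enforced until the state is changed.
     */
    public static void stack(Context ctx) {
        // NOTE(review): the published listing had a formatter panic message where the
        // argument list belongs, which made this line unparseable. The other language
        // tabs call getClientConfig with no inputs, so the no-argument form is used.
        // Confirm against the Java SDK that objectId() can be read directly from the
        // result; if the call returns an Output, the value has to be unwrapped first.
        final var current = AzureadFunctions.getClientConfig();

        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                .clientAppTypes("all")
                .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                    .includedApplications("All")
                    .build())
                // NOTE(review): the target is the caller's own object ID and the grant
                // control is "block". Enabling this as written would presumably block the
                // identity that manages the policy when that identity is a service principal.
                .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                    .includedServicePrincipals(current.objectId())
                    .excludedServicePrincipals()
                    .build())
                // No users are in scope; only the service principal above is.
                .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                    .includedUsers("None")
                    .build())
                .build())
            .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                .operator("OR")
                .builtInControls("block")
                .build())
            .build());

    }
}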
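# Workload-identity policy: no users are in scope, only the listed service principal.
# Nesting restored from the flattened listing; it follows the other language tabs.
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      # Created disabled: nothing is enforced until the state is changed.
      state: disabled
      conditions:
        clientAppTypes:
          - all
        applications:
          includedApplications:
            - All
        clientApplications:
          # NOTE(review): the target is the caller's own object ID and the grant
          # control is "block". Enabling this as written would presumably block the
          # identity that manages the policy when that identity is a service principal.
          includedServicePrincipals:
            - ${current.objectId}
          excludedServicePrincipals: []
        users:
          includedUsers:
            - None
      grantControls:
        operator: OR
        builtInControls:
          - block
variables:
  # Current client configuration of the provider; takes no arguments.
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}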
Excluded client applications / service principals
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Object ID taken from the provider's current client configuration
// (presumably the identity the deployment authenticates as - confirm).
const current = azuread.getClientConfig({});

// Workload-identity policy: every service principal in the tenant except the excluded one.
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    // Created disabled: nothing is enforced until the state is changed.
    // NOTE(review): with a "block" control on "ServicePrincipalsInMyTenant" the scope is
    // tenant-wide; "enabledForReportingButNotEnforced" allows a report-only trial first.
    state: "disabled",
    conditions: {
        clientAppTypes: ["all"],
        applications: {
            includedApplications: ["All"],
        },
        clientApplications: {
            includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
            // The caller's own object ID is kept out of scope.
            excludedServicePrincipals: [current.then(cfg => cfg.objectId)],
        },
        users: {
            includedUsers: ["None"],
        },
    },
    grantControls: {
        operator: "OR",
        builtInControls: ["block"],
    },
});
import pulumi
import pulumi_azuread as azuread
# Object ID taken from the provider's current client configuration
# (presumably the identity the deployment authenticates as - confirm).
current = azuread.get_client_config()

# Workload-identity policy: every service principal in the tenant except the excluded one.
policy_conditions = {
    "client_app_types": ["all"],
    "applications": {
        "included_applications": ["All"],
    },
    "client_applications": {
        "included_service_principals": ["ServicePrincipalsInMyTenant"],
        # The caller's own object ID is kept out of scope.
        "excluded_service_principals": [current.object_id],
    },
    "users": {
        "included_users": ["None"],
    },
}

policy_grant_controls = {
    "operator": "OR",
    "built_in_controls": ["block"],
}

# Created disabled: nothing is enforced until the state is changed.
# NOTE(review): with a "block" control on "ServicePrincipalsInMyTenant" the scope is
# tenant-wide; "enabledForReportingButNotEnforced" allows a report-only trial first.
example = azuread.ConditionalAccessPolicy(
    "example",
    display_name="example policy",
    state="disabled",
    conditions=policy_conditions,
    grant_controls=policy_grant_controls,
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main runs a Pulumi program that declares a workload-identity Conditional
// Access policy covering every service principal in the tenant except the
// one from the current client config.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Object ID taken from the provider's current client configuration
		// (presumably the identity the deployment authenticates as - confirm).
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}

		args := &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			// Created disabled: nothing is enforced until the state is changed.
			// NOTE(review): with a "block" control on "ServicePrincipalsInMyTenant" the scope is
			// tenant-wide; "enabledForReportingButNotEnforced" allows a report-only trial first.
			State: pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
					IncludedServicePrincipals: pulumi.StringArray{
						pulumi.String("ServicePrincipalsInMyTenant"),
					},
					// The caller's own object ID is kept out of scope.
					ExcludedServicePrincipals: pulumi.StringArray{
						pulumi.String(current.ObjectId),
					},
				},
				// No users are in scope; only service principals are.
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{
						pulumi.String("None"),
					},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator: pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{
					pulumi.String("block"),
				},
			},
		}

		// The resource handle is not needed; only the error is propagated.
		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Object ID taken from the provider's current client configuration
    // (presumably the identity the deployment authenticates as - confirm).
    var current = AzureAD.Index.GetClientConfig.Invoke();

    var clientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
    {
        IncludedServicePrincipals = new[]
        {
            "ServicePrincipalsInMyTenant",
        },
        // The caller's own object ID is kept out of scope.
        ExcludedServicePrincipals = new[]
        {
            current.Apply(cfg => cfg.ObjectId),
        },
    };

    var grantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
    {
        Operator = "OR",
        BuiltInControls = new[] { "block" },
    };

    var example = new AzureAD.Index.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        // Created disabled: nothing is enforced until the state is changed.
        // NOTE(review): with a "block" control on "ServicePrincipalsInMyTenant" the scope is
        // tenant-wide; "enabledForReportingButNotEnforced" allows a report-only trial first.
        State = "disabled",
        Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
        {
            ClientAppTypes = new[] { "all" },
            Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
            {
                IncludedApplications = new[] { "All" },
            },
            ClientApplications = clientApplications,
            // No users are in scope; only service principals are.
            Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
            {
                IncludedUsers = new[] { "None" },
            },
        },
        GrantControls = grantControls,
    });

});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
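/**
 * Pulumi program that declares a workload-identity Conditional Access policy
 * covering every service principal in the tenant except the one from the
 * current client configuration.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the example policy. It is created with state "disabled", so
     * nothing is enforced until the state is changed.
     */
    public static void stack(Context ctx) {
        // NOTE(review): the published listing had a formatter panic message where the
        // argument list belongs, which made this line unparseable. The other language
        // tabs call getClientConfig with no inputs, so the no-argument form is used.
        // Confirm against the Java SDK that objectId() can be read directly from the
        // result; if the call returns an Output, the value has to be unwrapped first.
        final var current = AzureadFunctions.getClientConfig();

        // NOTE(review): with a "block" control on "ServicePrincipalsInMyTenant" the scope is
        // tenant-wide; "enabledForReportingButNotEnforced" allows a report-only trial first.
        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                .clientAppTypes("all")
                .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                    .includedApplications("All")
                    .build())
                // The caller's own object ID is kept out of scope.
                .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                    .includedServicePrincipals("ServicePrincipalsInMyTenant")
                    .excludedServicePrincipals(current.objectId())
                    .build())
                // No users are in scope; only service principals are.
                .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                    .includedUsers("None")
                    .build())
                .build())
            .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                .operator("OR")
                .builtInControls("block")
                .build())
            .build());

    }
}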
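# Workload-identity policy: every service principal in the tenant except the excluded one.
# Nesting restored from the flattened listing; it follows the other language tabs.
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      # Created disabled: nothing is enforced until the state is changed.
      # NOTE(review): with a block control on ServicePrincipalsInMyTenant the scope is
      # tenant-wide; enabledForReportingButNotEnforced allows a report-only trial first.
      state: disabled
      conditions:
        clientAppTypes:
          - all
        applications:
          includedApplications:
            - All
        clientApplications:
          includedServicePrincipals:
            - ServicePrincipalsInMyTenant
          # The caller's own object ID is kept out of scope.
          excludedServicePrincipals:
            - ${current.objectId}
        users:
          includedUsers:
            - None
      grantControls:
        operator: OR
        builtInControls:
          - block
variables:
  # Current client configuration of the provider; takes no arguments.
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}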
Create ConditionalAccessPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);
@overload
def ConditionalAccessPolicy(resource_name: str,
args: ConditionalAccessPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ConditionalAccessPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
state: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None)
func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
type: azuread:ConditionalAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference listing of the inputs accepted by ConditionalAccessPolicy.
// Every value is a placeholder ("string", false, 0) that shows the expected
// type only; this is not a deployable policy.
var conditionalAccessPolicyResource = new AzureAD.ConditionalAccessPolicy("conditionalAccessPolicyResource", new()
{
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
ExcludedApplications = new[]
{
"string",
},
IncludedApplications = new[]
{
"string",
},
IncludedUserActions = new[]
{
"string",
},
},
ClientAppTypes = new[]
{
"string",
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
ExcludedGroups = new[]
{
"string",
},
ExcludedGuestsOrExternalUsers = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
{
GuestOrExternalUserTypes = new[]
{
"string",
},
ExternalTenants = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
{
MembershipKind = "string",
Members = new[]
{
"string",
},
},
},
},
},
ExcludedRoles = new[]
{
"string",
},
ExcludedUsers = new[]
{
"string",
},
IncludedGroups = new[]
{
"string",
},
IncludedGuestsOrExternalUsers = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
{
GuestOrExternalUserTypes = new[]
{
"string",
},
ExternalTenants = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
{
MembershipKind = "string",
Members = new[]
{
"string",
},
},
},
},
},
IncludedRoles = new[]
{
"string",
},
IncludedUsers = new[]
{
"string",
},
},
AuthenticationFlowTransferMethods = new[]
{
"string",
},
ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
{
ExcludedServicePrincipals = new[]
{
"string",
},
Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsFilterArgs
{
Mode = "string",
Rule = "string",
},
IncludedServicePrincipals = new[]
{
"string",
},
},
Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
{
Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
{
Mode = "string",
Rule = "string",
},
},
InsiderRiskLevels = "string",
Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
{
IncludedLocations = new[]
{
"string",
},
ExcludedLocations = new[]
{
"string",
},
},
Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
{
IncludedPlatforms = new[]
{
"string",
},
ExcludedPlatforms = new[]
{
"string",
},
},
ServicePrincipalRiskLevels = new[]
{
"string",
},
SignInRiskLevels = new[]
{
"string",
},
UserRiskLevels = new[]
{
"string",
},
},
DisplayName = "string",
// Placeholder; the usage examples on this page set "disabled".
State = "string",
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "string",
AuthenticationStrengthPolicyId = "string",
BuiltInControls = new[]
{
"string",
},
CustomAuthenticationFactors = new[]
{
"string",
},
TermsOfUses = new[]
{
"string",
},
},
SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
{
ApplicationEnforcedRestrictionsEnabled = false,
CloudAppSecurityPolicy = "string",
DisableResilienceDefaults = false,
PersistentBrowserMode = "string",
SignInFrequency = 0,
SignInFrequencyAuthenticationType = "string",
SignInFrequencyInterval = "string",
SignInFrequencyPeriod = "string",
},
});
// Reference listing of the inputs accepted by NewConditionalAccessPolicy.
// Every value is a placeholder ("string", false, 0) that shows the expected
// type only; this is not a deployable policy. The returned err is not
// checked in this fragment.
example, err := azuread.NewConditionalAccessPolicy(ctx, "conditionalAccessPolicyResource", &azuread.ConditionalAccessPolicyArgs{
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
ExcludedApplications: pulumi.StringArray{
pulumi.String("string"),
},
IncludedApplications: pulumi.StringArray{
pulumi.String("string"),
},
IncludedUserActions: pulumi.StringArray{
pulumi.String("string"),
},
},
ClientAppTypes: pulumi.StringArray{
pulumi.String("string"),
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
ExcludedGroups: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray{
&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{
GuestOrExternalUserTypes: pulumi.StringArray{
pulumi.String("string"),
},
ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray{
&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{
MembershipKind: pulumi.String("string"),
Members: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
ExcludedRoles: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedUsers: pulumi.StringArray{
pulumi.String("string"),
},
IncludedGroups: pulumi.StringArray{
pulumi.String("string"),
},
IncludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray{
&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{
GuestOrExternalUserTypes: pulumi.StringArray{
pulumi.String("string"),
},
ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray{
&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{
MembershipKind: pulumi.String("string"),
Members: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
IncludedRoles: pulumi.StringArray{
pulumi.String("string"),
},
IncludedUsers: pulumi.StringArray{
pulumi.String("string"),
},
},
AuthenticationFlowTransferMethods: pulumi.StringArray{
pulumi.String("string"),
},
ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
ExcludedServicePrincipals: pulumi.StringArray{
pulumi.String("string"),
},
Filter: &azuread.ConditionalAccessPolicyConditionsClientApplicationsFilterArgs{
Mode: pulumi.String("string"),
Rule: pulumi.String("string"),
},
IncludedServicePrincipals: pulumi.StringArray{
pulumi.String("string"),
},
},
Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
Mode: pulumi.String("string"),
Rule: pulumi.String("string"),
},
},
InsiderRiskLevels: pulumi.String("string"),
Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
IncludedLocations: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedLocations: pulumi.StringArray{
pulumi.String("string"),
},
},
Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
IncludedPlatforms: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedPlatforms: pulumi.StringArray{
pulumi.String("string"),
},
},
ServicePrincipalRiskLevels: pulumi.StringArray{
pulumi.String("string"),
},
SignInRiskLevels: pulumi.StringArray{
pulumi.String("string"),
},
UserRiskLevels: pulumi.StringArray{
pulumi.String("string"),
},
},
DisplayName: pulumi.String("string"),
// Placeholder; the usage examples on this page set "disabled".
State: pulumi.String("string"),
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("string"),
AuthenticationStrengthPolicyId: pulumi.String("string"),
BuiltInControls: pulumi.StringArray{
pulumi.String("string"),
},
CustomAuthenticationFactors: pulumi.StringArray{
pulumi.String("string"),
},
TermsOfUses: pulumi.StringArray{
pulumi.String("string"),
},
},
SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(false),
CloudAppSecurityPolicy: pulumi.String("string"),
DisableResilienceDefaults: pulumi.Bool(false),
PersistentBrowserMode: pulumi.String("string"),
SignInFrequency: pulumi.Int(0),
SignInFrequencyAuthenticationType: pulumi.String("string"),
SignInFrequencyInterval: pulumi.String("string"),
SignInFrequencyPeriod: pulumi.String("string"),
},
})
// Reference template: every "string", 0 and false below is a placeholder to replace,
// not a usable default.

// Users, groups, roles and guest types the policy includes or excludes.
// Anything on an excluded* list is not subject to the policy, so review those lists.
var userScope = ConditionalAccessPolicyConditionsUsersArgs.builder()
    .excludedGroups("string")
    .excludedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.builder()
        .guestOrExternalUserTypes("string")
        .externalTenants(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.builder()
            .membershipKind("string")
            .members("string")
            .build())
        .build())
    .excludedRoles("string")
    .excludedUsers("string")
    .includedGroups("string")
    .includedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.builder()
        .guestOrExternalUserTypes("string")
        .externalTenants(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.builder()
            .membershipKind("string")
            .members("string")
            .build())
        .build())
    .includedRoles("string")
    .includedUsers("string")
    .build();

// Conditions: the rules that must be met for the policy to apply.
var policyConditions = ConditionalAccessPolicyConditionsArgs.builder()
    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
        .excludedApplications("string")
        .includedApplications("string")
        .includedUserActions("string")
        .build())
    // Possible values: all, browser, mobileAppsAndDesktopClients,
    // exchangeActiveSync, easSupported, other.
    .clientAppTypes("string")
    .users(userScope)
    // Possible values: authenticationTransfer, deviceCodeFlow.
    .authenticationFlowTransferMethods("string")
    // Service principals in scope; per the licensing note on this page,
    // clientApplications needs Workload Identities Premium licences.
    .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
        .excludedServicePrincipals("string")
        .filter(ConditionalAccessPolicyConditionsClientApplicationsFilterArgs.builder()
            .mode("string")
            .rule("string")
            .build())
        .includedServicePrincipals("string")
        .build())
    // Removing the devices block from an existing policy forces a new resource.
    .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
        .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
            .mode("string")
            .rule("string")
            .build())
        .build())
    // Single value: minor, moderate, elevated or unknownFutureValue.
    .insiderRiskLevels("string")
    .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
        .includedLocations("string")
        .excludedLocations("string")
        .build())
    .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
        .includedPlatforms("string")
        .excludedPlatforms("string")
        .build())
    // Possible values: low, medium, high, none, unknownFutureValue.
    .servicePrincipalRiskLevels("string")
    // Possible values for both: low, medium, high, hidden, none, unknownFutureValue.
    .signInRiskLevels("string")
    .userRiskLevels("string")
    .build();

// Grant controls: what must be fulfilled to pass the policy.
var grantRequirements = ConditionalAccessPolicyGrantControlsArgs.builder()
    .operator("string")
    .authenticationStrengthPolicyId("string")
    .builtInControls("string")
    .customAuthenticationFactors("string")
    .termsOfUses("string")
    .build();

// Session controls: what is enforced after sign-in.
var sessionRestrictions = ConditionalAccessPolicySessionControlsArgs.builder()
    .applicationEnforcedRestrictionsEnabled(false)
    .cloudAppSecurityPolicy("string")
    .disableResilienceDefaults(false)
    .persistentBrowserMode("string")
    .signInFrequency(0)
    .signInFrequencyAuthenticationType("string")
    .signInFrequencyInterval("string")
    .signInFrequencyPeriod("string")
    .build();

// At least one of grantControls / sessionControls must be specified.
var conditionalAccessPolicyResource = new ConditionalAccessPolicy("conditionalAccessPolicyResource",
    ConditionalAccessPolicyArgs.builder()
        .conditions(policyConditions)
        .displayName("string")
        // Possible values: enabled, disabled, enabledForReportingButNotEnforced.
        .state("string")
        .grantControls(grantRequirements)
        .sessionControls(sessionRestrictions)
        .build());
# Reference template: every "string", 0 and False below is a placeholder to replace,
# not a usable default.

# Users, groups, roles and guest types the policy includes or excludes.
# Anything under an excluded_* key is not subject to the policy, so review those lists.
user_scope = {
    "excluded_groups": ["string"],
    "excluded_guests_or_external_users": [{
        "guest_or_external_user_types": ["string"],
        "external_tenants": [{
            "membership_kind": "string",
            "members": ["string"],
        }],
    }],
    "excluded_roles": ["string"],
    "excluded_users": ["string"],
    "included_groups": ["string"],
    "included_guests_or_external_users": [{
        "guest_or_external_user_types": ["string"],
        "external_tenants": [{
            "membership_kind": "string",
            "members": ["string"],
        }],
    }],
    "included_roles": ["string"],
    "included_users": ["string"],
}

# Conditions: the rules that must be met for the policy to apply.
policy_conditions = {
    "applications": {
        "excluded_applications": ["string"],
        "included_applications": ["string"],
        "included_user_actions": ["string"],
    },
    # Possible values: all, browser, mobileAppsAndDesktopClients,
    # exchangeActiveSync, easSupported, other.
    "client_app_types": ["string"],
    "users": user_scope,
    # Possible values: authenticationTransfer, deviceCodeFlow.
    "authentication_flow_transfer_methods": ["string"],
    # Service principals in scope; per the licensing note on this page,
    # clientApplications needs Workload Identities Premium licences.
    "client_applications": {
        "excluded_service_principals": ["string"],
        "filter": {
            "mode": "string",
            "rule": "string",
        },
        "included_service_principals": ["string"],
    },
    # Removing the devices block from an existing policy forces a new resource.
    "devices": {
        "filter": {
            "mode": "string",
            "rule": "string",
        },
    },
    # Single value: minor, moderate, elevated or unknownFutureValue.
    "insider_risk_levels": "string",
    "locations": {
        "included_locations": ["string"],
        "excluded_locations": ["string"],
    },
    "platforms": {
        "included_platforms": ["string"],
        "excluded_platforms": ["string"],
    },
    # Possible values: low, medium, high, none, unknownFutureValue.
    "service_principal_risk_levels": ["string"],
    # Possible values for both: low, medium, high, hidden, none, unknownFutureValue.
    "sign_in_risk_levels": ["string"],
    "user_risk_levels": ["string"],
}

# Grant controls: what must be fulfilled to pass the policy.
grant_requirements = {
    "operator": "string",
    "authentication_strength_policy_id": "string",
    "built_in_controls": ["string"],
    "custom_authentication_factors": ["string"],
    "terms_of_uses": ["string"],
}

# Session controls: what is enforced after sign-in.
session_restrictions = {
    "application_enforced_restrictions_enabled": False,
    "cloud_app_security_policy": "string",
    "disable_resilience_defaults": False,
    "persistent_browser_mode": "string",
    "sign_in_frequency": 0,
    "sign_in_frequency_authentication_type": "string",
    "sign_in_frequency_interval": "string",
    "sign_in_frequency_period": "string",
}

# At least one of grant_controls / session_controls must be specified.
conditional_access_policy_resource = azuread.ConditionalAccessPolicy(
    "conditionalAccessPolicyResource",
    conditions=policy_conditions,
    display_name="string",
    # Possible values: enabled, disabled, enabledForReportingButNotEnforced.
    state="string",
    grant_controls=grant_requirements,
    session_controls=session_restrictions,
)
// Reference template: every "string", 0 and false below is a placeholder to replace,
// not a usable default.

// Users, groups, roles and guest types the policy includes or excludes.
// Anything under an excluded* key is not subject to the policy, so review those lists.
const userScope = {
    excludedGroups: ["string"],
    excludedGuestsOrExternalUsers: [{
        guestOrExternalUserTypes: ["string"],
        externalTenants: [{
            membershipKind: "string",
            members: ["string"],
        }],
    }],
    excludedRoles: ["string"],
    excludedUsers: ["string"],
    includedGroups: ["string"],
    includedGuestsOrExternalUsers: [{
        guestOrExternalUserTypes: ["string"],
        externalTenants: [{
            membershipKind: "string",
            members: ["string"],
        }],
    }],
    includedRoles: ["string"],
    includedUsers: ["string"],
};

// Conditions: the rules that must be met for the policy to apply.
const policyConditions = {
    applications: {
        excludedApplications: ["string"],
        includedApplications: ["string"],
        includedUserActions: ["string"],
    },
    // Possible values: all, browser, mobileAppsAndDesktopClients,
    // exchangeActiveSync, easSupported, other.
    clientAppTypes: ["string"],
    users: userScope,
    // Possible values: authenticationTransfer, deviceCodeFlow.
    authenticationFlowTransferMethods: ["string"],
    // Service principals in scope; per the licensing note on this page,
    // clientApplications needs Workload Identities Premium licences.
    clientApplications: {
        excludedServicePrincipals: ["string"],
        filter: {
            mode: "string",
            rule: "string",
        },
        includedServicePrincipals: ["string"],
    },
    // Removing the devices block from an existing policy forces a new resource.
    devices: {
        filter: {
            mode: "string",
            rule: "string",
        },
    },
    // Single value: minor, moderate, elevated or unknownFutureValue.
    insiderRiskLevels: "string",
    locations: {
        includedLocations: ["string"],
        excludedLocations: ["string"],
    },
    platforms: {
        includedPlatforms: ["string"],
        excludedPlatforms: ["string"],
    },
    // Possible values: low, medium, high, none, unknownFutureValue.
    servicePrincipalRiskLevels: ["string"],
    // Possible values for both: low, medium, high, hidden, none, unknownFutureValue.
    signInRiskLevels: ["string"],
    userRiskLevels: ["string"],
};

// Grant controls: what must be fulfilled to pass the policy.
const grantRequirements = {
    operator: "string",
    authenticationStrengthPolicyId: "string",
    builtInControls: ["string"],
    customAuthenticationFactors: ["string"],
    termsOfUses: ["string"],
};

// Session controls: what is enforced after sign-in.
const sessionRestrictions = {
    applicationEnforcedRestrictionsEnabled: false,
    cloudAppSecurityPolicy: "string",
    disableResilienceDefaults: false,
    persistentBrowserMode: "string",
    signInFrequency: 0,
    signInFrequencyAuthenticationType: "string",
    signInFrequencyInterval: "string",
    signInFrequencyPeriod: "string",
};

// At least one of grantControls / sessionControls must be specified.
const conditionalAccessPolicyResource = new azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource", {
    conditions: policyConditions,
    displayName: "string",
    // Possible values: enabled, disabled, enabledForReportingButNotEnforced.
    state: "string",
    grantControls: grantRequirements,
    sessionControls: sessionRestrictions,
});
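# Reference template: every `string`, 0 and false value is a placeholder to replace.
# Nesting restored; it mirrors the constructor examples for the other languages on this page.
type: azuread:ConditionalAccessPolicy
properties:
    # Conditions: the rules that must be met for the policy to apply.
    conditions:
        applications:
            excludedApplications:
                - string
            includedApplications:
                - string
            includedUserActions:
                - string
        # Possible values: authenticationTransfer, deviceCodeFlow.
        authenticationFlowTransferMethods:
            - string
        # Possible values: all, browser, mobileAppsAndDesktopClients,
        # exchangeActiveSync, easSupported, other.
        clientAppTypes:
            - string
        # Service principals in scope; per the licensing note on this page,
        # clientApplications needs Workload Identities Premium licences.
        clientApplications:
            excludedServicePrincipals:
                - string
            filter:
                mode: string
                rule: string
            includedServicePrincipals:
                - string
        # Removing the devices block from an existing policy forces a new resource.
        devices:
            filter:
                mode: string
                rule: string
        # Single value: minor, moderate, elevated or unknownFutureValue.
        insiderRiskLevels: string
        locations:
            excludedLocations:
                - string
            includedLocations:
                - string
        platforms:
            excludedPlatforms:
                - string
            includedPlatforms:
                - string
        # Possible values: low, medium, high, none, unknownFutureValue.
        servicePrincipalRiskLevels:
            - string
        # Possible values for both: low, medium, high, hidden, none, unknownFutureValue.
        signInRiskLevels:
            - string
        userRiskLevels:
            - string
        # Anything under an excluded* key is not subject to the policy; review those lists.
        users:
            excludedGroups:
                - string
            excludedGuestsOrExternalUsers:
                - externalTenants:
                    - members:
                        - string
                      membershipKind: string
                  guestOrExternalUserTypes:
                    - string
            excludedRoles:
                - string
            excludedUsers:
                - string
            includedGroups:
                - string
            includedGuestsOrExternalUsers:
                - externalTenants:
                    - members:
                        - string
                      membershipKind: string
                  guestOrExternalUserTypes:
                    - string
            includedRoles:
                - string
            includedUsers:
                - string
    displayName: string
    # Grant controls: what must be fulfilled to pass the policy.
    # At least one of grantControls / sessionControls must be specified.
    grantControls:
        authenticationStrengthPolicyId: string
        builtInControls:
            - string
        customAuthenticationFactors:
            - string
        operator: string
        termsOfUses:
            - string
    # Session controls: what is enforced after sign-in.
    sessionControls:
        applicationEnforcedRestrictionsEnabled: false
        cloudAppSecurityPolicy: string
        disableResilienceDefaults: false
        persistentBrowserMode: string
        signInFrequency: 0
        signInFrequencyAuthenticationType: string
        signInFrequencyInterval: string
        signInFrequencyPeriod: string
    # Possible values: enabled, disabled, enabledForReportingButNotEnforced.
    state: string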
ConditionalAccessPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ConditionalAccessPolicy resource accepts the following input properties:
- Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions
- A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- DisplayName string
- The friendly name for this Conditional Access Policy.
- State string
- Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls
- A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls
- A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
- Conditions ConditionalAccessPolicyConditionsArgs
- A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- DisplayName string
- The friendly name for this Conditional Access Policy.
- State string
- Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- GrantControls ConditionalAccessPolicyGrantControlsArgs
- A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- SessionControls ConditionalAccessPolicySessionControlsArgs
- A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
- conditions ConditionalAccessPolicyConditions
- A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName String
- The friendly name for this Conditional Access Policy.
- state String
- Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grantControls ConditionalAccessPolicyGrantControls
- A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls ConditionalAccessPolicySessionControls
- A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
- conditions ConditionalAccessPolicyConditions
- A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName string
- The friendly name for this Conditional Access Policy.
- state string
- Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grantControls ConditionalAccessPolicyGrantControls
- A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls ConditionalAccessPolicySessionControls
- A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
- conditions ConditionalAccessPolicyConditionsArgs
- A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- display_name str
- The friendly name for this Conditional Access Policy.
- state str
- Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grant_controls ConditionalAccessPolicyGrantControlsArgs
- A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- session_controls ConditionalAccessPolicySessionControlsArgs
- A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
- conditions Property Map
- A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName String
- The friendly name for this Conditional Access Policy.
- state String
- Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grantControls Property Map
- A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls Property Map
- A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
Outputs
All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:
Look up Existing ConditionalAccessPolicy Resource
Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
        display_name: Optional[str] = None,
        grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
        object_id: Optional[str] = None,
        session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
        state: Optional[str] = None) -> ConditionalAccessPolicy

func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)

public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)

public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)

resources:
  _:
    type: azuread:ConditionalAccessPolicy
    get:
      id: ${id}

- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Conditions
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions - A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply. - Display
Name string - The friendly name for this Conditional Access Policy.
- Grant
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Grant Controls - A
grantControlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - Object
Id string - The object ID of the policy
- Session
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Session Controls A
sessionControlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grantControlsand/orsessionControlsblocks must be specified.- State string
- Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- Conditions
Conditional
Access Policy Conditions Args - A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply. - Display
Name string - The friendly name for this Conditional Access Policy.
- Grant
Controls ConditionalAccess Policy Grant Controls Args - A
grantControlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - Object
Id string - The object ID of the policy
- Session
Controls ConditionalAccess Policy Session Controls Args A
sessionControlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grantControlsand/orsessionControlsblocks must be specified.- State string
- Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions - A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply. - display
Name String - The friendly name for this Conditional Access Policy.
- grant
Controls ConditionalAccess Policy Grant Controls - A
grantControlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object
Id String - The object ID of the policy
- session
Controls ConditionalAccess Policy Session Controls A
sessionControlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grantControlsand/orsessionControlsblocks must be specified.- state String
- Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions - A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply. - display
Name string - The friendly name for this Conditional Access Policy.
- grant
Controls ConditionalAccess Policy Grant Controls - A
grantControlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object
Id string - The object ID of the policy
- session
Controls ConditionalAccess Policy Session Controls A
sessionControlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grantControlsand/orsessionControlsblocks must be specified.- state string
- Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions Args - A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply. - display_
name str - The friendly name for this Conditional Access Policy.
- grant_
controls ConditionalAccess Policy Grant Controls Args - A
grantControlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object_
id str - The object ID of the policy
- session_
controls ConditionalAccess Policy Session Controls Args A
sessionControlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grantControlsand/orsessionControlsblocks must be specified.- state str
- Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions Property Map
- A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply. - display
Name String - The friendly name for this Conditional Access Policy.
- grant
Controls Property Map - A
grantControlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object
Id String - The object ID of the policy
- session
Controls Property Map A
sessionControlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grantControlsand/orsessionControlsblocks must be specified.- state String
- Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
Supporting Types
ConditionalAccessPolicyConditions, ConditionalAccessPolicyConditionsArgs
- Applications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsApplications
- An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- ClientAppTypes List<string>
- A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- Users Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsers
- A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- AuthenticationFlowTransferMethods List<string>
- A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
- ClientApplications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplications
- A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
- Devices Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevices
- A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- InsiderRiskLevels string
- The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
- Locations Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsLocations
- A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- Platforms Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatforms
- A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- ServicePrincipalRiskLevels List<string>
- A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- SignInRiskLevels List<string>
- A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- UserRiskLevels List<string>
- A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- Applications ConditionalAccessPolicyConditionsApplications
- An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- ClientAppTypes []string
- A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- Users ConditionalAccessPolicyConditionsUsers
- A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- AuthenticationFlowTransferMethods []string
- A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
- ClientApplications ConditionalAccessPolicyConditionsClientApplications
- A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
- Devices ConditionalAccessPolicyConditionsDevices
- A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- InsiderRiskLevels string
- The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
- Locations ConditionalAccessPolicyConditionsLocations
- A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- Platforms ConditionalAccessPolicyConditionsPlatforms
- A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- ServicePrincipalRiskLevels []string
- A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- SignInRiskLevels []string
- A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- UserRiskLevels []string
- A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications ConditionalAccessPolicyConditionsApplications
- An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- clientAppTypes List<String>
- A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users ConditionalAccessPolicyConditionsUsers
- A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- authenticationFlowTransferMethods List<String>
- A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
- clientApplications ConditionalAccessPolicyConditionsClientApplications
- A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices ConditionalAccessPolicyConditionsDevices
- A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- insiderRiskLevels String
- The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
- locations ConditionalAccessPolicyConditionsLocations
- A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms ConditionalAccessPolicyConditionsPlatforms
- A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- servicePrincipalRiskLevels List<String>
- A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- signInRiskLevels List<String>
- A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- userRiskLevels List<String>
- A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications ConditionalAccessPolicyConditionsApplications
- An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- clientAppTypes string[]
- A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users ConditionalAccessPolicyConditionsUsers
- A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- authenticationFlowTransferMethods string[]
- A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
- clientApplications ConditionalAccessPolicyConditionsClientApplications
- A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices ConditionalAccessPolicyConditionsDevices
- A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- insiderRiskLevels string
- The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
- locations ConditionalAccessPolicyConditionsLocations
- A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms ConditionalAccessPolicyConditionsPlatforms
- A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- servicePrincipalRiskLevels string[]
- A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- signInRiskLevels string[]
- A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- userRiskLevels string[]
- A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications ConditionalAccessPolicyConditionsApplications
- An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- client_app_types Sequence[str]
- A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users ConditionalAccessPolicyConditionsUsers
- A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- authentication_flow_transfer_methods Sequence[str]
- A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
- client_applications ConditionalAccessPolicyConditionsClientApplications
- A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices ConditionalAccessPolicyConditionsDevices
- A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- insider_risk_levels str
- The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
- locations ConditionalAccessPolicyConditionsLocations
- A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms ConditionalAccessPolicyConditionsPlatforms
- A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- service_principal_risk_levels Sequence[str]
- A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- sign_in_risk_levels Sequence[str]
- A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- user_risk_levels Sequence[str]
- A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications Property Map - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- clientAppTypes List<String> - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users Property Map - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- authenticationFlowTransferMethods List<String> - A list of authentication flow transfer methods included in the policy. Possible values are: `authenticationTransfer` and `deviceCodeFlow`.
- clientApplications Property Map - A `clientApplications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices Property Map - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- insiderRiskLevels String - The insider risk level in the policy. Possible values are: `minor`, `moderate`, `elevated`, `unknownFutureValue`.
- locations Property Map - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms Property Map - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- servicePrincipalRiskLevels List<String> - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- signInRiskLevels List<String> - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- userRiskLevels List<String> - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
ConditionalAccessPolicyConditionsApplications, ConditionalAccessPolicyConditionsApplicationsArgs
- ExcludedApplications List<string> - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- IncludedApplications List<string> - A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
- IncludedUserActions List<string> - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
- ExcludedApplications []string - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- IncludedApplications []string - A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
- IncludedUserActions []string - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
- excludedApplications List<String> - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- includedApplications List<String> - A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
- includedUserActions List<String> - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
- excludedApplications string[] - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- includedApplications string[] - A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
- includedUserActions string[] - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
- excluded_applications Sequence[str] - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- included_applications Sequence[str] - A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
- included_user_actions Sequence[str] - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
- excludedApplications List<String> - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- includedApplications List<String> - A list of application IDs the policy applies to, unless explicitly excluded (in `excludedApplications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `includedUserActions`. One of `includedApplications` or `includedUserActions` must be specified.
- includedUserActions List<String> - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `includedApplications`. One of `includedApplications` or `includedUserActions` must be specified.
ConditionalAccessPolicyConditionsClientApplications, ConditionalAccessPolicyConditionsClientApplicationsArgs
- ExcludedServicePrincipals List<string> - A list of service principal IDs explicitly excluded in the policy.
- Filter Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsFilter - A `filter` block as documented below.
  Note: Specifying `filter` requires the `Attribute Definition Reader` role; this role is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
- IncludedServicePrincipals List<string> - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
- ExcludedServicePrincipals []string - A list of service principal IDs explicitly excluded in the policy.
- Filter ConditionalAccessPolicyConditionsClientApplicationsFilter - A `filter` block as documented below.
  Note: Specifying `filter` requires the `Attribute Definition Reader` role; this role is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
- IncludedServicePrincipals []string - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
- excludedServicePrincipals List<String> - A list of service principal IDs explicitly excluded in the policy.
- filter ConditionalAccessPolicyConditionsClientApplicationsFilter - A `filter` block as documented below.
  Note: Specifying `filter` requires the `Attribute Definition Reader` role; this role is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
- includedServicePrincipals List<String> - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
- excludedServicePrincipals string[] - A list of service principal IDs explicitly excluded in the policy.
- filter ConditionalAccessPolicyConditionsClientApplicationsFilter - A `filter` block as documented below.
  Note: Specifying `filter` requires the `Attribute Definition Reader` role; this role is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
- includedServicePrincipals string[] - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
- excluded_service_principals Sequence[str] - A list of service principal IDs explicitly excluded in the policy.
- filter ConditionalAccessPolicyConditionsClientApplicationsFilter - A `filter` block as documented below.
  Note: Specifying `filter` requires the `Attribute Definition Reader` role; this role is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
- included_service_principals Sequence[str] - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
- excludedServicePrincipals List<String> - A list of service principal IDs explicitly excluded in the policy.
- filter Property Map - A `filter` block as documented below.
  Note: Specifying `filter` requires the `Attribute Definition Reader` role; this role is not included in the `Global Administrator` or other administrator roles and must be separately assigned.
- includedServicePrincipals List<String> - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excludedServicePrincipals` is set.
ConditionalAccessPolicyConditionsClientApplicationsFilter, ConditionalAccessPolicyConditionsClientApplicationsFilterArgs
ConditionalAccessPolicyConditionsDevices, ConditionalAccessPolicyConditionsDevicesArgs
- Filter Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilter - A `filter` block as documented below.
  Note: For more information on device filters, see the official documentation.
- Filter ConditionalAccessPolicyConditionsDevicesFilter - A `filter` block as documented below.
  Note: For more information on device filters, see the official documentation.
- filter ConditionalAccessPolicyConditionsDevicesFilter - A `filter` block as documented below.
  Note: For more information on device filters, see the official documentation.
- filter ConditionalAccessPolicyConditionsDevicesFilter - A `filter` block as documented below.
  Note: For more information on device filters, see the official documentation.
- filter ConditionalAccessPolicyConditionsDevicesFilter - A `filter` block as documented below.
  Note: For more information on device filters, see the official documentation.
- filter Property Map - A `filter` block as documented below.
  Note: For more information on device filters, see the official documentation.
ConditionalAccessPolicyConditionsDevicesFilter, ConditionalAccessPolicyConditionsDevicesFilterArgs
ConditionalAccessPolicyConditionsLocations, ConditionalAccessPolicyConditionsLocationsArgs
- IncludedLocations List<string> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- ExcludedLocations List<string> - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
- IncludedLocations []string - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- ExcludedLocations []string - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
- includedLocations List<String> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- excludedLocations List<String> - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
- includedLocations string[] - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- excludedLocations string[] - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
- included_locations Sequence[str] - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- excluded_locations Sequence[str] - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
- includedLocations List<String> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- excludedLocations List<String> - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
ConditionalAccessPolicyConditionsPlatforms, ConditionalAccessPolicyConditionsPlatformsArgs
- IncludedPlatforms List<string> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- ExcludedPlatforms List<string> - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- IncludedPlatforms []string - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- ExcludedPlatforms []string - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- includedPlatforms List<String> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- excludedPlatforms List<String> - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- includedPlatforms string[] - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- excludedPlatforms string[] - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- included_platforms Sequence[str] - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- excluded_platforms Sequence[str] - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- includedPlatforms List<String> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- excludedPlatforms List<String> - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
ConditionalAccessPolicyConditionsUsers, ConditionalAccessPolicyConditionsUsersArgs
- ExcludedGroups List<string> - A list of group IDs excluded from scope of policy.
- ExcludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- ExcludedRoles List<string> - A list of role IDs excluded from scope of policy.
- ExcludedUsers List<string> - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- IncludedGroups List<string> - A list of group IDs in scope of policy unless explicitly excluded.
- IncludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
- IncludedRoles List<string> - A list of role IDs in scope of policy unless explicitly excluded.
- IncludedUsers List<string> - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
  At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
- ExcludedGroups []string - A list of group IDs excluded from scope of policy.
- ExcludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- ExcludedRoles []string - A list of role IDs excluded from scope of policy.
- ExcludedUsers []string - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- IncludedGroups []string - A list of group IDs in scope of policy unless explicitly excluded.
- IncludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
- IncludedRoles []string - A list of role IDs in scope of policy unless explicitly excluded.
- IncludedUsers []string - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
  At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
- excludedGroups List<String> - A list of group IDs excluded from scope of policy.
- excludedGuestsOrExternalUsers List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- excludedRoles List<String> - A list of role IDs excluded from scope of policy.
- excludedUsers List<String> - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- includedGroups List<String> - A list of group IDs in scope of policy unless explicitly excluded.
- includedGuestsOrExternalUsers List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
- includedRoles List<String> - A list of role IDs in scope of policy unless explicitly excluded.
- includedUsers List<String> - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
  At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
- excludedGroups string[] - A list of group IDs excluded from scope of policy.
- excludedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser[] - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- excludedRoles string[] - A list of role IDs excluded from scope of policy.
- excludedUsers string[] - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- includedGroups string[] - A list of group IDs in scope of policy unless explicitly excluded.
- includedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser[] - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
- includedRoles string[] - A list of role IDs in scope of policy unless explicitly excluded.
- includedUsers string[] - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
  At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
- excluded_groups Sequence[str] - A list of group IDs excluded from scope of policy.
- excluded_guests_or_external_users Sequence[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser] - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- excluded_roles Sequence[str] - A list of role IDs excluded from scope of policy.
- excluded_users Sequence[str] - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- included_groups Sequence[str] - A list of group IDs in scope of policy unless explicitly excluded.
- included_guests_or_external_users Sequence[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser] - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
- included_roles Sequence[str] - A list of role IDs in scope of policy unless explicitly excluded.
- included_users Sequence[str] - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
  At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
- excludedGroups List<String> - A list of group IDs excluded from scope of policy.
- excludedGuestsOrExternalUsers List<Property Map> - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- excludedRoles List<String> - A list of role IDs excluded from scope of policy.
- excludedUsers List<String> - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- includedGroups List<String> - A list of group IDs in scope of policy unless explicitly excluded.
- includedGuestsOrExternalUsers List<Property Map> - A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
- includedRoles List<String> - A list of role IDs in scope of policy unless explicitly excluded.
- includedUsers List<String> - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
  At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
- GuestOrExternalUserTypes List<string> - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- ExternalTenants List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- GuestOrExternalUserTypes []string - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- ExternalTenants []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guestOrExternalUserTypes List<String> - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- externalTenants List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guestOrExternalUserTypes string[] - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- externalTenants ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant[] - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guest_or_external_user_types Sequence[str] - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- external_tenants Sequence[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant] - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guestOrExternalUserTypes List<String> - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- externalTenants List<Property Map> - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members List<string> - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members []string - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members string[] - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membership_kind str - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members Sequence[str] - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
- GuestOrExternalUserTypes List<string> - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- ExternalTenants List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- GuestOrExternalUserTypes []string - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- ExternalTenants []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guestOrExternalUserTypes List<String> - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- externalTenants List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guestOrExternalUserTypes string[] - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- externalTenants ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant[] - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guest_or_external_user_types Sequence[str] - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- external_tenants Sequence[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant] - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
- guestOrExternalUserTypes List<String> - A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
- externalTenants List<Property Map> - An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members List<string> - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members []string - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members string[] - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membership_kind str - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members Sequence[str] - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
ConditionalAccessPolicyGrantControls, ConditionalAccessPolicyGrantControlsArgs
- Operator string - Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
- AuthenticationStrengthPolicyId string - ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
- BuiltInControls List<string> - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- CustomAuthenticationFactors List<string> - List of custom control IDs required by the policy.
- TermsOfUses List<string> - List of terms of use IDs required by the policy.
  At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
- `Operator` (string) - Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
- `AuthenticationStrengthPolicyId` (string) - ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
- `BuiltInControls` ([]string) - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- `CustomAuthenticationFactors` ([]string) - List of custom control IDs required by the policy.
- `TermsOfUses` ([]string) - List of terms of use IDs required by the policy.
At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
- `operator` (String) - Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
- `authenticationStrengthPolicyId` (String) - ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
- `builtInControls` (List<String>) - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- `customAuthenticationFactors` (List<String>) - List of custom control IDs required by the policy.
- `termsOfUses` (List<String>) - List of terms of use IDs required by the policy.
At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
- `operator` (string) - Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
- `authenticationStrengthPolicyId` (string) - ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
- `builtInControls` (string[]) - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- `customAuthenticationFactors` (string[]) - List of custom control IDs required by the policy.
- `termsOfUses` (string[]) - List of terms of use IDs required by the policy.
At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
- `operator` (str) - Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
- `authentication_strength_policy_id` (str) - ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
- `built_in_controls` (Sequence[str]) - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- `custom_authentication_factors` (Sequence[str]) - List of custom control IDs required by the policy.
- `terms_of_uses` (Sequence[str]) - List of terms of use IDs required by the policy.
At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
- `operator` (String) - Defines the relationship of the grant controls. Possible values are: `AND`, `OR`.
- `authenticationStrengthPolicyId` (String) - ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: `/policies/authenticationStrengthPolicies/`.
- `builtInControls` (List<String>) - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- `customAuthenticationFactors` (List<String>) - List of custom control IDs required by the policy.
- `termsOfUses` (List<String>) - List of terms of use IDs required by the policy.
At least one of `authenticationStrengthPolicyId`, `builtInControls` or `termsOfUse` must be specified.
ConditionalAccessPolicySessionControls, ConditionalAccessPolicySessionControlsArgs
- `ApplicationEnforcedRestrictionsEnabled` (bool) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- `CloudAppSecurityPolicy` (string) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `DisableResilienceDefaults` (bool) - Disables resilience defaults. Defaults to `false`.
- `PersistentBrowserMode` (string) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `SignInFrequency` (int) - Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
- `SignInFrequencyAuthenticationType` (string) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `SignInFrequencyInterval` (string) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `SignInFrequencyPeriod` (string) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
- `ApplicationEnforcedRestrictionsEnabled` (bool) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- `CloudAppSecurityPolicy` (string) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `DisableResilienceDefaults` (bool) - Disables resilience defaults. Defaults to `false`.
- `PersistentBrowserMode` (string) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `SignInFrequency` (int) - Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
- `SignInFrequencyAuthenticationType` (string) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `SignInFrequencyInterval` (string) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `SignInFrequencyPeriod` (string) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
- `applicationEnforcedRestrictionsEnabled` (Boolean) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- `cloudAppSecurityPolicy` (String) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disableResilienceDefaults` (Boolean) - Disables resilience defaults. Defaults to `false`.
- `persistentBrowserMode` (String) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `signInFrequency` (Integer) - Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
- `signInFrequencyAuthenticationType` (String) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `signInFrequencyInterval` (String) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `signInFrequencyPeriod` (String) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
- `applicationEnforcedRestrictionsEnabled` (boolean) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- `cloudAppSecurityPolicy` (string) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disableResilienceDefaults` (boolean) - Disables resilience defaults. Defaults to `false`.
- `persistentBrowserMode` (string) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `signInFrequency` (number) - Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
- `signInFrequencyAuthenticationType` (string) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `signInFrequencyInterval` (string) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `signInFrequencyPeriod` (string) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
- `application_enforced_restrictions_enabled` (bool) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- `cloud_app_security_policy` (str) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disable_resilience_defaults` (bool) - Disables resilience defaults. Defaults to `false`.
- `persistent_browser_mode` (str) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `sign_in_frequency` (int) - Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
- `sign_in_frequency_authentication_type` (str) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `sign_in_frequency_interval` (str) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `sign_in_frequency_period` (str) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
- `applicationEnforcedRestrictionsEnabled` (Boolean) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- `cloudAppSecurityPolicy` (String) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disableResilienceDefaults` (Boolean) - Disables resilience defaults. Defaults to `false`.
- `persistentBrowserMode` (String) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `signInFrequency` (Number) - Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
- `signInFrequencyAuthenticationType` (String) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `signInFrequencyInterval` (String) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `signInFrequencyPeriod` (String) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequency` is specified.
Import
Conditional Access Policies can be imported using the id, e.g.
$ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `azuread` Terraform Provider.
