Docs
Packagesazuread.ConditionalAccessPolicy
Explore with Pulumi AI
Manages a Conditional Access Policy within Azure Active Directory.
Licensing Requirements Specifying
client_applicationsproperty requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access).
API Permissions
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires the following application roles: Policy.ReadWrite.ConditionalAccess and Policy.Read.All
When authenticated with a user principal, this resource requires one of the following directory roles: Conditional Access Administrator or Global Administrator
Example Usage
All users except guests or external users
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = new AzureAD.ConditionalAccessPolicy("example", new()
{
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
ExcludedApplications = new[] {},
IncludedApplications = new[]
{
"All",
},
},
ClientAppTypes = new[]
{
"all",
},
Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
{
Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
{
Mode = "exclude",
Rule = "device.operatingSystem eq \"Doors\"",
},
},
Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
{
ExcludedLocations = new[]
{
"AllTrusted",
},
IncludedLocations = new[]
{
"All",
},
},
Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
{
ExcludedPlatforms = new[]
{
"iOS",
},
IncludedPlatforms = new[]
{
"android",
},
},
SignInRiskLevels = new[]
{
"medium",
},
UserRiskLevels = new[]
{
"medium",
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
ExcludedUsers = new[]
{
"GuestsOrExternalUsers",
},
IncludedUsers = new[]
{
"All",
},
},
},
DisplayName = "example policy",
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
BuiltInControls = new[]
{
"mfa",
},
Operator = "OR",
},
SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
{
ApplicationEnforcedRestrictionsEnabled = true,
CloudAppSecurityPolicy = "monitorOnly",
DisableResilienceDefaults = false,
SignInFrequency = 10,
SignInFrequencyPeriod = "hours",
},
State = "disabled",
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
ExcludedApplications: pulumi.StringArray{},
IncludedApplications: pulumi.StringArray{
pulumi.String("All"),
},
},
ClientAppTypes: pulumi.StringArray{
pulumi.String("all"),
},
Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
Mode: pulumi.String("exclude"),
Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
},
},
Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
ExcludedLocations: pulumi.StringArray{
pulumi.String("AllTrusted"),
},
IncludedLocations: pulumi.StringArray{
pulumi.String("All"),
},
},
Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
ExcludedPlatforms: pulumi.StringArray{
pulumi.String("iOS"),
},
IncludedPlatforms: pulumi.StringArray{
pulumi.String("android"),
},
},
SignInRiskLevels: pulumi.StringArray{
pulumi.String("medium"),
},
UserRiskLevels: pulumi.StringArray{
pulumi.String("medium"),
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
ExcludedUsers: pulumi.StringArray{
pulumi.String("GuestsOrExternalUsers"),
},
IncludedUsers: pulumi.StringArray{
pulumi.String("All"),
},
},
},
DisplayName: pulumi.String("example policy"),
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
BuiltInControls: pulumi.StringArray{
pulumi.String("mfa"),
},
Operator: pulumi.String("OR"),
},
SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
CloudAppSecurityPolicy: pulumi.String("monitorOnly"),
DisableResilienceDefaults: pulumi.Bool(false),
SignInFrequency: pulumi.Int(10),
SignInFrequencyPeriod: pulumi.String("hours"),
},
State: pulumi.String("disabled"),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.excludedApplications()
.includedApplications("All")
.build())
.clientAppTypes("all")
.devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
.filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
.mode("exclude")
.rule("device.operatingSystem eq \"Doors\"")
.build())
.build())
.locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
.excludedLocations("AllTrusted")
.includedLocations("All")
.build())
.platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
.excludedPlatforms("iOS")
.includedPlatforms("android")
.build())
.signInRiskLevels("medium")
.userRiskLevels("medium")
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.excludedUsers("GuestsOrExternalUsers")
.includedUsers("All")
.build())
.build())
.displayName("example policy")
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.builtInControls("mfa")
.operator("OR")
.build())
.sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
.applicationEnforcedRestrictionsEnabled(true)
.cloudAppSecurityPolicy("monitorOnly")
.disableResilienceDefaults(false)
.signInFrequency(10)
.signInFrequencyPeriod("hours")
.build())
.state("disabled")
.build());
}
}
import pulumi
import pulumi_azuread as azuread
example = azuread.ConditionalAccessPolicy("example",
conditions=azuread.ConditionalAccessPolicyConditionsArgs(
applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
excluded_applications=[],
included_applications=["All"],
),
client_app_types=["all"],
devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(
filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(
mode="exclude",
rule="device.operatingSystem eq \"Doors\"",
),
),
locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(
excluded_locations=["AllTrusted"],
included_locations=["All"],
),
platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(
excluded_platforms=["iOS"],
included_platforms=["android"],
),
sign_in_risk_levels=["medium"],
user_risk_levels=["medium"],
users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
excluded_users=["GuestsOrExternalUsers"],
included_users=["All"],
),
),
display_name="example policy",
grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
built_in_controls=["mfa"],
operator="OR",
),
session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(
application_enforced_restrictions_enabled=True,
cloud_app_security_policy="monitorOnly",
disable_resilience_defaults=False,
sign_in_frequency=10,
sign_in_frequency_period="hours",
),
state="disabled")
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const example = new azuread.ConditionalAccessPolicy("example", {
conditions: {
applications: {
excludedApplications: [],
includedApplications: ["All"],
},
clientAppTypes: ["all"],
devices: {
filter: {
mode: "exclude",
rule: "device.operatingSystem eq \"Doors\"",
},
},
locations: {
excludedLocations: ["AllTrusted"],
includedLocations: ["All"],
},
platforms: {
excludedPlatforms: ["iOS"],
includedPlatforms: ["android"],
},
signInRiskLevels: ["medium"],
userRiskLevels: ["medium"],
users: {
excludedUsers: ["GuestsOrExternalUsers"],
includedUsers: ["All"],
},
},
displayName: "example policy",
grantControls: {
builtInControls: ["mfa"],
operator: "OR",
},
sessionControls: {
applicationEnforcedRestrictionsEnabled: true,
cloudAppSecurityPolicy: "monitorOnly",
disableResilienceDefaults: false,
signInFrequency: 10,
signInFrequencyPeriod: "hours",
},
state: "disabled",
});
resources:
example:
type: azuread:ConditionalAccessPolicy
properties:
conditions:
applications:
excludedApplications: []
includedApplications:
- All
clientAppTypes:
- all
devices:
filter:
mode: exclude
rule: device.operatingSystem eq "Doors"
locations:
excludedLocations:
- AllTrusted
includedLocations:
- All
platforms:
excludedPlatforms:
- iOS
includedPlatforms:
- android
signInRiskLevels:
- medium
userRiskLevels:
- medium
users:
excludedUsers:
- GuestsOrExternalUsers
includedUsers:
- All
displayName: example policy
grantControls:
builtInControls:
- mfa
operator: OR
sessionControls:
applicationEnforcedRestrictionsEnabled: true
cloudAppSecurityPolicy: monitorOnly
disableResilienceDefaults: false
signInFrequency: 10
signInFrequencyPeriod: hours
state: disabled
Included client applications / service principals
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var example = new AzureAD.ConditionalAccessPolicy("example", new()
{
DisplayName = "example policy",
State = "disabled",
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
ClientAppTypes = new[]
{
"all",
},
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
IncludedApplications = new[]
{
"All",
},
},
ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
{
IncludedServicePrincipals = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
ExcludedServicePrincipals = new[] {},
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
IncludedUsers = new[]
{
"None",
},
},
},
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "OR",
BuiltInControls = new[]
{
"block",
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
DisplayName: pulumi.String("example policy"),
State: pulumi.String("disabled"),
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
ClientAppTypes: pulumi.StringArray{
pulumi.String("all"),
},
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
IncludedApplications: pulumi.StringArray{
pulumi.String("All"),
},
},
ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
IncludedServicePrincipals: pulumi.StringArray{
*pulumi.String(current.ObjectId),
},
ExcludedServicePrincipals: pulumi.StringArray{},
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
IncludedUsers: pulumi.StringArray{
pulumi.String("None"),
},
},
},
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("OR"),
BuiltInControls: pulumi.StringArray{
pulumi.String("block"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
.displayName("example policy")
.state("disabled")
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.clientAppTypes("all")
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.includedApplications("All")
.build())
.clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
.includedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.excludedServicePrincipals()
.build())
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.includedUsers("None")
.build())
.build())
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.operator("OR")
.builtInControls("block")
.build())
.build());
}
}
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example = azuread.ConditionalAccessPolicy("example",
display_name="example policy",
state="disabled",
conditions=azuread.ConditionalAccessPolicyConditionsArgs(
client_app_types=["all"],
applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
included_applications=["All"],
),
client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
included_service_principals=[current.object_id],
excluded_service_principals=[],
),
users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
included_users=["None"],
),
),
grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
operator="OR",
built_in_controls=["block"],
))
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const example = new azuread.ConditionalAccessPolicy("example", {
displayName: "example policy",
state: "disabled",
conditions: {
clientAppTypes: ["all"],
applications: {
includedApplications: ["All"],
},
clientApplications: {
includedServicePrincipals: [current.then(current => current.objectId)],
excludedServicePrincipals: [],
},
users: {
includedUsers: ["None"],
},
},
grantControls: {
operator: "OR",
builtInControls: ["block"],
},
});
resources:
example:
type: azuread:ConditionalAccessPolicy
properties:
displayName: example policy
state: disabled
conditions:
clientAppTypes:
- all
applications:
includedApplications:
- All
clientApplications:
includedServicePrincipals:
- ${current.objectId}
excludedServicePrincipals: []
users:
includedUsers:
- None
grantControls:
operator: OR
builtInControls:
- block
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Excluded client applications / service principals
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var example = new AzureAD.ConditionalAccessPolicy("example", new()
{
DisplayName = "example policy",
State = "disabled",
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
ClientAppTypes = new[]
{
"all",
},
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
IncludedApplications = new[]
{
"All",
},
},
ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
{
IncludedServicePrincipals = new[]
{
"ServicePrincipalsInMyTenant",
},
ExcludedServicePrincipals = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
IncludedUsers = new[]
{
"None",
},
},
},
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "OR",
BuiltInControls = new[]
{
"block",
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
DisplayName: pulumi.String("example policy"),
State: pulumi.String("disabled"),
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
ClientAppTypes: pulumi.StringArray{
pulumi.String("all"),
},
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
IncludedApplications: pulumi.StringArray{
pulumi.String("All"),
},
},
ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
IncludedServicePrincipals: pulumi.StringArray{
pulumi.String("ServicePrincipalsInMyTenant"),
},
ExcludedServicePrincipals: pulumi.StringArray{
*pulumi.String(current.ObjectId),
},
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
IncludedUsers: pulumi.StringArray{
pulumi.String("None"),
},
},
},
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("OR"),
BuiltInControls: pulumi.StringArray{
pulumi.String("block"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
.displayName("example policy")
.state("disabled")
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.clientAppTypes("all")
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.includedApplications("All")
.build())
.clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
.includedServicePrincipals("ServicePrincipalsInMyTenant")
.excludedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build())
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.includedUsers("None")
.build())
.build())
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.operator("OR")
.builtInControls("block")
.build())
.build());
}
}
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example = azuread.ConditionalAccessPolicy("example",
display_name="example policy",
state="disabled",
conditions=azuread.ConditionalAccessPolicyConditionsArgs(
client_app_types=["all"],
applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
included_applications=["All"],
),
client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
included_service_principals=["ServicePrincipalsInMyTenant"],
excluded_service_principals=[current.object_id],
),
users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
included_users=["None"],
),
),
grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
operator="OR",
built_in_controls=["block"],
))
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const example = new azuread.ConditionalAccessPolicy("example", {
displayName: "example policy",
state: "disabled",
conditions: {
clientAppTypes: ["all"],
applications: {
includedApplications: ["All"],
},
clientApplications: {
includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
excludedServicePrincipals: [current.then(current => current.objectId)],
},
users: {
includedUsers: ["None"],
},
},
grantControls: {
operator: "OR",
builtInControls: ["block"],
},
});
resources:
example:
type: azuread:ConditionalAccessPolicy
properties:
displayName: example policy
state: disabled
conditions:
clientAppTypes:
- all
applications:
includedApplications:
- All
clientApplications:
includedServicePrincipals:
- ServicePrincipalsInMyTenant
excludedServicePrincipals:
- ${current.objectId}
users:
includedUsers:
- None
grantControls:
operator: OR
builtInControls:
- block
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Create ConditionalAccessPolicy Resource
new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);@overload
def ConditionalAccessPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
state: Optional[str] = None)
@overload
def ConditionalAccessPolicy(resource_name: str,
args: ConditionalAccessPolicyArgs,
opts: Optional[ResourceOptions] = None)func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
type: azuread:ConditionalAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
ConditionalAccessPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ConditionalAccessPolicy resource accepts the following input properties:
- Conditions
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- Display
Name string The friendly name for this Conditional Access Policy.
- State string
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced- Grant
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Grant Controls A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- Session
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Session Controls A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.
- Conditions
Conditional
Access Policy Conditions Args A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- Display
Name string The friendly name for this Conditional Access Policy.
- State string
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced- Grant
Controls ConditionalAccess Policy Grant Controls Args A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- Session
Controls ConditionalAccess Policy Session Controls Args A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.
- conditions
Conditional
Access Policy Conditions A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display
Name String The friendly name for this Conditional Access Policy.
- state String
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced- grant
Controls ConditionalAccess Policy Grant Controls A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session
Controls ConditionalAccess Policy Session Controls A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.
- conditions
Conditional
Access Policy Conditions A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display
Name string The friendly name for this Conditional Access Policy.
- state string
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced- grant
Controls ConditionalAccess Policy Grant Controls A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session
Controls ConditionalAccess Policy Session Controls A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.
- conditions
Conditional
Access Policy Conditions Args A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display_
name str The friendly name for this Conditional Access Policy.
- state str
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced- grant_
controls ConditionalAccess Policy Grant Controls Args A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session_
controls ConditionalAccess Policy Session Controls Args A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.
- conditions Property Map
A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display
Name String The friendly name for this Conditional Access Policy.
- state String
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced- grant
Controls Property Map A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session
Controls Property Map A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.
Outputs
All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing ConditionalAccessPolicy Resource
Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
state: Optional[str] = None) -> ConditionalAccessPolicyfunc GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)Resource lookup is not supported in YAML- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Conditions
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- Display
Name string The friendly name for this Conditional Access Policy.
- Grant
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Grant Controls A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- Session
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Session Controls A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.- State string
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- Conditions
Conditional
Access Policy Conditions Args A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- Display
Name string The friendly name for this Conditional Access Policy.
- Grant
Controls ConditionalAccess Policy Grant Controls Args A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- Session
Controls ConditionalAccess Policy Session Controls Args A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.- State string
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display
Name String The friendly name for this Conditional Access Policy.
- grant
Controls ConditionalAccess Policy Grant Controls A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session
Controls ConditionalAccess Policy Session Controls A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.- state String
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display
Name string The friendly name for this Conditional Access Policy.
- grant
Controls ConditionalAccess Policy Grant Controls A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session
Controls ConditionalAccess Policy Session Controls A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.- state string
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions Args A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display_
name str The friendly name for this Conditional Access Policy.
- grant_
controls ConditionalAccess Policy Grant Controls Args A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session_
controls ConditionalAccess Policy Session Controls Args A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.- state str
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
- conditions Property Map
A
conditionsblock as documented below, which specifies the rules that must be met for the policy to apply.- display
Name String The friendly name for this Conditional Access Policy.
- grant
Controls Property Map A
grant_controlsblock as documented below, which specifies the grant controls that must be fulfilled to pass the policy.- session
Controls Property Map A
session_controlsblock as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controlsand/orsession_controlsblocks must be specified.- state String
Specifies the state of the policy object. Possible values are:
enabled,disabledandenabledForReportingButNotEnforced
Supporting Types
ConditionalAccessPolicyConditions, ConditionalAccessPolicyConditionsArgs
- Applications
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Applications An
applicationsblock as documented below, which specifies applications and user actions included in and excluded from the policy.- Client
App List<string>Types A list of client application types included in the policy. Possible values are:
all,browser,mobileAppsAndDesktopClients,exchangeActiveSync,easSupportedandother.- Users
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Users A
usersblock as documented below, which specifies users, groups, and roles included in and excluded from the policy.- Client
Applications Pulumi.Azure AD. Inputs. Conditional Access Policy Conditions Client Applications An
client_applicationsblock as documented below, which specifies service principals included in and excluded from the policy.- Devices
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Devices A
devicesblock as documented below, which describes devices to be included in and excluded from the policy. Adevicesblock can be added to an existing policy, but removing thedevicesblock forces a new resource to be created.- Locations
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Locations A
locationsblock as documented below, which specifies locations included in and excluded from the policy.- Platforms
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Platforms A
platformsblock as documented below, which specifies platforms included in and excluded from the policy.- Service
Principal List<string>Risk Levels A list of service principal sign-in risk levels included in the policy. Possible values are:
low,medium,high,none,unknownFutureValue.- Sign
In List<string>Risk Levels A list of user sign-in risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.- User
Risk List<string>Levels A list of user risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.
- Applications
Conditional
Access Policy Conditions Applications An
applicationsblock as documented below, which specifies applications and user actions included in and excluded from the policy.- Client
App []stringTypes A list of client application types included in the policy. Possible values are:
all,browser,mobileAppsAndDesktopClients,exchangeActiveSync,easSupportedandother.- Users
Conditional
Access Policy Conditions Users A
usersblock as documented below, which specifies users, groups, and roles included in and excluded from the policy.- Client
Applications ConditionalAccess Policy Conditions Client Applications An
client_applicationsblock as documented below, which specifies service principals included in and excluded from the policy.- Devices
Conditional
Access Policy Conditions Devices A
devicesblock as documented below, which describes devices to be included in and excluded from the policy. Adevicesblock can be added to an existing policy, but removing thedevicesblock forces a new resource to be created.- Locations
Conditional
Access Policy Conditions Locations A
locationsblock as documented below, which specifies locations included in and excluded from the policy.- Platforms
Conditional
Access Policy Conditions Platforms A
platformsblock as documented below, which specifies platforms included in and excluded from the policy.- Service
Principal []stringRisk Levels A list of service principal sign-in risk levels included in the policy. Possible values are:
low,medium,high,none,unknownFutureValue.- Sign
In []stringRisk Levels A list of user sign-in risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.- User
Risk []stringLevels A list of user risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.
- applications
Conditional
Access Policy Conditions Applications An
applicationsblock as documented below, which specifies applications and user actions included in and excluded from the policy.- client
App List<String>Types A list of client application types included in the policy. Possible values are:
all,browser,mobileAppsAndDesktopClients,exchangeActiveSync,easSupportedandother.- users
Conditional
Access Policy Conditions Users A
usersblock as documented below, which specifies users, groups, and roles included in and excluded from the policy.- client
Applications ConditionalAccess Policy Conditions Client Applications An
client_applicationsblock as documented below, which specifies service principals included in and excluded from the policy.- devices
Conditional
Access Policy Conditions Devices A
devicesblock as documented below, which describes devices to be included in and excluded from the policy. Adevicesblock can be added to an existing policy, but removing thedevicesblock forces a new resource to be created.- locations
Conditional
Access Policy Conditions Locations A
locationsblock as documented below, which specifies locations included in and excluded from the policy.- platforms
Conditional
Access Policy Conditions Platforms A
platformsblock as documented below, which specifies platforms included in and excluded from the policy.- service
Principal List<String>Risk Levels A list of service principal sign-in risk levels included in the policy. Possible values are:
low,medium,high,none,unknownFutureValue.- sign
In List<String>Risk Levels A list of user sign-in risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.- user
Risk List<String>Levels A list of user risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.
- applications
Conditional
Access Policy Conditions Applications An
applicationsblock as documented below, which specifies applications and user actions included in and excluded from the policy.- client
App string[]Types A list of client application types included in the policy. Possible values are:
all,browser,mobileAppsAndDesktopClients,exchangeActiveSync,easSupportedandother.- users
Conditional
Access Policy Conditions Users A
usersblock as documented below, which specifies users, groups, and roles included in and excluded from the policy.- client
Applications ConditionalAccess Policy Conditions Client Applications An
client_applicationsblock as documented below, which specifies service principals included in and excluded from the policy.- devices
Conditional
Access Policy Conditions Devices A
devicesblock as documented below, which describes devices to be included in and excluded from the policy. Adevicesblock can be added to an existing policy, but removing thedevicesblock forces a new resource to be created.- locations
Conditional
Access Policy Conditions Locations A
locationsblock as documented below, which specifies locations included in and excluded from the policy.- platforms
Conditional
Access Policy Conditions Platforms A
platformsblock as documented below, which specifies platforms included in and excluded from the policy.- service
Principal string[]Risk Levels A list of service principal sign-in risk levels included in the policy. Possible values are:
low,medium,high,none,unknownFutureValue.- sign
In string[]Risk Levels A list of user sign-in risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.- user
Risk string[]Levels A list of user risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.
- applications
Conditional
Access Policy Conditions Applications An
applicationsblock as documented below, which specifies applications and user actions included in and excluded from the policy.- client_
app_ Sequence[str]types A list of client application types included in the policy. Possible values are:
all,browser,mobileAppsAndDesktopClients,exchangeActiveSync,easSupportedandother.- users
Conditional
Access Policy Conditions Users A
usersblock as documented below, which specifies users, groups, and roles included in and excluded from the policy.- client_
applications ConditionalAccess Policy Conditions Client Applications An
client_applicationsblock as documented below, which specifies service principals included in and excluded from the policy.- devices
Conditional
Access Policy Conditions Devices A
devicesblock as documented below, which describes devices to be included in and excluded from the policy. Adevicesblock can be added to an existing policy, but removing thedevicesblock forces a new resource to be created.- locations
Conditional
Access Policy Conditions Locations A
locationsblock as documented below, which specifies locations included in and excluded from the policy.- platforms
Conditional
Access Policy Conditions Platforms A
platformsblock as documented below, which specifies platforms included in and excluded from the policy.- service_
principal_ Sequence[str]risk_ levels A list of service principal sign-in risk levels included in the policy. Possible values are:
low,medium,high,none,unknownFutureValue.- sign_
in_ Sequence[str]risk_ levels A list of user sign-in risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.- user_
risk_ Sequence[str]levels A list of user risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.
- applications Property Map
An
applicationsblock as documented below, which specifies applications and user actions included in and excluded from the policy.- client
App List<String>Types A list of client application types included in the policy. Possible values are:
all,browser,mobileAppsAndDesktopClients,exchangeActiveSync,easSupportedandother.- users Property Map
A
usersblock as documented below, which specifies users, groups, and roles included in and excluded from the policy.- client
Applications Property Map An
client_applicationsblock as documented below, which specifies service principals included in and excluded from the policy.- devices Property Map
A
devicesblock as documented below, which describes devices to be included in and excluded from the policy. Adevicesblock can be added to an existing policy, but removing thedevicesblock forces a new resource to be created.- locations Property Map
A
locationsblock as documented below, which specifies locations included in and excluded from the policy.- platforms Property Map
A
platformsblock as documented below, which specifies platforms included in and excluded from the policy.- service
Principal List<String>Risk Levels A list of service principal sign-in risk levels included in the policy. Possible values are:
low,medium,high,none,unknownFutureValue.- sign
In List<String>Risk Levels A list of user sign-in risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.- user
Risk List<String>Levels A list of user risk levels included in the policy. Possible values are:
low,medium,high,hidden,none,unknownFutureValue.
ConditionalAccessPolicyConditionsApplications, ConditionalAccessPolicyConditionsApplicationsArgs
- Excluded
Applications List<string> A list of application IDs explicitly excluded from the policy. Can also be set to
Office365.- Included
Applications List<string> A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications). Can also be set toAll,NoneorOffice365. Cannot be specified withincluded_user_actions. One ofincluded_applicationsorincluded_user_actionsmust be specified.- Included
User List<string>Actions A list of user actions to include. Supported values are
urn:user:registerdeviceandurn:user:registersecurityinfo. Cannot be specified withincluded_applications. One ofincluded_applicationsorincluded_user_actionsmust be specified.
- Excluded
Applications []string A list of application IDs explicitly excluded from the policy. Can also be set to
Office365.- Included
Applications []string A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications). Can also be set toAll,NoneorOffice365. Cannot be specified withincluded_user_actions. One ofincluded_applicationsorincluded_user_actionsmust be specified.- Included
User []stringActions A list of user actions to include. Supported values are
urn:user:registerdeviceandurn:user:registersecurityinfo. Cannot be specified withincluded_applications. One ofincluded_applicationsorincluded_user_actionsmust be specified.
- excluded
Applications List<String> A list of application IDs explicitly excluded from the policy. Can also be set to
Office365.- included
Applications List<String> A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications). Can also be set toAll,NoneorOffice365. Cannot be specified withincluded_user_actions. One ofincluded_applicationsorincluded_user_actionsmust be specified.- included
User List<String>Actions A list of user actions to include. Supported values are
urn:user:registerdeviceandurn:user:registersecurityinfo. Cannot be specified withincluded_applications. One ofincluded_applicationsorincluded_user_actionsmust be specified.
- excluded
Applications string[] A list of application IDs explicitly excluded from the policy. Can also be set to
Office365.- included
Applications string[] A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications). Can also be set toAll,NoneorOffice365. Cannot be specified withincluded_user_actions. One ofincluded_applicationsorincluded_user_actionsmust be specified.- included
User string[]Actions A list of user actions to include. Supported values are
urn:user:registerdeviceandurn:user:registersecurityinfo. Cannot be specified withincluded_applications. One ofincluded_applicationsorincluded_user_actionsmust be specified.
- excluded_
applications Sequence[str] A list of application IDs explicitly excluded from the policy. Can also be set to
Office365.- included_
applications Sequence[str] A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications). Can also be set toAll,NoneorOffice365. Cannot be specified withincluded_user_actions. One ofincluded_applicationsorincluded_user_actionsmust be specified.- included_
user_ Sequence[str]actions A list of user actions to include. Supported values are
urn:user:registerdeviceandurn:user:registersecurityinfo. Cannot be specified withincluded_applications. One ofincluded_applicationsorincluded_user_actionsmust be specified.
- excluded
Applications List<String> A list of application IDs explicitly excluded from the policy. Can also be set to
Office365.- included
Applications List<String> A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications). Can also be set toAll,NoneorOffice365. Cannot be specified withincluded_user_actions. One ofincluded_applicationsorincluded_user_actionsmust be specified.- included
User List<String>Actions A list of user actions to include. Supported values are
urn:user:registerdeviceandurn:user:registersecurityinfo. Cannot be specified withincluded_applications. One ofincluded_applicationsorincluded_user_actionsmust be specified.
ConditionalAccessPolicyConditionsClientApplications, ConditionalAccessPolicyConditionsClientApplicationsArgs
- Excluded
Service List<string>Principals A list of service principal IDs explicitly excluded in the policy.
- Included
Service List<string>Principals A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenantto include all service principals. This is mandatory value when at least oneexcluded_service_principalsis set.
- Excluded
Service []stringPrincipals A list of service principal IDs explicitly excluded in the policy.
- Included
Service []stringPrincipals A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenantto include all service principals. This is mandatory value when at least oneexcluded_service_principalsis set.
- excluded
Service List<String>Principals A list of service principal IDs explicitly excluded in the policy.
- included
Service List<String>Principals A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenantto include all service principals. This is mandatory value when at least oneexcluded_service_principalsis set.
- excluded
Service string[]Principals A list of service principal IDs explicitly excluded in the policy.
- included
Service string[]Principals A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenantto include all service principals. This is mandatory value when at least oneexcluded_service_principalsis set.
- excluded_
service_ Sequence[str]principals A list of service principal IDs explicitly excluded in the policy.
- included_
service_ Sequence[str]principals A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenantto include all service principals. This is mandatory value when at least oneexcluded_service_principalsis set.
- excluded
Service List<String>Principals A list of service principal IDs explicitly excluded in the policy.
- included
Service List<String>Principals A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenantto include all service principals. This is mandatory value when at least oneexcluded_service_principalsis set.
ConditionalAccessPolicyConditionsDevices, ConditionalAccessPolicyConditionsDevicesArgs
- Filter
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Devices Filter A
filterblock as described below. Afilterblock can be added to an existing policy, but removing thefilterblock forces a new resource to be created.
- Filter
Conditional
Access Policy Conditions Devices Filter A
filterblock as described below. Afilterblock can be added to an existing policy, but removing thefilterblock forces a new resource to be created.
- filter
Conditional
Access Policy Conditions Devices Filter A
filterblock as described below. Afilterblock can be added to an existing policy, but removing thefilterblock forces a new resource to be created.
- filter
Conditional
Access Policy Conditions Devices Filter A
filterblock as described below. Afilterblock can be added to an existing policy, but removing thefilterblock forces a new resource to be created.
- filter
Conditional
Access Policy Conditions Devices Filter A
filterblock as described below. Afilterblock can be added to an existing policy, but removing thefilterblock forces a new resource to be created.
- filter Property Map
A
filterblock as described below. Afilterblock can be added to an existing policy, but removing thefilterblock forces a new resource to be created.
ConditionalAccessPolicyConditionsDevicesFilter, ConditionalAccessPolicyConditionsDevicesFilterArgs
- Mode string
Whether to include in, or exclude from, matching devices from the policy. Supported values are
includeorexclude.- Rule string
Condition filter to match devices. For more information, see official documentation.
- Mode string
Whether to include in, or exclude from, matching devices from the policy. Supported values are
includeorexclude.- Rule string
Condition filter to match devices. For more information, see official documentation.
- mode String
Whether to include in, or exclude from, matching devices from the policy. Supported values are
includeorexclude.- rule String
Condition filter to match devices. For more information, see official documentation.
- mode string
Whether to include in, or exclude from, matching devices from the policy. Supported values are
includeorexclude.- rule string
Condition filter to match devices. For more information, see official documentation.
- mode str
Whether to include in, or exclude from, matching devices from the policy. Supported values are
includeorexclude.- rule str
Condition filter to match devices. For more information, see official documentation.
- mode String
Whether to include in, or exclude from, matching devices from the policy. Supported values are
includeorexclude.- rule String
Condition filter to match devices. For more information, see official documentation.
ConditionalAccessPolicyConditionsLocations, ConditionalAccessPolicyConditionsLocationsArgs
- Included
Locations List<string> A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All, orAllTrusted.- Excluded
Locations List<string> A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted.
- Included
Locations []string A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All, orAllTrusted.- Excluded
Locations []string A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted.
- included
Locations List<String> A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All, orAllTrusted.- excluded
Locations List<String> A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted.
- included
Locations string[] A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All, orAllTrusted.- excluded
Locations string[] A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted.
- included_
locations Sequence[str] A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All, orAllTrusted.- excluded_
locations Sequence[str] A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted.
- included
Locations List<String> A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All, orAllTrusted.- excluded
Locations List<String> A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted.
ConditionalAccessPolicyConditionsPlatforms, ConditionalAccessPolicyConditionsPlatformsArgs
- Included
Platforms List<string> A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.- Excluded
Platforms List<string> A list of platforms explicitly excluded from the policy. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.
- Included
Platforms []string A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.- Excluded
Platforms []string A list of platforms explicitly excluded from the policy. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.
- included
Platforms List<String> A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.- excluded
Platforms List<String> A list of platforms explicitly excluded from the policy. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.
- included
Platforms string[] A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.- excluded
Platforms string[] A list of platforms explicitly excluded from the policy. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.
- included_
platforms Sequence[str] A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.- excluded_
platforms Sequence[str] A list of platforms explicitly excluded from the policy. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.
- included
Platforms List<String> A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.- excluded
Platforms List<String> A list of platforms explicitly excluded from the policy. Possible values are:
all,android,iOS,linux,macOS,windows,windowsPhoneorunknownFutureValue.
ConditionalAccessPolicyConditionsUsers, ConditionalAccessPolicyConditionsUsersArgs
- Excluded
Groups List<string> A list of group IDs excluded from scope of policy.
- Excluded
Roles List<string> A list of role IDs excluded from scope of policy.
- Excluded
Users List<string> A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers.- Included
Groups List<string> A list of group IDs in scope of policy unless explicitly excluded.
- Included
Roles List<string> A list of role IDs in scope of policy unless explicitly excluded.
- Included
Users List<string> A list of user IDs in scope of policy unless explicitly excluded, or
NoneorAllorGuestsOrExternalUsers.At least one of
included_groups,included_rolesorincluded_usersmust be specified.
- Excluded
Groups []string A list of group IDs excluded from scope of policy.
- Excluded
Roles []string A list of role IDs excluded from scope of policy.
- Excluded
Users []string A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers.- Included
Groups []string A list of group IDs in scope of policy unless explicitly excluded.
- Included
Roles []string A list of role IDs in scope of policy unless explicitly excluded.
- Included
Users []string A list of user IDs in scope of policy unless explicitly excluded, or
NoneorAllorGuestsOrExternalUsers.At least one of
included_groups,included_rolesorincluded_usersmust be specified.
- excluded
Groups List<String> A list of group IDs excluded from scope of policy.
- excluded
Roles List<String> A list of role IDs excluded from scope of policy.
- excluded
Users List<String> A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers.- included
Groups List<String> A list of group IDs in scope of policy unless explicitly excluded.
- included
Roles List<String> A list of role IDs in scope of policy unless explicitly excluded.
- included
Users List<String> A list of user IDs in scope of policy unless explicitly excluded, or
NoneorAllorGuestsOrExternalUsers.At least one of
included_groups,included_rolesorincluded_usersmust be specified.
- excluded
Groups string[] A list of group IDs excluded from scope of policy.
- excluded
Roles string[] A list of role IDs excluded from scope of policy.
- excluded
Users string[] A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers.- included
Groups string[] A list of group IDs in scope of policy unless explicitly excluded.
- included
Roles string[] A list of role IDs in scope of policy unless explicitly excluded.
- included
Users string[] A list of user IDs in scope of policy unless explicitly excluded, or
NoneorAllorGuestsOrExternalUsers.At least one of
included_groups,included_rolesorincluded_usersmust be specified.
- excluded_
groups Sequence[str] A list of group IDs excluded from scope of policy.
- excluded_
roles Sequence[str] A list of role IDs excluded from scope of policy.
- excluded_
users Sequence[str] A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers.- included_
groups Sequence[str] A list of group IDs in scope of policy unless explicitly excluded.
- included_
roles Sequence[str] A list of role IDs in scope of policy unless explicitly excluded.
- included_
users Sequence[str] A list of user IDs in scope of policy unless explicitly excluded, or
NoneorAllorGuestsOrExternalUsers.At least one of
included_groups,included_rolesorincluded_usersmust be specified.
- excluded
Groups List<String> A list of group IDs excluded from scope of policy.
- excluded
Roles List<String> A list of role IDs excluded from scope of policy.
- excluded
Users List<String> A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers.- included
Groups List<String> A list of group IDs in scope of policy unless explicitly excluded.
- included
Roles List<String> A list of role IDs in scope of policy unless explicitly excluded.
- included
Users List<String> A list of user IDs in scope of policy unless explicitly excluded, or
NoneorAllorGuestsOrExternalUsers.At least one of
included_groups,included_rolesorincluded_usersmust be specified.
ConditionalAccessPolicyGrantControls, ConditionalAccessPolicyGrantControlsArgs
- Operator string
Defines the relationship of the grant controls. Possible values are:
AND,OR.- Built
In List<string>Controls List of built-in controls required by the policy. Possible values are:
block,mfa,approvedApplication,compliantApplication,compliantDevice,domainJoinedDevice,passwordChangeorunknownFutureValue.- Custom
Authentication List<string>Factors List of custom controls IDs required by the policy.
- Terms
Of List<string>Uses List of terms of use IDs required by the policy.
At least one of
built_in_controlsorterms_of_usemust be specified.
- Operator string
Defines the relationship of the grant controls. Possible values are:
AND,OR.- Built
In []stringControls List of built-in controls required by the policy. Possible values are:
block,mfa,approvedApplication,compliantApplication,compliantDevice,domainJoinedDevice,passwordChangeorunknownFutureValue.- Custom
Authentication []stringFactors List of custom controls IDs required by the policy.
- Terms
Of []stringUses List of terms of use IDs required by the policy.
At least one of
built_in_controlsorterms_of_usemust be specified.
- operator String
Defines the relationship of the grant controls. Possible values are:
AND,OR.- built
In List<String>Controls List of built-in controls required by the policy. Possible values are:
block,mfa,approvedApplication,compliantApplication,compliantDevice,domainJoinedDevice,passwordChangeorunknownFutureValue.- custom
Authentication List<String>Factors List of custom controls IDs required by the policy.
- terms
Of List<String>Uses List of terms of use IDs required by the policy.
At least one of
built_in_controlsorterms_of_usemust be specified.
- operator string
Defines the relationship of the grant controls. Possible values are:
AND,OR.- built
In string[]Controls List of built-in controls required by the policy. Possible values are:
block,mfa,approvedApplication,compliantApplication,compliantDevice,domainJoinedDevice,passwordChangeorunknownFutureValue.- custom
Authentication string[]Factors List of custom controls IDs required by the policy.
- terms
Of string[]Uses List of terms of use IDs required by the policy.
At least one of
built_in_controlsorterms_of_usemust be specified.
- operator str
Defines the relationship of the grant controls. Possible values are:
AND,OR.- built_
in_ Sequence[str]controls List of built-in controls required by the policy. Possible values are:
block,mfa,approvedApplication,compliantApplication,compliantDevice,domainJoinedDevice,passwordChangeorunknownFutureValue.- custom_
authentication_ Sequence[str]factors List of custom controls IDs required by the policy.
- terms_
of_ Sequence[str]uses List of terms of use IDs required by the policy.
At least one of
built_in_controlsorterms_of_usemust be specified.
- operator String
Defines the relationship of the grant controls. Possible values are:
AND,OR.- built
In List<String>Controls List of built-in controls required by the policy. Possible values are:
block,mfa,approvedApplication,compliantApplication,compliantDevice,domainJoinedDevice,passwordChangeorunknownFutureValue.- custom
Authentication List<String>Factors List of custom controls IDs required by the policy.
- terms
Of List<String>Uses List of terms of use IDs required by the policy.
At least one of
built_in_controlsorterms_of_usemust be specified.
ConditionalAccessPolicySessionControls, ConditionalAccessPolicySessionControlsArgs
- Application
Enforced boolRestrictions Enabled Whether or not application enforced restrictions are enabled. Defaults to
false.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- Cloud
App stringSecurity Policy Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads,mcasConfigured,monitorOnlyorunknownFutureValue.- Disable
Resilience boolDefaults Disables resilience defaults. Defaults to
false.- Persistent
Browser stringMode Session control to define whether to persist cookies or not. Possible values are:
alwaysornever.- Sign
In intFrequency Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.- Sign
In stringFrequency Period The time period to enforce sign-in frequency. Possible values are:
hoursordays. Required whensign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.
- Application
Enforced boolRestrictions Enabled Whether or not application enforced restrictions are enabled. Defaults to
false.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- Cloud
App stringSecurity Policy Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads,mcasConfigured,monitorOnlyorunknownFutureValue.- Disable
Resilience boolDefaults Disables resilience defaults. Defaults to
false.- Persistent
Browser stringMode Session control to define whether to persist cookies or not. Possible values are:
alwaysornever.- Sign
In intFrequency Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.- Sign
In stringFrequency Period The time period to enforce sign-in frequency. Possible values are:
hoursordays. Required whensign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.
- application
Enforced BooleanRestrictions Enabled Whether or not application enforced restrictions are enabled. Defaults to
false.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud
App StringSecurity Policy Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads,mcasConfigured,monitorOnlyorunknownFutureValue.- disable
Resilience BooleanDefaults Disables resilience defaults. Defaults to
false.- persistent
Browser StringMode Session control to define whether to persist cookies or not. Possible values are:
alwaysornever.- sign
In IntegerFrequency Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.- sign
In StringFrequency Period The time period to enforce sign-in frequency. Possible values are:
hoursordays. Required whensign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.
- application
Enforced booleanRestrictions Enabled Whether or not application enforced restrictions are enabled. Defaults to
false.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud
App stringSecurity Policy Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads,mcasConfigured,monitorOnlyorunknownFutureValue.- disable
Resilience booleanDefaults Disables resilience defaults. Defaults to
false.- persistent
Browser stringMode Session control to define whether to persist cookies or not. Possible values are:
alwaysornever.- sign
In numberFrequency Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.- sign
In stringFrequency Period The time period to enforce sign-in frequency. Possible values are:
hoursordays. Required whensign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.
- application_
enforced_ boolrestrictions_ enabled Whether or not application enforced restrictions are enabled. Defaults to
false.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud_
app_ strsecurity_ policy Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads,mcasConfigured,monitorOnlyorunknownFutureValue.- disable_
resilience_ booldefaults Disables resilience defaults. Defaults to
false.- persistent_
browser_ strmode Session control to define whether to persist cookies or not. Possible values are:
alwaysornever.- sign_
in_ intfrequency Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.- sign_
in_ strfrequency_ period The time period to enforce sign-in frequency. Possible values are:
hoursordays. Required whensign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.
- application
Enforced BooleanRestrictions Enabled Whether or not application enforced restrictions are enabled. Defaults to
false.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud
App StringSecurity Policy Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads,mcasConfigured,monitorOnlyorunknownFutureValue.- disable
Resilience BooleanDefaults Disables resilience defaults. Defaults to
false.- persistent
Browser StringMode Session control to define whether to persist cookies or not. Possible values are:
alwaysornever.- sign
In NumberFrequency Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.- sign
In StringFrequency Period The time period to enforce sign-in frequency. Possible values are:
hoursordays. Required whensign_in_frequency_periodis specified. Due to an API issue, removing this property forces a new resource to be created.
Import
Conditional Access Policies can be imported using the id, e.g.
$ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
azureadTerraform Provider.