Azure Active Directory (Azure AD) v5.36.0, Mar 7 23

azuread.ConditionalAccessPolicy

Manages a Conditional Access Policy within Azure Active Directory.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires the following application roles: Policy.ReadWrite.ConditionalAccess and Policy.Read.All

When authenticated with a user principal, this resource requires one of the following directory roles: Conditional Access Administrator or Global Administrator

Example Usage

using System.Collections.Generic;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
        {
            Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
            {
                ExcludedApplications = new[] {},
                IncludedApplications = new[]
                {
                    "All",
                },
            },
            ClientAppTypes = new[]
            {
                "all",
            },
            Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
            {
                Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
                {
                    Mode = "exclude",
                    Rule = "device.operatingSystem eq \"Doors\"",
                },
            },
            Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
            {
                ExcludedLocations = new[]
                {
                    "AllTrusted",
                },
                IncludedLocations = new[]
                {
                    "All",
                },
            },
            Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
            {
                ExcludedPlatforms = new[]
                {
                    "iOS",
                },
                IncludedPlatforms = new[]
                {
                    "android",
                },
            },
            SignInRiskLevels = new[]
            {
                "medium",
            },
            UserRiskLevels = new[]
            {
                "medium",
            },
            Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
            {
                ExcludedUsers = new[]
                {
                    "GuestsOrExternalUsers",
                },
                IncludedUsers = new[]
                {
                    "All",
                },
            },
        },
        DisplayName = "example policy",
        GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
        {
            BuiltInControls = new[]
            {
                "mfa",
            },
            Operator = "OR",
        },
        SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
        {
            ApplicationEnforcedRestrictionsEnabled = true,
            CloudAppSecurityPolicy = "monitorOnly",
            SignInFrequency = 10,
            SignInFrequencyPeriod = "hours",
        },
        State = "disabled",
    });

});

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					ExcludedApplications: pulumi.StringArray{},
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
					Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
						Mode: pulumi.String("exclude"),
						Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
					},
				},
				Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
					ExcludedLocations: pulumi.StringArray{
						pulumi.String("AllTrusted"),
					},
					IncludedLocations: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
				Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
					ExcludedPlatforms: pulumi.StringArray{
						pulumi.String("iOS"),
					},
					IncludedPlatforms: pulumi.StringArray{
						pulumi.String("android"),
					},
				},
				SignInRiskLevels: pulumi.StringArray{
					pulumi.String("medium"),
				},
				UserRiskLevels: pulumi.StringArray{
					pulumi.String("medium"),
				},
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					ExcludedUsers: pulumi.StringArray{
						pulumi.String("GuestsOrExternalUsers"),
					},
					IncludedUsers: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
			},
			DisplayName: pulumi.String("example policy"),
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				BuiltInControls: pulumi.StringArray{
					pulumi.String("mfa"),
				},
				Operator: pulumi.String("OR"),
			},
			SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
				ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
				CloudAppSecurityPolicy:                 pulumi.String("monitorOnly"),
				SignInFrequency:                        pulumi.Int(10),
				SignInFrequencyPeriod:                  pulumi.String("hours"),
			},
			State: pulumi.String("disabled"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
            .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                    .excludedApplications()
                    .includedApplications("All")
                    .build())
                .clientAppTypes("all")
                .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
                    .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                        .mode("exclude")
                        .rule("device.operatingSystem eq \"Doors\"")
                        .build())
                    .build())
                .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
                    .excludedLocations("AllTrusted")
                    .includedLocations("All")
                    .build())
                .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
                    .excludedPlatforms("iOS")
                    .includedPlatforms("android")
                    .build())
                .signInRiskLevels("medium")
                .userRiskLevels("medium")
                .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                    .excludedUsers("GuestsOrExternalUsers")
                    .includedUsers("All")
                    .build())
                .build())
            .displayName("example policy")
            .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                .builtInControls("mfa")
                .operator("OR")
                .build())
            .sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
                .applicationEnforcedRestrictionsEnabled(true)
                .cloudAppSecurityPolicy("monitorOnly")
                .signInFrequency(10)
                .signInFrequencyPeriod("hours")
                .build())
            .state("disabled")
            .build());

    }
}

import pulumi
import pulumi_azuread as azuread

example = azuread.ConditionalAccessPolicy("example",
    conditions=azuread.ConditionalAccessPolicyConditionsArgs(
        applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
            excluded_applications=[],
            included_applications=["All"],
        ),
        client_app_types=["all"],
        devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(
            filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(
                mode="exclude",
                rule="device.operatingSystem eq \"Doors\"",
            ),
        ),
        locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(
            excluded_locations=["AllTrusted"],
            included_locations=["All"],
        ),
        platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(
            excluded_platforms=["iOS"],
            included_platforms=["android"],
        ),
        sign_in_risk_levels=["medium"],
        user_risk_levels=["medium"],
        users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
            excluded_users=["GuestsOrExternalUsers"],
            included_users=["All"],
        ),
    ),
    display_name="example policy",
    grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
        built_in_controls=["mfa"],
        operator="OR",
    ),
    session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(
        application_enforced_restrictions_enabled=True,
        cloud_app_security_policy="monitorOnly",
        sign_in_frequency=10,
        sign_in_frequency_period="hours",
    ),
    state="disabled")

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = new azuread.ConditionalAccessPolicy("example", {
    conditions: {
        applications: {
            excludedApplications: [],
            includedApplications: ["All"],
        },
        clientAppTypes: ["all"],
        devices: {
            filter: {
                mode: "exclude",
                rule: "device.operatingSystem eq \"Doors\"",
            },
        },
        locations: {
            excludedLocations: ["AllTrusted"],
            includedLocations: ["All"],
        },
        platforms: {
            excludedPlatforms: ["iOS"],
            includedPlatforms: ["android"],
        },
        signInRiskLevels: ["medium"],
        userRiskLevels: ["medium"],
        users: {
            excludedUsers: ["GuestsOrExternalUsers"],
            includedUsers: ["All"],
        },
    },
    displayName: "example policy",
    grantControls: {
        builtInControls: ["mfa"],
        operator: "OR",
    },
    sessionControls: {
        applicationEnforcedRestrictionsEnabled: true,
        cloudAppSecurityPolicy: "monitorOnly",
        signInFrequency: 10,
        signInFrequencyPeriod: "hours",
    },
    state: "disabled",
});

resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      conditions:
        applications:
          excludedApplications: []
          includedApplications:
            - All
        clientAppTypes:
          - all
        devices:
          filter:
            mode: exclude
            rule: device.operatingSystem eq "Doors"
        locations:
          excludedLocations:
            - AllTrusted
          includedLocations:
            - All
        platforms:
          excludedPlatforms:
            - iOS
          includedPlatforms:
            - android
        signInRiskLevels:
          - medium
        userRiskLevels:
          - medium
        users:
          excludedUsers:
            - GuestsOrExternalUsers
          includedUsers:
            - All
      displayName: example policy
      grantControls:
        builtInControls:
          - mfa
        operator: OR
      sessionControls:
        applicationEnforcedRestrictionsEnabled: true
        cloudAppSecurityPolicy: monitorOnly
        signInFrequency: 10
        signInFrequencyPeriod: hours
      state: disabled

Create ConditionalAccessPolicy Resource

new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);

@overload
def ConditionalAccessPolicy(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
                            display_name: Optional[str] = None,
                            grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
                            session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
                            state: Optional[str] = None)
@overload
def ConditionalAccessPolicy(resource_name: str,
                            args: ConditionalAccessPolicyArgs,
                            opts: Optional[ResourceOptions] = None)

func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)

public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)

public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)

type: azuread:ConditionalAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ConditionalAccessPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ConditionalAccessPolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ConditionalAccessPolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ConditionalAccessPolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ConditionalAccessPolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

ConditionalAccessPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ConditionalAccessPolicy resource accepts the following input properties:

Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName string: The friendly name for this Conditional Access Policy.
GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
State string: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName string: The friendly name for this Conditional Access Policy.
GrantControls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
State string: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
SessionControls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName String: The friendly name for this Conditional Access Policy.
grantControls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
state String: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
sessionControls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName string: The friendly name for this Conditional Access Policy.
grantControls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
state string: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
sessionControls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
display_name str: The friendly name for this Conditional Access Policy.
grant_controls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
state str: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
session_controls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

conditions Property Map: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName String: The friendly name for this Conditional Access Policy.
grantControls Property Map: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
state String: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
sessionControls Property Map: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Outputs

All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing ConditionalAccessPolicy Resource

Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
        display_name: Optional[str] = None,
        grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
        session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
        state: Optional[str] = None) -> ConditionalAccessPolicy

func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)

public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)

public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName string: The friendly name for this Conditional Access Policy.
GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
State string: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

Conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName string: The friendly name for this Conditional Access Policy.
GrantControls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
SessionControls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
State string: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName String: The friendly name for this Conditional Access Policy.
grantControls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
sessionControls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
state String: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName string: The friendly name for this Conditional Access Policy.
grantControls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
sessionControls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
state string: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

conditions ConditionalAccessPolicyConditionsArgs: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
display_name str: The friendly name for this Conditional Access Policy.
grant_controls ConditionalAccessPolicyGrantControlsArgs: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
session_controls ConditionalAccessPolicySessionControlsArgs: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
state str: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

conditions Property Map: A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName String: The friendly name for this Conditional Access Policy.
grantControls Property Map: A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
sessionControls Property Map: A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
state String: Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

Supporting Types

ConditionalAccessPolicyConditions

Applications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsApplications: An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
ClientAppTypes List<string>: A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
Users Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsers: A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
Devices Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevices: A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
Locations Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsLocations: A locations block as documented below, which specifies locations included in and excluded from the policy.
Platforms Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatforms: A platforms block as documented below, which specifies platforms included in and excluded from the policy.
SignInRiskLevels List<string>: A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
UserRiskLevels List<string>: A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

Applications ConditionalAccessPolicyConditionsApplications: An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
ClientAppTypes []string: A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
Users ConditionalAccessPolicyConditionsUsers: A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
Devices ConditionalAccessPolicyConditionsDevices: A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
Locations ConditionalAccessPolicyConditionsLocations: A locations block as documented below, which specifies locations included in and excluded from the policy.
Platforms ConditionalAccessPolicyConditionsPlatforms: A platforms block as documented below, which specifies platforms included in and excluded from the policy.
SignInRiskLevels []string: A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
UserRiskLevels []string: A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

applications ConditionalAccessPolicyConditionsApplications: An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
clientAppTypes List<String>: A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users ConditionalAccessPolicyConditionsUsers: A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
devices ConditionalAccessPolicyConditionsDevices: A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
locations ConditionalAccessPolicyConditionsLocations: A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms ConditionalAccessPolicyConditionsPlatforms: A platforms block as documented below, which specifies platforms included in and excluded from the policy.
signInRiskLevels List<String>: A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
userRiskLevels List<String>: A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

applications ConditionalAccessPolicyConditionsApplications: An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
clientAppTypes string[]: A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users ConditionalAccessPolicyConditionsUsers: A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
devices ConditionalAccessPolicyConditionsDevices: A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
locations ConditionalAccessPolicyConditionsLocations: A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms ConditionalAccessPolicyConditionsPlatforms: A platforms block as documented below, which specifies platforms included in and excluded from the policy.
signInRiskLevels string[]: A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
userRiskLevels string[]: A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

applications ConditionalAccessPolicyConditionsApplications: An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
client_app_types Sequence[str]: A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users ConditionalAccessPolicyConditionsUsers: A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
devices ConditionalAccessPolicyConditionsDevices: A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
locations ConditionalAccessPolicyConditionsLocations: A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms ConditionalAccessPolicyConditionsPlatforms: A platforms block as documented below, which specifies platforms included in and excluded from the policy.
sign_in_risk_levels Sequence[str]: A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
user_risk_levels Sequence[str]: A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

applications Property Map: An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
clientAppTypes List<String>: A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users Property Map: A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
devices Property Map: A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
locations Property Map: A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms Property Map: A platforms block as documented below, which specifies platforms included in and excluded from the policy.
signInRiskLevels List<String>: A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
userRiskLevels List<String>: A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

ConditionalAccessPolicyConditionsApplications

ExcludedApplications List<string>: A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
IncludedApplications List<string>: A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
IncludedUserActions List<string>: A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

ExcludedApplications []string: A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
IncludedApplications []string: A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
IncludedUserActions []string: A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

excludedApplications List<String>: A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
includedApplications List<String>: A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
includedUserActions List<String>: A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

excludedApplications string[]: A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
includedApplications string[]: A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
includedUserActions string[]: A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

excluded_applications Sequence[str]: A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
included_applications Sequence[str]: A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
included_user_actions Sequence[str]: A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

excludedApplications List<String>: A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
includedApplications List<String>: A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
includedUserActions List<String>: A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

ConditionalAccessPolicyConditionsDevices

Filter Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilter: A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

Filter ConditionalAccessPolicyConditionsDevicesFilter: A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

filter ConditionalAccessPolicyConditionsDevicesFilter: A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

filter ConditionalAccessPolicyConditionsDevicesFilter: A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

filter ConditionalAccessPolicyConditionsDevicesFilter: A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

filter Property Map: A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

ConditionalAccessPolicyConditionsDevicesFilter

Mode string: Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
Rule string: Condition filter to match devices. For more information, see official documentation.

Mode string: Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
Rule string: Condition filter to match devices. For more information, see official documentation.

mode String: Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule String: Condition filter to match devices. For more information, see official documentation.

mode string: Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule string: Condition filter to match devices. For more information, see official documentation.

mode str: Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule str: Condition filter to match devices. For more information, see official documentation.

mode String: Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule String: Condition filter to match devices. For more information, see official documentation.

ConditionalAccessPolicyConditionsLocations

IncludedLocations List<string>: A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
ExcludedLocations List<string>: A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

IncludedLocations []string: A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
ExcludedLocations []string: A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

includedLocations List<String>: A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excludedLocations List<String>: A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

includedLocations string[]: A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excludedLocations string[]: A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

included_locations Sequence[str]: A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excluded_locations Sequence[str]: A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

includedLocations List<String>: A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excludedLocations List<String>: A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

ConditionalAccessPolicyConditionsPlatforms

IncludedPlatforms List<string>: A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
ExcludedPlatforms List<string>: A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

IncludedPlatforms []string: A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
ExcludedPlatforms []string: A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

includedPlatforms List<String>: A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excludedPlatforms List<String>: A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

includedPlatforms string[]: A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excludedPlatforms string[]: A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

included_platforms Sequence[str]: A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excluded_platforms Sequence[str]: A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

includedPlatforms List<String>: A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excludedPlatforms List<String>: A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

ConditionalAccessPolicyConditionsUsers

ExcludedGroups List<string>: A list of group IDs excluded from scope of policy.
ExcludedRoles List<string>: A list of role IDs excluded from scope of policy.
ExcludedUsers List<string>: A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
IncludedGroups List<string>: A list of group IDs in scope of policy unless explicitly excluded.
IncludedRoles List<string>: A list of role IDs in scope of policy unless explicitly excluded.
IncludedUsers List<string>: A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

ExcludedGroups []string: A list of group IDs excluded from scope of policy.
ExcludedRoles []string: A list of role IDs excluded from scope of policy.
ExcludedUsers []string: A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
IncludedGroups []string: A list of group IDs in scope of policy unless explicitly excluded.
IncludedRoles []string: A list of role IDs in scope of policy unless explicitly excluded.
IncludedUsers []string: A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

excludedGroups List<String>: A list of group IDs excluded from scope of policy.
excludedRoles List<String>: A list of role IDs excluded from scope of policy.
excludedUsers List<String>: A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
includedGroups List<String>: A list of group IDs in scope of policy unless explicitly excluded.
includedRoles List<String>: A list of role IDs in scope of policy unless explicitly excluded.
includedUsers List<String>: A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

excludedGroups string[]: A list of group IDs excluded from scope of policy.
excludedRoles string[]: A list of role IDs excluded from scope of policy.
excludedUsers string[]: A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
includedGroups string[]: A list of group IDs in scope of policy unless explicitly excluded.
includedRoles string[]: A list of role IDs in scope of policy unless explicitly excluded.
includedUsers string[]: A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

excluded_groups Sequence[str]: A list of group IDs excluded from scope of policy.
excluded_roles Sequence[str]: A list of role IDs excluded from scope of policy.
excluded_users Sequence[str]: A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
included_groups Sequence[str]: A list of group IDs in scope of policy unless explicitly excluded.
included_roles Sequence[str]: A list of role IDs in scope of policy unless explicitly excluded.
included_users Sequence[str]: A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

excludedGroups List<String>: A list of group IDs excluded from scope of policy.
excludedRoles List<String>: A list of role IDs excluded from scope of policy.
excludedUsers List<String>: A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
includedGroups List<String>: A list of group IDs in scope of policy unless explicitly excluded.
includedRoles List<String>: A list of role IDs in scope of policy unless explicitly excluded.
includedUsers List<String>: A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

ConditionalAccessPolicyGrantControls

BuiltInControls List<string>: List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
Operator string: Defines the relationship of the grant controls. Possible values are: AND, OR.
CustomAuthenticationFactors List<string>: List of custom controls IDs required by the policy.
TermsOfUses List<string>: List of terms of use IDs required by the policy.

BuiltInControls []string: List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
Operator string: Defines the relationship of the grant controls. Possible values are: AND, OR.
CustomAuthenticationFactors []string: List of custom controls IDs required by the policy.
TermsOfUses []string: List of terms of use IDs required by the policy.

builtInControls List<String>: List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
operator String: Defines the relationship of the grant controls. Possible values are: AND, OR.
customAuthenticationFactors List<String>: List of custom controls IDs required by the policy.
termsOfUses List<String>: List of terms of use IDs required by the policy.

builtInControls string[]: List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
operator string: Defines the relationship of the grant controls. Possible values are: AND, OR.
customAuthenticationFactors string[]: List of custom controls IDs required by the policy.
termsOfUses string[]: List of terms of use IDs required by the policy.

built_in_controls Sequence[str]: List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
operator str: Defines the relationship of the grant controls. Possible values are: AND, OR.
custom_authentication_factors Sequence[str]: List of custom controls IDs required by the policy.
terms_of_uses Sequence[str]: List of terms of use IDs required by the policy.

builtInControls List<String>: List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
operator String: Defines the relationship of the grant controls. Possible values are: AND, OR.
customAuthenticationFactors List<String>: List of custom controls IDs required by the policy.
termsOfUses List<String>: List of terms of use IDs required by the policy.

ConditionalAccessPolicySessionControls

ApplicationEnforcedRestrictionsEnabled bool: Whether or not application enforced restrictions are enabled. Defaults to false.
CloudAppSecurityPolicy string: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
PersistentBrowserMode string: Session control to define whether to persist cookies or not. Possible values are: always or never.
SignInFrequency int: Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.
SignInFrequencyPeriod string: The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

ApplicationEnforcedRestrictionsEnabled bool: Whether or not application enforced restrictions are enabled. Defaults to false.
CloudAppSecurityPolicy string: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
PersistentBrowserMode string: Session control to define whether to persist cookies or not. Possible values are: always or never.
SignInFrequency int: Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.
SignInFrequencyPeriod string: The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

applicationEnforcedRestrictionsEnabled Boolean: Whether or not application enforced restrictions are enabled. Defaults to false.
cloudAppSecurityPolicy String: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
persistentBrowserMode String: Session control to define whether to persist cookies or not. Possible values are: always or never.
signInFrequency Integer: Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.
signInFrequencyPeriod String: The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

applicationEnforcedRestrictionsEnabled boolean: Whether or not application enforced restrictions are enabled. Defaults to false.
cloudAppSecurityPolicy string: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
persistentBrowserMode string: Session control to define whether to persist cookies or not. Possible values are: always or never.
signInFrequency number: Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.
signInFrequencyPeriod string: The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

application_enforced_restrictions_enabled bool: Whether or not application enforced restrictions are enabled. Defaults to false.
cloud_app_security_policy str: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
persistent_browser_mode str: Session control to define whether to persist cookies or not. Possible values are: always or never.
sign_in_frequency int: Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.
sign_in_frequency_period str: The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

applicationEnforcedRestrictionsEnabled Boolean: Whether or not application enforced restrictions are enabled. Defaults to false.
cloudAppSecurityPolicy String: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
persistentBrowserMode String: Session control to define whether to persist cookies or not. Possible values are: always or never.
signInFrequency Number: Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.
signInFrequencyPeriod String: The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

Import

Conditional Access Policies can be imported using the id, e.g.

 $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000

Package Details

Repository: Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License: Apache-2.0
Notes: This Pulumi package is based on the azuread Terraform Provider.