Azure Active Directory (Azure AD) v5.41.0 published on Friday, Sep 15, 2023 by Pulumi

azuread.ConditionalAccessPolicy


    Manages a Conditional Access Policy within Azure Active Directory.

    Licensing Requirements

    Specifying the client_applications property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access policy).

    API Permissions

    The following API permissions are required in order to use this resource.

    When authenticated with a service principal, this resource requires the following application roles: Policy.ReadWrite.ConditionalAccess and Policy.Read.All.

    When authenticated with a user principal, this resource requires one of the following directory roles: Conditional Access Administrator or Global Administrator.

    Example Usage

    All users except guests or external users

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new AzureAD.ConditionalAccessPolicy("example", new()
        {
            Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
            {
                Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
                {
                    ExcludedApplications = new string[] {},
                    IncludedApplications = new[]
                    {
                        "All",
                    },
                },
                ClientAppTypes = new[]
                {
                    "all",
                },
                Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
                {
                    Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
                    {
                        Mode = "exclude",
                        Rule = "device.operatingSystem eq \"Doors\"",
                    },
                },
                Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
                {
                    ExcludedLocations = new[]
                    {
                        "AllTrusted",
                    },
                    IncludedLocations = new[]
                    {
                        "All",
                    },
                },
                Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
                {
                    ExcludedPlatforms = new[]
                    {
                        "iOS",
                    },
                    IncludedPlatforms = new[]
                    {
                        "android",
                    },
                },
                SignInRiskLevels = new[]
                {
                    "medium",
                },
                UserRiskLevels = new[]
                {
                    "medium",
                },
                Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
                {
                    ExcludedUsers = new[]
                    {
                        "GuestsOrExternalUsers",
                    },
                    IncludedUsers = new[]
                    {
                        "All",
                    },
                },
            },
            DisplayName = "example policy",
            GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
            {
                BuiltInControls = new[]
                {
                    "mfa",
                },
                Operator = "OR",
            },
            SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
            {
                ApplicationEnforcedRestrictionsEnabled = true,
                CloudAppSecurityPolicy = "monitorOnly",
                DisableResilienceDefaults = false,
                SignInFrequency = 10,
                SignInFrequencyPeriod = "hours",
            },
            State = "disabled",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
    			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
    				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
    					ExcludedApplications: pulumi.StringArray{},
    					IncludedApplications: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    				ClientAppTypes: pulumi.StringArray{
    					pulumi.String("all"),
    				},
    				Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
    					Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
    						Mode: pulumi.String("exclude"),
    						Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
    					},
    				},
    				Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
    					ExcludedLocations: pulumi.StringArray{
    						pulumi.String("AllTrusted"),
    					},
    					IncludedLocations: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    				Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
    					ExcludedPlatforms: pulumi.StringArray{
    						pulumi.String("iOS"),
    					},
    					IncludedPlatforms: pulumi.StringArray{
    						pulumi.String("android"),
    					},
    				},
    				SignInRiskLevels: pulumi.StringArray{
    					pulumi.String("medium"),
    				},
    				UserRiskLevels: pulumi.StringArray{
    					pulumi.String("medium"),
    				},
    				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
    					ExcludedUsers: pulumi.StringArray{
    						pulumi.String("GuestsOrExternalUsers"),
    					},
    					IncludedUsers: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    			},
    			DisplayName: pulumi.String("example policy"),
    			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
    				BuiltInControls: pulumi.StringArray{
    					pulumi.String("mfa"),
    				},
    				Operator: pulumi.String("OR"),
    			},
    			SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
    				ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
    				CloudAppSecurityPolicy:                 pulumi.String("monitorOnly"),
    				DisableResilienceDefaults:              pulumi.Bool(false),
    				SignInFrequency:                        pulumi.Int(10),
    				SignInFrequencyPeriod:                  pulumi.String("hours"),
    			},
    			State: pulumi.String("disabled"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.ConditionalAccessPolicy;
    import com.pulumi.azuread.ConditionalAccessPolicyArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
                .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                        .excludedApplications()
                        .includedApplications("All")
                        .build())
                    .clientAppTypes("all")
                    .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
                        .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                            .mode("exclude")
                            .rule("device.operatingSystem eq \"Doors\"")
                            .build())
                        .build())
                    .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
                        .excludedLocations("AllTrusted")
                        .includedLocations("All")
                        .build())
                    .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
                        .excludedPlatforms("iOS")
                        .includedPlatforms("android")
                        .build())
                    .signInRiskLevels("medium")
                    .userRiskLevels("medium")
                    .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                        .excludedUsers("GuestsOrExternalUsers")
                        .includedUsers("All")
                        .build())
                    .build())
                .displayName("example policy")
                .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                    .builtInControls("mfa")
                    .operator("OR")
                    .build())
                .sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
                    .applicationEnforcedRestrictionsEnabled(true)
                    .cloudAppSecurityPolicy("monitorOnly")
                    .disableResilienceDefaults(false)
                    .signInFrequency(10)
                    .signInFrequencyPeriod("hours")
                    .build())
                .state("disabled")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    example = azuread.ConditionalAccessPolicy("example",
        conditions=azuread.ConditionalAccessPolicyConditionsArgs(
            applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
                excluded_applications=[],
                included_applications=["All"],
            ),
            client_app_types=["all"],
            devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(
                filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(
                    mode="exclude",
                    rule="device.operatingSystem eq \"Doors\"",
                ),
            ),
            locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(
                excluded_locations=["AllTrusted"],
                included_locations=["All"],
            ),
            platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(
                excluded_platforms=["iOS"],
                included_platforms=["android"],
            ),
            sign_in_risk_levels=["medium"],
            user_risk_levels=["medium"],
            users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
                excluded_users=["GuestsOrExternalUsers"],
                included_users=["All"],
            ),
        ),
        display_name="example policy",
        grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
            built_in_controls=["mfa"],
            operator="OR",
        ),
        session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(
            application_enforced_restrictions_enabled=True,
            cloud_app_security_policy="monitorOnly",
            disable_resilience_defaults=False,
            sign_in_frequency=10,
            sign_in_frequency_period="hours",
        ),
        state="disabled")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const example = new azuread.ConditionalAccessPolicy("example", {
        conditions: {
            applications: {
                excludedApplications: [],
                includedApplications: ["All"],
            },
            clientAppTypes: ["all"],
            devices: {
                filter: {
                    mode: "exclude",
                    rule: "device.operatingSystem eq \"Doors\"",
                },
            },
            locations: {
                excludedLocations: ["AllTrusted"],
                includedLocations: ["All"],
            },
            platforms: {
                excludedPlatforms: ["iOS"],
                includedPlatforms: ["android"],
            },
            signInRiskLevels: ["medium"],
            userRiskLevels: ["medium"],
            users: {
                excludedUsers: ["GuestsOrExternalUsers"],
                includedUsers: ["All"],
            },
        },
        displayName: "example policy",
        grantControls: {
            builtInControls: ["mfa"],
            operator: "OR",
        },
        sessionControls: {
            applicationEnforcedRestrictionsEnabled: true,
            cloudAppSecurityPolicy: "monitorOnly",
            disableResilienceDefaults: false,
            signInFrequency: 10,
            signInFrequencyPeriod: "hours",
        },
        state: "disabled",
    });
    
    resources:
      example:
        type: azuread:ConditionalAccessPolicy
        properties:
          conditions:
            applications:
              excludedApplications: []
              includedApplications:
                - All
            clientAppTypes:
              - all
            devices:
              filter:
                mode: exclude
                rule: device.operatingSystem eq "Doors"
            locations:
              excludedLocations:
                - AllTrusted
              includedLocations:
                - All
            platforms:
              excludedPlatforms:
                - iOS
              includedPlatforms:
                - android
            signInRiskLevels:
              - medium
            userRiskLevels:
              - medium
            users:
              excludedUsers:
                - GuestsOrExternalUsers
              includedUsers:
                - All
          displayName: example policy
          grantControls:
            builtInControls:
              - mfa
            operator: OR
          sessionControls:
            applicationEnforcedRestrictionsEnabled: true
            cloudAppSecurityPolicy: monitorOnly
            disableResilienceDefaults: false
            signInFrequency: 10
            signInFrequencyPeriod: hours
          state: disabled
    

    Included client applications / service principals

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var example = new AzureAD.ConditionalAccessPolicy("example", new()
        {
            DisplayName = "example policy",
            State = "disabled",
            Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
            {
                ClientAppTypes = new[]
                {
                    "all",
                },
                Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
                {
                    IncludedApplications = new[]
                    {
                        "All",
                    },
                },
                ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
                {
                    IncludedServicePrincipals = new[]
                    {
                        current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                    },
                    ExcludedServicePrincipals = new string[] {},
                },
                Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
                {
                    IncludedUsers = new[]
                    {
                        "None",
                    },
                },
            },
            GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
            {
                Operator = "OR",
                BuiltInControls = new[]
                {
                    "block",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
    			DisplayName: pulumi.String("example policy"),
    			State:       pulumi.String("disabled"),
    			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
    				ClientAppTypes: pulumi.StringArray{
    					pulumi.String("all"),
    				},
    				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
    					IncludedApplications: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
    					IncludedServicePrincipals: pulumi.StringArray{
    						pulumi.String(current.ObjectId),
    					},
    					ExcludedServicePrincipals: pulumi.StringArray{},
    				},
    				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
    					IncludedUsers: pulumi.StringArray{
    						pulumi.String("None"),
    					},
    				},
    			},
    			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
    				Operator: pulumi.String("OR"),
    				BuiltInControls: pulumi.StringArray{
    					pulumi.String("block"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.ConditionalAccessPolicy;
    import com.pulumi.azuread.ConditionalAccessPolicyArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
                .displayName("example policy")
                .state("disabled")
                .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                    .clientAppTypes("all")
                    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                        .includedApplications("All")
                        .build())
                    .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                        .includedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                        .excludedServicePrincipals()
                        .build())
                    .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                        .includedUsers("None")
                        .build())
                    .build())
                .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                    .operator("OR")
                    .builtInControls("block")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    example = azuread.ConditionalAccessPolicy("example",
        display_name="example policy",
        state="disabled",
        conditions=azuread.ConditionalAccessPolicyConditionsArgs(
            client_app_types=["all"],
            applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
                included_applications=["All"],
            ),
            client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
                included_service_principals=[current.object_id],
                excluded_service_principals=[],
            ),
            users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
                included_users=["None"],
            ),
        ),
        grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
            operator="OR",
            built_in_controls=["block"],
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const example = new azuread.ConditionalAccessPolicy("example", {
        displayName: "example policy",
        state: "disabled",
        conditions: {
            clientAppTypes: ["all"],
            applications: {
                includedApplications: ["All"],
            },
            clientApplications: {
                includedServicePrincipals: [current.then(current => current.objectId)],
                excludedServicePrincipals: [],
            },
            users: {
                includedUsers: ["None"],
            },
        },
        grantControls: {
            operator: "OR",
            builtInControls: ["block"],
        },
    });
    
    resources:
      example:
        type: azuread:ConditionalAccessPolicy
        properties:
          displayName: example policy
          state: disabled
          conditions:
            clientAppTypes:
              - all
            applications:
              includedApplications:
                - All
            clientApplications:
              includedServicePrincipals:
                - ${current.objectId}
              excludedServicePrincipals: []
            users:
              includedUsers:
                - None
          grantControls:
            operator: OR
            builtInControls:
              - block
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Excluded client applications / service principals

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var example = new AzureAD.ConditionalAccessPolicy("example", new()
        {
            DisplayName = "example policy",
            State = "disabled",
            Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
            {
                ClientAppTypes = new[]
                {
                    "all",
                },
                Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
                {
                    IncludedApplications = new[]
                    {
                        "All",
                    },
                },
                ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
                {
                    IncludedServicePrincipals = new[]
                    {
                        "ServicePrincipalsInMyTenant",
                    },
                    ExcludedServicePrincipals = new[]
                    {
                        current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                    },
                },
                Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
                {
                    IncludedUsers = new[]
                    {
                        "None",
                    },
                },
            },
            GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
            {
                Operator = "OR",
                BuiltInControls = new[]
                {
                    "block",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
    			DisplayName: pulumi.String("example policy"),
    			State:       pulumi.String("disabled"),
    			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
    				ClientAppTypes: pulumi.StringArray{
    					pulumi.String("all"),
    				},
    				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
    					IncludedApplications: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
    					IncludedServicePrincipals: pulumi.StringArray{
    						pulumi.String("ServicePrincipalsInMyTenant"),
    					},
    					ExcludedServicePrincipals: pulumi.StringArray{
    						pulumi.String(current.ObjectId),
    					},
    				},
    				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
    					IncludedUsers: pulumi.StringArray{
    						pulumi.String("None"),
    					},
    				},
    			},
    			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
    				Operator: pulumi.String("OR"),
    				BuiltInControls: pulumi.StringArray{
    					pulumi.String("block"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.ConditionalAccessPolicy;
    import com.pulumi.azuread.ConditionalAccessPolicyArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
                .displayName("example policy")
                .state("disabled")
                .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                    .clientAppTypes("all")
                    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                        .includedApplications("All")
                        .build())
                    .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                        .includedServicePrincipals("ServicePrincipalsInMyTenant")
                        .excludedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                        .build())
                    .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                        .includedUsers("None")
                        .build())
                    .build())
                .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                    .operator("OR")
                    .builtInControls("block")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    example = azuread.ConditionalAccessPolicy("example",
        display_name="example policy",
        state="disabled",
        conditions=azuread.ConditionalAccessPolicyConditionsArgs(
            client_app_types=["all"],
            applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
                included_applications=["All"],
            ),
            client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
                included_service_principals=["ServicePrincipalsInMyTenant"],
                excluded_service_principals=[current.object_id],
            ),
            users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
                included_users=["None"],
            ),
        ),
        grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
            operator="OR",
            built_in_controls=["block"],
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const example = new azuread.ConditionalAccessPolicy("example", {
        displayName: "example policy",
        state: "disabled",
        conditions: {
            clientAppTypes: ["all"],
            applications: {
                includedApplications: ["All"],
            },
            clientApplications: {
                includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
                excludedServicePrincipals: [current.then(current => current.objectId)],
            },
            users: {
                includedUsers: ["None"],
            },
        },
        grantControls: {
            operator: "OR",
            builtInControls: ["block"],
        },
    });
    
    resources:
      example:
        type: azuread:ConditionalAccessPolicy
        properties:
          displayName: example policy
          state: disabled
          conditions:
            clientAppTypes:
              - all
            applications:
              includedApplications:
                - All
            clientApplications:
              includedServicePrincipals:
                - ServicePrincipalsInMyTenant
              excludedServicePrincipals:
                - ${current.objectId}
            users:
              includedUsers:
                - None
          grantControls:
            operator: OR
            builtInControls:
              - block
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Create ConditionalAccessPolicy Resource

    new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def ConditionalAccessPolicy(resource_name: str,
                                opts: Optional[ResourceOptions] = None,
                                conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
                                display_name: Optional[str] = None,
                                grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
                                session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
                                state: Optional[str] = None)
    @overload
    def ConditionalAccessPolicy(resource_name: str,
                                args: ConditionalAccessPolicyArgs,
                                opts: Optional[ResourceOptions] = None)
    func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
    public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
    public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
    public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
    
    type: azuread:ConditionalAccessPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    ConditionalAccessPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ConditionalAccessPolicy resource accepts the following input properties:

    Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    DisplayName string

    The friendly name for this Conditional Access Policy.

    State string

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    Conditions ConditionalAccessPolicyConditionsArgs

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    DisplayName string

    The friendly name for this Conditional Access Policy.

    State string

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    GrantControls ConditionalAccessPolicyGrantControlsArgs

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    SessionControls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions ConditionalAccessPolicyConditions

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    displayName String

    The friendly name for this Conditional Access Policy.

    state String

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    grantControls ConditionalAccessPolicyGrantControls

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions ConditionalAccessPolicyConditions

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    displayName string

    The friendly name for this Conditional Access Policy.

    state string

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    grantControls ConditionalAccessPolicyGrantControls

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions ConditionalAccessPolicyConditionsArgs

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    display_name str

    The friendly name for this Conditional Access Policy.

    state str

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    grant_controls ConditionalAccessPolicyGrantControlsArgs

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    session_controls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions Property Map

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    displayName String

    The friendly name for this Conditional Access Policy.

    state String

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    grantControls Property Map

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    sessionControls Property Map

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:

    Id string

    The provider-assigned unique ID for this managed resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    id string

    The provider-assigned unique ID for this managed resource.

    id str

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing ConditionalAccessPolicy Resource

    Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
            display_name: Optional[str] = None,
            grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
            session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
            state: Optional[str] = None) -> ConditionalAccessPolicy
    func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
    public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)
    public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to look up.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    DisplayName string

    The friendly name for this Conditional Access Policy.

    GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    State string

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    Conditions ConditionalAccessPolicyConditionsArgs

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    DisplayName string

    The friendly name for this Conditional Access Policy.

    GrantControls ConditionalAccessPolicyGrantControlsArgs

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    SessionControls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    State string

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    conditions ConditionalAccessPolicyConditions

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    displayName String

    The friendly name for this Conditional Access Policy.

    grantControls ConditionalAccessPolicyGrantControls

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state String

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    conditions ConditionalAccessPolicyConditions

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    displayName string

    The friendly name for this Conditional Access Policy.

    grantControls ConditionalAccessPolicyGrantControls

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state string

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    conditions ConditionalAccessPolicyConditionsArgs

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    display_name str

    The friendly name for this Conditional Access Policy.

    grant_controls ConditionalAccessPolicyGrantControlsArgs

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    session_controls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state str

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    conditions Property Map

    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.

    displayName String

    The friendly name for this Conditional Access Policy.

    grantControls Property Map

    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.

    sessionControls Property Map

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state String

    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced.

    Supporting Types

    ConditionalAccessPolicyConditions, ConditionalAccessPolicyConditionsArgs

    Applications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsApplications

    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.

    ClientAppTypes List<string>

    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.

    Users Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsers

    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.

    ClientApplications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplications

    A client_applications block as documented below, which specifies service principals included in and excluded from the policy.

    Devices Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevices

    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.

    Locations Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsLocations

    A locations block as documented below, which specifies locations included in and excluded from the policy.

    Platforms Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatforms

    A platforms block as documented below, which specifies platforms included in and excluded from the policy.

    ServicePrincipalRiskLevels List<string>

    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.

    SignInRiskLevels List<string>

    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    UserRiskLevels List<string>

    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    Applications ConditionalAccessPolicyConditionsApplications

    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.

    ClientAppTypes []string

    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.

    Users ConditionalAccessPolicyConditionsUsers

    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.

    ClientApplications ConditionalAccessPolicyConditionsClientApplications

    A client_applications block as documented below, which specifies service principals included in and excluded from the policy.

    Devices ConditionalAccessPolicyConditionsDevices

    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.

    Locations ConditionalAccessPolicyConditionsLocations

    A locations block as documented below, which specifies locations included in and excluded from the policy.

    Platforms ConditionalAccessPolicyConditionsPlatforms

    A platforms block as documented below, which specifies platforms included in and excluded from the policy.

    ServicePrincipalRiskLevels []string

    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.

    SignInRiskLevels []string

    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    UserRiskLevels []string

    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    applications ConditionalAccessPolicyConditionsApplications

    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.

    clientAppTypes List<String>

    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.

    users ConditionalAccessPolicyConditionsUsers

    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.

    clientApplications ConditionalAccessPolicyConditionsClientApplications

    A client_applications block as documented below, which specifies service principals included in and excluded from the policy.

    devices ConditionalAccessPolicyConditionsDevices

    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.

    locations ConditionalAccessPolicyConditionsLocations

    A locations block as documented below, which specifies locations included in and excluded from the policy.

    platforms ConditionalAccessPolicyConditionsPlatforms

    A platforms block as documented below, which specifies platforms included in and excluded from the policy.

    servicePrincipalRiskLevels List<String>

    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.

    signInRiskLevels List<String>

    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    userRiskLevels List<String>

    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    applications ConditionalAccessPolicyConditionsApplications

    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.

    clientAppTypes string[]

    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.

    users ConditionalAccessPolicyConditionsUsers

    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.

    clientApplications ConditionalAccessPolicyConditionsClientApplications

    A client_applications block as documented below, which specifies service principals included in and excluded from the policy.

    devices ConditionalAccessPolicyConditionsDevices

    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.

    locations ConditionalAccessPolicyConditionsLocations

    A locations block as documented below, which specifies locations included in and excluded from the policy.

    platforms ConditionalAccessPolicyConditionsPlatforms

    A platforms block as documented below, which specifies platforms included in and excluded from the policy.

    servicePrincipalRiskLevels string[]

    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.

    signInRiskLevels string[]

    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    userRiskLevels string[]

    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    applications ConditionalAccessPolicyConditionsApplications

    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.

    client_app_types Sequence[str]

    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.

    users ConditionalAccessPolicyConditionsUsers

    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.

    client_applications ConditionalAccessPolicyConditionsClientApplications

    A client_applications block as documented below, which specifies service principals included in and excluded from the policy.

    devices ConditionalAccessPolicyConditionsDevices

    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.

    locations ConditionalAccessPolicyConditionsLocations

    A locations block as documented below, which specifies locations included in and excluded from the policy.

    platforms ConditionalAccessPolicyConditionsPlatforms

    A platforms block as documented below, which specifies platforms included in and excluded from the policy.

    service_principal_risk_levels Sequence[str]

    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.

    sign_in_risk_levels Sequence[str]

    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    user_risk_levels Sequence[str]

    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    applications Property Map

    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.

    clientAppTypes List<String>

    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.

    users Property Map

    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.

    clientApplications Property Map

    A client_applications block as documented below, which specifies service principals included in and excluded from the policy.

    devices Property Map

    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.

    locations Property Map

    A locations block as documented below, which specifies locations included in and excluded from the policy.

    platforms Property Map

    A platforms block as documented below, which specifies platforms included in and excluded from the policy.

    servicePrincipalRiskLevels List<String>

    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.

    signInRiskLevels List<String>

    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    userRiskLevels List<String>

    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    ConditionalAccessPolicyConditionsApplications, ConditionalAccessPolicyConditionsApplicationsArgs

    ExcludedApplications List<string>

    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.

    IncludedApplications List<string>

    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.

    IncludedUserActions List<string>

    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    ExcludedApplications []string

    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.

    IncludedApplications []string

    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.

    IncludedUserActions []string

    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    excludedApplications List<String>

    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.

    includedApplications List<String>

    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.

    includedUserActions List<String>

    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    excludedApplications string[]

    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.

    includedApplications string[]

    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.

    includedUserActions string[]

    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    excluded_applications Sequence[str]

    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.

    included_applications Sequence[str]

    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.

    included_user_actions Sequence[str]

    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    excludedApplications List<String>

    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.

    includedApplications List<String>

    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.

    includedUserActions List<String>

    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    ConditionalAccessPolicyConditionsClientApplications, ConditionalAccessPolicyConditionsClientApplicationsArgs

    ExcludedServicePrincipals List<string>

    A list of service principal IDs explicitly excluded in the policy.

    IncludedServicePrincipals List<string>

    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This value is mandatory when at least one excluded_service_principals is set.

    ExcludedServicePrincipals []string

    A list of service principal IDs explicitly excluded in the policy.

    IncludedServicePrincipals []string

    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This value is mandatory when at least one excluded_service_principals is set.

    excludedServicePrincipals List<String>

    A list of service principal IDs explicitly excluded in the policy.

    includedServicePrincipals List<String>

    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This value is mandatory when at least one excluded_service_principals is set.

    excludedServicePrincipals string[]

    A list of service principal IDs explicitly excluded in the policy.

    includedServicePrincipals string[]

    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This value is mandatory when at least one excluded_service_principals is set.

    excluded_service_principals Sequence[str]

    A list of service principal IDs explicitly excluded in the policy.

    included_service_principals Sequence[str]

    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This value is mandatory when at least one excluded_service_principals is set.

    excludedServicePrincipals List<String>

    A list of service principal IDs explicitly excluded in the policy.

    includedServicePrincipals List<String>

    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This value is mandatory when at least one excluded_service_principals is set.

    ConditionalAccessPolicyConditionsDevices, ConditionalAccessPolicyConditionsDevicesArgs

    Filter Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilter

    A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

    Filter ConditionalAccessPolicyConditionsDevicesFilter

    A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

    filter ConditionalAccessPolicyConditionsDevicesFilter

    A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

    filter ConditionalAccessPolicyConditionsDevicesFilter

    A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

    filter ConditionalAccessPolicyConditionsDevicesFilter

    A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

    filter Property Map

    A filter block as described below. A filter block can be added to an existing policy, but removing the filter block forces a new resource to be created.

    ConditionalAccessPolicyConditionsDevicesFilter, ConditionalAccessPolicyConditionsDevicesFilterArgs

    Mode string

    Whether to include matching devices in, or exclude them from, the policy. Supported values are include or exclude.

    Rule string

    Condition filter to match devices. For more information, see official documentation.

    Mode string

    Whether to include matching devices in, or exclude them from, the policy. Supported values are include or exclude.

    Rule string

    Condition filter to match devices. For more information, see official documentation.

    mode String

    Whether to include matching devices in, or exclude them from, the policy. Supported values are include or exclude.

    rule String

    Condition filter to match devices. For more information, see official documentation.

    mode string

    Whether to include matching devices in, or exclude them from, the policy. Supported values are include or exclude.

    rule string

    Condition filter to match devices. For more information, see official documentation.

    mode str

    Whether to include matching devices in, or exclude them from, the policy. Supported values are include or exclude.

    rule str

    Condition filter to match devices. For more information, see official documentation.

    mode String

    Whether to include matching devices in, or exclude them from, the policy. Supported values are include or exclude.

    rule String

    Condition filter to match devices. For more information, see official documentation.

    ConditionalAccessPolicyConditionsLocations, ConditionalAccessPolicyConditionsLocationsArgs

    IncludedLocations List<string>

    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.

    ExcludedLocations List<string>

    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    IncludedLocations []string

    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.

    ExcludedLocations []string

    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    includedLocations List<String>

    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.

    excludedLocations List<String>

    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    includedLocations string[]

    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.

    excludedLocations string[]

    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    included_locations Sequence[str]

    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.

    excluded_locations Sequence[str]

    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    includedLocations List<String>

    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.

    excludedLocations List<String>

    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    ConditionalAccessPolicyConditionsPlatforms, ConditionalAccessPolicyConditionsPlatformsArgs

    IncludedPlatforms List<string>

    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    ExcludedPlatforms List<string>

    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    IncludedPlatforms []string

    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    ExcludedPlatforms []string

    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    includedPlatforms List<String>

    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    excludedPlatforms List<String>

    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    includedPlatforms string[]

    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    excludedPlatforms string[]

    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    included_platforms Sequence[str]

    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    excluded_platforms Sequence[str]

    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    includedPlatforms List<String>

    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    excludedPlatforms List<String>

    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    ConditionalAccessPolicyConditionsUsers, ConditionalAccessPolicyConditionsUsersArgs

    ExcludedGroups List<string>

    A list of group IDs excluded from scope of policy.

    ExcludedRoles List<string>

    A list of role IDs excluded from scope of policy.

    ExcludedUsers List<string>

    A list of user IDs and/or GuestsOrExternalUsers excluded from the scope of the policy.

    IncludedGroups List<string>

    A list of group IDs in scope of policy unless explicitly excluded.

    IncludedRoles List<string>

    A list of role IDs in scope of policy unless explicitly excluded.

    IncludedUsers List<string>

    A list of user IDs in scope of the policy unless explicitly excluded. Can also be set to None, All or GuestsOrExternalUsers.

    At least one of included_groups, included_roles or included_users must be specified.

    ExcludedGroups []string

    A list of group IDs excluded from scope of policy.

    ExcludedRoles []string

    A list of role IDs excluded from scope of policy.

    ExcludedUsers []string

    A list of user IDs and/or GuestsOrExternalUsers excluded from the scope of the policy.

    IncludedGroups []string

    A list of group IDs in scope of policy unless explicitly excluded.

    IncludedRoles []string

    A list of role IDs in scope of policy unless explicitly excluded.

    IncludedUsers []string

    A list of user IDs in scope of the policy unless explicitly excluded. Can also be set to None, All or GuestsOrExternalUsers.

    At least one of included_groups, included_roles or included_users must be specified.

    excludedGroups List<String>

    A list of group IDs excluded from scope of policy.

    excludedRoles List<String>

    A list of role IDs excluded from scope of policy.

    excludedUsers List<String>

    A list of user IDs and/or GuestsOrExternalUsers excluded from the scope of the policy.

    includedGroups List<String>

    A list of group IDs in scope of policy unless explicitly excluded.

    includedRoles List<String>

    A list of role IDs in scope of policy unless explicitly excluded.

    includedUsers List<String>

    A list of user IDs in scope of the policy unless explicitly excluded. Can also be set to None, All or GuestsOrExternalUsers.

    At least one of included_groups, included_roles or included_users must be specified.

    excludedGroups string[]

    A list of group IDs excluded from scope of policy.

    excludedRoles string[]

    A list of role IDs excluded from scope of policy.

    excludedUsers string[]

    A list of user IDs and/or GuestsOrExternalUsers excluded from the scope of the policy.

    includedGroups string[]

    A list of group IDs in scope of policy unless explicitly excluded.

    includedRoles string[]

    A list of role IDs in scope of policy unless explicitly excluded.

    includedUsers string[]

    A list of user IDs in scope of the policy unless explicitly excluded. Can also be set to None, All or GuestsOrExternalUsers.

    At least one of included_groups, included_roles or included_users must be specified.

    excluded_groups Sequence[str]

    A list of group IDs excluded from scope of policy.

    excluded_roles Sequence[str]

    A list of role IDs excluded from scope of policy.

    excluded_users Sequence[str]

    A list of user IDs and/or GuestsOrExternalUsers excluded from the scope of the policy.

    included_groups Sequence[str]

    A list of group IDs in scope of policy unless explicitly excluded.

    included_roles Sequence[str]

    A list of role IDs in scope of policy unless explicitly excluded.

    included_users Sequence[str]

    A list of user IDs in scope of the policy unless explicitly excluded. Can also be set to None, All or GuestsOrExternalUsers.

    At least one of included_groups, included_roles or included_users must be specified.

    excludedGroups List<String>

    A list of group IDs excluded from scope of policy.

    excludedRoles List<String>

    A list of role IDs excluded from scope of policy.

    excludedUsers List<String>

    A list of user IDs and/or GuestsOrExternalUsers excluded from the scope of the policy.

    includedGroups List<String>

    A list of group IDs in scope of policy unless explicitly excluded.

    includedRoles List<String>

    A list of role IDs in scope of policy unless explicitly excluded.

    includedUsers List<String>

    A list of user IDs in scope of the policy unless explicitly excluded. Can also be set to None, All or GuestsOrExternalUsers.

    At least one of included_groups, included_roles or included_users must be specified.

    ConditionalAccessPolicyGrantControls, ConditionalAccessPolicyGrantControlsArgs

    Operator string

    Defines the relationship of the grant controls. Possible values are: AND, OR.

    BuiltInControls List<string>

    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.

    CustomAuthenticationFactors List<string>

    List of custom controls IDs required by the policy.

    TermsOfUses List<string>

    List of terms of use IDs required by the policy.

    At least one of built_in_controls or terms_of_use must be specified.

    Operator string

    Defines the relationship of the grant controls. Possible values are: AND, OR.

    BuiltInControls []string

    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.

    CustomAuthenticationFactors []string

    List of custom controls IDs required by the policy.

    TermsOfUses []string

    List of terms of use IDs required by the policy.

    At least one of built_in_controls or terms_of_use must be specified.

    operator String

    Defines the relationship of the grant controls. Possible values are: AND, OR.

    builtInControls List<String>

    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.

    customAuthenticationFactors List<String>

    List of custom controls IDs required by the policy.

    termsOfUses List<String>

    List of terms of use IDs required by the policy.

    At least one of built_in_controls or terms_of_use must be specified.

    operator string

    Defines the relationship of the grant controls. Possible values are: AND, OR.

    builtInControls string[]

    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.

    customAuthenticationFactors string[]

    List of custom controls IDs required by the policy.

    termsOfUses string[]

    List of terms of use IDs required by the policy.

    At least one of built_in_controls or terms_of_use must be specified.

    operator str

    Defines the relationship of the grant controls. Possible values are: AND, OR.

    built_in_controls Sequence[str]

    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.

    custom_authentication_factors Sequence[str]

    List of custom controls IDs required by the policy.

    terms_of_uses Sequence[str]

    List of terms of use IDs required by the policy.

    At least one of built_in_controls or terms_of_use must be specified.

    operator String

    Defines the relationship of the grant controls. Possible values are: AND, OR.

    builtInControls List<String>

    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.

    customAuthenticationFactors List<String>

    List of custom controls IDs required by the policy.

    termsOfUses List<String>

    List of terms of use IDs required by the policy.

    At least one of built_in_controls or terms_of_use must be specified.

    ConditionalAccessPolicySessionControls, ConditionalAccessPolicySessionControlsArgs

    ApplicationEnforcedRestrictionsEnabled bool

    Whether or not application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.

    CloudAppSecurityPolicy string

    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.

    DisableResilienceDefaults bool

    Disables resilience defaults. Defaults to false.

    PersistentBrowserMode string

    Session control to define whether to persist cookies or not. Possible values are: always or never.

    SignInFrequency int

    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

    SignInFrequencyPeriod string

    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency is specified. Due to an API issue, removing this property forces a new resource to be created.

    ApplicationEnforcedRestrictionsEnabled bool

    Whether or not application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.

    CloudAppSecurityPolicy string

    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.

    DisableResilienceDefaults bool

    Disables resilience defaults. Defaults to false.

    PersistentBrowserMode string

    Session control to define whether to persist cookies or not. Possible values are: always or never.

    SignInFrequency int

    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

    SignInFrequencyPeriod string

    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency is specified. Due to an API issue, removing this property forces a new resource to be created.

    applicationEnforcedRestrictionsEnabled Boolean

    Whether or not application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.

    cloudAppSecurityPolicy String

    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.

    disableResilienceDefaults Boolean

    Disables resilience defaults. Defaults to false.

    persistentBrowserMode String

    Session control to define whether to persist cookies or not. Possible values are: always or never.

    signInFrequency Integer

    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

    signInFrequencyPeriod String

    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency is specified. Due to an API issue, removing this property forces a new resource to be created.

    applicationEnforcedRestrictionsEnabled boolean

    Whether or not application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.

    cloudAppSecurityPolicy string

    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.

    disableResilienceDefaults boolean

    Disables resilience defaults. Defaults to false.

    persistentBrowserMode string

    Session control to define whether to persist cookies or not. Possible values are: always or never.

    signInFrequency number

    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

    signInFrequencyPeriod string

    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency is specified. Due to an API issue, removing this property forces a new resource to be created.

    application_enforced_restrictions_enabled bool

    Whether or not application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.

    cloud_app_security_policy str

    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.

    disable_resilience_defaults bool

    Disables resilience defaults. Defaults to false.

    persistent_browser_mode str

    Session control to define whether to persist cookies or not. Possible values are: always or never.

    sign_in_frequency int

    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

    sign_in_frequency_period str

    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency is specified. Due to an API issue, removing this property forces a new resource to be created.

    applicationEnforcedRestrictionsEnabled Boolean

    Whether or not application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.

    cloudAppSecurityPolicy String

    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.

    disableResilienceDefaults Boolean

    Disables resilience defaults. Defaults to false.

    persistentBrowserMode String

    Session control to define whether to persist cookies or not. Possible values are: always or never.

    signInFrequency Number

    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified. Due to an API issue, removing this property forces a new resource to be created.

    signInFrequencyPeriod String

    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency is specified. Due to an API issue, removing this property forces a new resource to be created.
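
    The argument rules listed in the supporting types above (applications, client applications, users, device filter, platforms, grant controls and session controls) can be checked offline before a deployment. The following is an added example, not code from the Pulumi package: it lints a plain dict keyed by the Python property names on this page, and lint_policy, the constants and both sample policies are constructed for illustration.

```python
# Added example: offline lint for the argument rules documented on this page.
# lint_policy, the constants and the sample dicts are illustrative names, not pulumi_azuread API.
USER_ACTIONS = {"urn:user:registerdevice", "urn:user:registersecurityinfo"}
PLATFORMS = {"all", "android", "iOS", "linux", "macOS", "windows",
             "windowsPhone", "unknownFutureValue"}
BUILT_IN_CONTROLS = {"block", "mfa", "approvedApplication", "compliantApplication",
                     "compliantDevice", "domainJoinedDevice", "passwordChange",
                     "unknownFutureValue"}
CLOUD_APP_POLICIES = {"blockDownloads", "mcasConfigured", "monitorOnly", "unknownFutureValue"}


def _check_enum(errors, path, values, allowed):
    """Record every value at `path` that is outside the documented set."""
    if values is None:
        return
    for v in values if isinstance(values, (list, tuple)) else [values]:
        if v not in allowed:
            errors.append(f"{path}: unsupported value {v!r}")


def lint_policy(policy):
    """Return a list of violations; an empty list means the policy passes."""
    errors = []
    cond = policy.get("conditions") or {}

    apps = cond.get("applications") or {}
    if bool(apps.get("included_applications")) == bool(apps.get("included_user_actions")):
        errors.append("applications: set exactly one of included_applications "
                      "or included_user_actions")
    _check_enum(errors, "applications.included_user_actions",
                apps.get("included_user_actions"), USER_ACTIONS)
    client = cond.get("client_applications") or {}
    if client.get("excluded_service_principals") and not client.get("included_service_principals"):
        errors.append("client_applications: included_service_principals is mandatory "
                      "when excluded_service_principals is set")

    users = cond.get("users") or {}
    if not any(users.get(k) for k in ("included_groups", "included_roles", "included_users")):
        errors.append("users: specify at least one of included_groups, "
                      "included_roles or included_users")

    dev_filter = (cond.get("devices") or {}).get("filter") or {}
    _check_enum(errors, "devices.filter.mode", dev_filter.get("mode"), {"include", "exclude"})
    platforms = cond.get("platforms") or {}
    for key in ("included_platforms", "excluded_platforms"):
        _check_enum(errors, f"platforms.{key}", platforms.get(key), PLATFORMS)

    grant = policy.get("grant_controls")
    if grant is not None:
        _check_enum(errors, "grant_controls.operator", grant.get("operator"), {"AND", "OR"})
        _check_enum(errors, "grant_controls.built_in_controls",
                    grant.get("built_in_controls"), BUILT_IN_CONTROLS)
        if not grant.get("built_in_controls") and not grant.get("terms_of_uses"):
            errors.append("grant_controls: specify at least one of built_in_controls "
                          "or terms_of_uses")

    session = policy.get("session_controls") or {}
    if session.get("sign_in_frequency_period") and session.get("sign_in_frequency") is None:
        errors.append("session_controls: sign_in_frequency is required when "
                      "sign_in_frequency_period is specified")
    for key, allowed in (("sign_in_frequency_period", {"hours", "days"}),
                         ("persistent_browser_mode", {"always", "never"}),
                         ("cloud_app_security_policy", CLOUD_APP_POLICIES)):
        _check_enum(errors, f"session_controls.{key}", session.get(key), allowed)
    return errors


# Constructed sample policies (placeholder IDs, not taken from any tenant).
GOOD_POLICY = {
    "conditions": {"applications": {"included_applications": ["All"]},
                   "users": {"included_users": ["All"],
                             "excluded_users": ["GuestsOrExternalUsers"]}},
    "grant_controls": {"operator": "OR", "built_in_controls": ["mfa"]},
    "session_controls": {"sign_in_frequency": 10, "sign_in_frequency_period": "hours"},
}
BAD_POLICY = {
    "conditions": {"applications": {"included_applications": ["All"],
                                    "included_user_actions": ["urn:user:registerdevice"]},
                   "client_applications": {"excluded_service_principals": ["<sp-id>"]},
                   "users": {"excluded_users": ["GuestsOrExternalUsers"]},
                   "platforms": {"included_platforms": ["ios"]}},
    "grant_controls": {"operator": "AND", "built_in_controls": []},
    "session_controls": {"sign_in_frequency_period": "weeks"},
}
```

    Platform names are case-sensitive in the documented list, which is why the constructed `ios` entry is reported while `iOS` would pass.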

    Import

    Conditional Access Policies can be imported using the id, e.g.

     $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000
    

    Package Details

    Repository
    Azure Active Directory (Azure AD) pulumi/pulumi-azuread
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the azuread Terraform Provider.
