1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. ConditionalAccessPolicy
Azure Active Directory (Azure AD) v5.47.2 published on Tuesday, Feb 27, 2024 by Pulumi

azuread.ConditionalAccessPolicy

Explore with Pulumi AI

azuread logo
Azure Active Directory (Azure AD) v5.47.2 published on Tuesday, Feb 27, 2024 by Pulumi

    Manages a Conditional Access Policy within Azure Active Directory.

    Licensing Requirements Specifying client_applications property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access).

    API Permissions

    The following API permissions are required in order to use this resource.

    When authenticated with a service principal, this resource requires the following application roles: Policy.ReadWrite.ConditionalAccess and Policy.Read.All

    When authenticated with a user principal, this resource requires one of the following directory roles: Conditional Access Administrator or Global Administrator

    Example Usage

    All users except guests or external users

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new AzureAD.ConditionalAccessPolicy("example", new()
        {
            DisplayName = "example policy",
            State = "disabled",
            Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
            {
                ClientAppTypes = new[]
                {
                    "all",
                },
                SignInRiskLevels = new[]
                {
                    "medium",
                },
                UserRiskLevels = new[]
                {
                    "medium",
                },
                Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
                {
                    IncludedApplications = new[]
                    {
                        "All",
                    },
                    ExcludedApplications = new() { },
                },
                Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
                {
                    Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
                    {
                        Mode = "exclude",
                        Rule = "device.operatingSystem eq \"Doors\"",
                    },
                },
                Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
                {
                    IncludedLocations = new[]
                    {
                        "All",
                    },
                    ExcludedLocations = new[]
                    {
                        "AllTrusted",
                    },
                },
                Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
                {
                    IncludedPlatforms = new[]
                    {
                        "android",
                    },
                    ExcludedPlatforms = new[]
                    {
                        "iOS",
                    },
                },
                Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
                {
                    IncludedUsers = new[]
                    {
                        "All",
                    },
                    ExcludedUsers = new[]
                    {
                        "GuestsOrExternalUsers",
                    },
                },
            },
            GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
            {
                Operator = "OR",
                BuiltInControls = new[]
                {
                    "mfa",
                },
            },
            SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
            {
                ApplicationEnforcedRestrictionsEnabled = true,
                DisableResilienceDefaults = false,
                SignInFrequency = 10,
                SignInFrequencyPeriod = "hours",
                CloudAppSecurityPolicy = "monitorOnly",
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
    			DisplayName: pulumi.String("example policy"),
    			State:       pulumi.String("disabled"),
    			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
    				ClientAppTypes: pulumi.StringArray{
    					pulumi.String("all"),
    				},
    				SignInRiskLevels: pulumi.StringArray{
    					pulumi.String("medium"),
    				},
    				UserRiskLevels: pulumi.StringArray{
    					pulumi.String("medium"),
    				},
    				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
    					IncludedApplications: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    					ExcludedApplications: pulumi.StringArray{},
    				},
    				Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
    					Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
    						Mode: pulumi.String("exclude"),
    						Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
    					},
    				},
    				Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
    					IncludedLocations: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    					ExcludedLocations: pulumi.StringArray{
    						pulumi.String("AllTrusted"),
    					},
    				},
    				Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
    					IncludedPlatforms: pulumi.StringArray{
    						pulumi.String("android"),
    					},
    					ExcludedPlatforms: pulumi.StringArray{
    						pulumi.String("iOS"),
    					},
    				},
    				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
    					IncludedUsers: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    					ExcludedUsers: pulumi.StringArray{
    						pulumi.String("GuestsOrExternalUsers"),
    					},
    				},
    			},
    			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
    				Operator: pulumi.String("OR"),
    				BuiltInControls: pulumi.StringArray{
    					pulumi.String("mfa"),
    				},
    			},
    			SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
    				ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
    				DisableResilienceDefaults:              pulumi.Bool(false),
    				SignInFrequency:                        pulumi.Int(10),
    				SignInFrequencyPeriod:                  pulumi.String("hours"),
    				CloudAppSecurityPolicy:                 pulumi.String("monitorOnly"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.ConditionalAccessPolicy;
    import com.pulumi.azuread.ConditionalAccessPolicyArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
                .displayName("example policy")
                .state("disabled")
                .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                    .clientAppTypes("all")
                    .signInRiskLevels("medium")
                    .userRiskLevels("medium")
                    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                        .includedApplications("All")
                        .excludedApplications()
                        .build())
                    .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
                        .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                            .mode("exclude")
                            .rule("device.operatingSystem eq \"Doors\"")
                            .build())
                        .build())
                    .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
                        .includedLocations("All")
                        .excludedLocations("AllTrusted")
                        .build())
                    .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
                        .includedPlatforms("android")
                        .excludedPlatforms("iOS")
                        .build())
                    .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                        .includedUsers("All")
                        .excludedUsers("GuestsOrExternalUsers")
                        .build())
                    .build())
                .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                    .operator("OR")
                    .builtInControls("mfa")
                    .build())
                .sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
                    .applicationEnforcedRestrictionsEnabled(true)
                    .disableResilienceDefaults(false)
                    .signInFrequency(10)
                    .signInFrequencyPeriod("hours")
                    .cloudAppSecurityPolicy("monitorOnly")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    example = azuread.ConditionalAccessPolicy("example",
        display_name="example policy",
        state="disabled",
        conditions=azuread.ConditionalAccessPolicyConditionsArgs(
            client_app_types=["all"],
            sign_in_risk_levels=["medium"],
            user_risk_levels=["medium"],
            applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
                included_applications=["All"],
                excluded_applications=[],
            ),
            devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(
                filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(
                    mode="exclude",
                    rule="device.operatingSystem eq \"Doors\"",
                ),
            ),
            locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(
                included_locations=["All"],
                excluded_locations=["AllTrusted"],
            ),
            platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(
                included_platforms=["android"],
                excluded_platforms=["iOS"],
            ),
            users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
                included_users=["All"],
                excluded_users=["GuestsOrExternalUsers"],
            ),
        ),
        grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
            operator="OR",
            built_in_controls=["mfa"],
        ),
        session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(
            application_enforced_restrictions_enabled=True,
            disable_resilience_defaults=False,
            sign_in_frequency=10,
            sign_in_frequency_period="hours",
            cloud_app_security_policy="monitorOnly",
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const example = new azuread.ConditionalAccessPolicy("example", {
        displayName: "example policy",
        state: "disabled",
        conditions: {
            clientAppTypes: ["all"],
            signInRiskLevels: ["medium"],
            userRiskLevels: ["medium"],
            applications: {
                includedApplications: ["All"],
                excludedApplications: [],
            },
            devices: {
                filter: {
                    mode: "exclude",
                    rule: "device.operatingSystem eq \"Doors\"",
                },
            },
            locations: {
                includedLocations: ["All"],
                excludedLocations: ["AllTrusted"],
            },
            platforms: {
                includedPlatforms: ["android"],
                excludedPlatforms: ["iOS"],
            },
            users: {
                includedUsers: ["All"],
                excludedUsers: ["GuestsOrExternalUsers"],
            },
        },
        grantControls: {
            operator: "OR",
            builtInControls: ["mfa"],
        },
        sessionControls: {
            applicationEnforcedRestrictionsEnabled: true,
            disableResilienceDefaults: false,
            signInFrequency: 10,
            signInFrequencyPeriod: "hours",
            cloudAppSecurityPolicy: "monitorOnly",
        },
    });
    
    resources:
      example:
        type: azuread:ConditionalAccessPolicy
        properties:
          displayName: example policy
          state: disabled
          conditions:
            clientAppTypes:
              - all
            signInRiskLevels:
              - medium
            userRiskLevels:
              - medium
            applications:
              includedApplications:
                - All
              excludedApplications: []
            devices:
              filter:
                mode: exclude
                rule: device.operatingSystem eq "Doors"
            locations:
              includedLocations:
                - All
              excludedLocations:
                - AllTrusted
            platforms:
              includedPlatforms:
                - android
              excludedPlatforms:
                - iOS
            users:
              includedUsers:
                - All
              excludedUsers:
                - GuestsOrExternalUsers
          grantControls:
            operator: OR
            builtInControls:
              - mfa
          sessionControls:
            applicationEnforcedRestrictionsEnabled: true
            disableResilienceDefaults: false
            signInFrequency: 10
            signInFrequencyPeriod: hours
            cloudAppSecurityPolicy: monitorOnly
    

    Included client applications / service principals

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var example = new AzureAD.ConditionalAccessPolicy("example", new()
        {
            DisplayName = "example policy",
            State = "disabled",
            Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
            {
                ClientAppTypes = new[]
                {
                    "all",
                },
                Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
                {
                    IncludedApplications = new[]
                    {
                        "All",
                    },
                },
                ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
                {
                    IncludedServicePrincipals = new[]
                    {
                        current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                    },
                    ExcludedServicePrincipals = new() { },
                },
                Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
                {
                    IncludedUsers = new[]
                    {
                        "None",
                    },
                },
            },
            GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
            {
                Operator = "OR",
                BuiltInControls = new[]
                {
                    "block",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
    			DisplayName: pulumi.String("example policy"),
    			State:       pulumi.String("disabled"),
    			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
    				ClientAppTypes: pulumi.StringArray{
    					pulumi.String("all"),
    				},
    				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
    					IncludedApplications: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
    					IncludedServicePrincipals: pulumi.StringArray{
    						*pulumi.String(current.ObjectId),
    					},
    					ExcludedServicePrincipals: pulumi.StringArray{},
    				},
    				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
    					IncludedUsers: pulumi.StringArray{
    						pulumi.String("None"),
    					},
    				},
    			},
    			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
    				Operator: pulumi.String("OR"),
    				BuiltInControls: pulumi.StringArray{
    					pulumi.String("block"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.ConditionalAccessPolicy;
    import com.pulumi.azuread.ConditionalAccessPolicyArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
                .displayName("example policy")
                .state("disabled")
                .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                    .clientAppTypes("all")
                    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                        .includedApplications("All")
                        .build())
                    .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                        .includedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                        .excludedServicePrincipals()
                        .build())
                    .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                        .includedUsers("None")
                        .build())
                    .build())
                .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                    .operator("OR")
                    .builtInControls("block")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    example = azuread.ConditionalAccessPolicy("example",
        display_name="example policy",
        state="disabled",
        conditions=azuread.ConditionalAccessPolicyConditionsArgs(
            client_app_types=["all"],
            applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
                included_applications=["All"],
            ),
            client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
                included_service_principals=[current.object_id],
                excluded_service_principals=[],
            ),
            users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
                included_users=["None"],
            ),
        ),
        grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
            operator="OR",
            built_in_controls=["block"],
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const example = new azuread.ConditionalAccessPolicy("example", {
        displayName: "example policy",
        state: "disabled",
        conditions: {
            clientAppTypes: ["all"],
            applications: {
                includedApplications: ["All"],
            },
            clientApplications: {
                includedServicePrincipals: [current.then(current => current.objectId)],
                excludedServicePrincipals: [],
            },
            users: {
                includedUsers: ["None"],
            },
        },
        grantControls: {
            operator: "OR",
            builtInControls: ["block"],
        },
    });
    
    resources:
      example:
        type: azuread:ConditionalAccessPolicy
        properties:
          displayName: example policy
          state: disabled
          conditions:
            clientAppTypes:
              - all
            applications:
              includedApplications:
                - All
            clientApplications:
              includedServicePrincipals:
                - ${current.objectId}
              excludedServicePrincipals: []
            users:
              includedUsers:
                - None
          grantControls:
            operator: OR
            builtInControls:
              - block
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Excluded client applications / service principals

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var current = AzureAD.GetClientConfig.Invoke();
    
        var example = new AzureAD.ConditionalAccessPolicy("example", new()
        {
            DisplayName = "example policy",
            State = "disabled",
            Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
            {
                ClientAppTypes = new[]
                {
                    "all",
                },
                Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
                {
                    IncludedApplications = new[]
                    {
                        "All",
                    },
                },
                ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
                {
                    IncludedServicePrincipals = new[]
                    {
                        "ServicePrincipalsInMyTenant",
                    },
                    ExcludedServicePrincipals = new[]
                    {
                        current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                    },
                },
                Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
                {
                    IncludedUsers = new[]
                    {
                        "None",
                    },
                },
            },
            GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
            {
                Operator = "OR",
                BuiltInControls = new[]
                {
                    "block",
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := azuread.GetClientConfig(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
    			DisplayName: pulumi.String("example policy"),
    			State:       pulumi.String("disabled"),
    			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
    				ClientAppTypes: pulumi.StringArray{
    					pulumi.String("all"),
    				},
    				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
    					IncludedApplications: pulumi.StringArray{
    						pulumi.String("All"),
    					},
    				},
    				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
    					IncludedServicePrincipals: pulumi.StringArray{
    						pulumi.String("ServicePrincipalsInMyTenant"),
    					},
    					ExcludedServicePrincipals: pulumi.StringArray{
    						*pulumi.String(current.ObjectId),
    					},
    				},
    				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
    					IncludedUsers: pulumi.StringArray{
    						pulumi.String("None"),
    					},
    				},
    			},
    			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
    				Operator: pulumi.String("OR"),
    				BuiltInControls: pulumi.StringArray{
    					pulumi.String("block"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.ConditionalAccessPolicy;
    import com.pulumi.azuread.ConditionalAccessPolicyArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
    import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AzureadFunctions.getClientConfig();
    
            var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()        
                .displayName("example policy")
                .state("disabled")
                .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                    .clientAppTypes("all")
                    .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                        .includedApplications("All")
                        .build())
                    .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                        .includedServicePrincipals("ServicePrincipalsInMyTenant")
                        .excludedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                        .build())
                    .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                        .includedUsers("None")
                        .build())
                    .build())
                .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                    .operator("OR")
                    .builtInControls("block")
                    .build())
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_azuread as azuread
    
    current = azuread.get_client_config()
    example = azuread.ConditionalAccessPolicy("example",
        display_name="example policy",
        state="disabled",
        conditions=azuread.ConditionalAccessPolicyConditionsArgs(
            client_app_types=["all"],
            applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
                included_applications=["All"],
            ),
            client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
                included_service_principals=["ServicePrincipalsInMyTenant"],
                excluded_service_principals=[current.object_id],
            ),
            users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
                included_users=["None"],
            ),
        ),
        grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
            operator="OR",
            built_in_controls=["block"],
        ))
    
    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const current = azuread.getClientConfig({});
    const example = new azuread.ConditionalAccessPolicy("example", {
        displayName: "example policy",
        state: "disabled",
        conditions: {
            clientAppTypes: ["all"],
            applications: {
                includedApplications: ["All"],
            },
            clientApplications: {
                includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
                excludedServicePrincipals: [current.then(current => current.objectId)],
            },
            users: {
                includedUsers: ["None"],
            },
        },
        grantControls: {
            operator: "OR",
            builtInControls: ["block"],
        },
    });
    
    resources:
      example:
        type: azuread:ConditionalAccessPolicy
        properties:
          displayName: example policy
          state: disabled
          conditions:
            clientAppTypes:
              - all
            applications:
              includedApplications:
                - All
            clientApplications:
              includedServicePrincipals:
                - ServicePrincipalsInMyTenant
              excludedServicePrincipals:
                - ${current.objectId}
            users:
              includedUsers:
                - None
          grantControls:
            operator: OR
            builtInControls:
              - block
    variables:
      current:
        fn::invoke:
          Function: azuread:getClientConfig
          Arguments: {}
    

    Create ConditionalAccessPolicy Resource

    new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def ConditionalAccessPolicy(resource_name: str,
                                opts: Optional[ResourceOptions] = None,
                                conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
                                display_name: Optional[str] = None,
                                grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
                                session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
                                state: Optional[str] = None)
    @overload
    def ConditionalAccessPolicy(resource_name: str,
                                args: ConditionalAccessPolicyArgs,
                                opts: Optional[ResourceOptions] = None)
    func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
    public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
    public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
    public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
    
    type: azuread:ConditionalAccessPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ConditionalAccessPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    ConditionalAccessPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ConditionalAccessPolicy resource accepts the following input properties:

    Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    DisplayName string
    The friendly name for this Conditional Access Policy.
    State string
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    Conditions ConditionalAccessPolicyConditionsArgs
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    DisplayName string
    The friendly name for this Conditional Access Policy.
    State string
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    GrantControls ConditionalAccessPolicyGrantControlsArgs
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    SessionControls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions ConditionalAccessPolicyConditions
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    displayName String
    The friendly name for this Conditional Access Policy.
    state String
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    grantControls ConditionalAccessPolicyGrantControls
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions ConditionalAccessPolicyConditions
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    displayName string
    The friendly name for this Conditional Access Policy.
    state string
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    grantControls ConditionalAccessPolicyGrantControls
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions ConditionalAccessPolicyConditionsArgs
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    display_name str
    The friendly name for this Conditional Access Policy.
    state str
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    grant_controls ConditionalAccessPolicyGrantControlsArgs
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    session_controls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    conditions Property Map
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    displayName String
    The friendly name for this Conditional Access Policy.
    state String
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    grantControls Property Map
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    sessionControls Property Map

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing ConditionalAccessPolicy Resource

    Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
            display_name: Optional[str] = None,
            grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
            session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
            state: Optional[str] = None) -> ConditionalAccessPolicy
    func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
    public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)
    public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    DisplayName string
    The friendly name for this Conditional Access Policy.
    GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    State string
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    Conditions ConditionalAccessPolicyConditionsArgs
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    DisplayName string
    The friendly name for this Conditional Access Policy.
    GrantControls ConditionalAccessPolicyGrantControlsArgs
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    SessionControls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    State string
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    conditions ConditionalAccessPolicyConditions
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    displayName String
    The friendly name for this Conditional Access Policy.
    grantControls ConditionalAccessPolicyGrantControls
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state String
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    conditions ConditionalAccessPolicyConditions
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    displayName string
    The friendly name for this Conditional Access Policy.
    grantControls ConditionalAccessPolicyGrantControls
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    sessionControls ConditionalAccessPolicySessionControls

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state string
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    conditions ConditionalAccessPolicyConditionsArgs
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    display_name str
    The friendly name for this Conditional Access Policy.
    grant_controls ConditionalAccessPolicyGrantControlsArgs
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    session_controls ConditionalAccessPolicySessionControlsArgs

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state str
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
    conditions Property Map
    A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
    displayName String
    The friendly name for this Conditional Access Policy.
    grantControls Property Map
    A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
    sessionControls Property Map

    A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

    Note: At least one of grant_controls and/or session_controls blocks must be specified.

    state String
    Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

    Supporting Types

    ConditionalAccessPolicyConditions, ConditionalAccessPolicyConditionsArgs

    Applications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsApplications
    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
    ClientAppTypes List<string>
    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    Users Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsers
    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
    ClientApplications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplications
    An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
    Devices Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevices
    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
    Locations Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsLocations
    A locations block as documented below, which specifies locations included in and excluded from the policy.
    Platforms Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatforms
    A platforms block as documented below, which specifies platforms included in and excluded from the policy.
    ServicePrincipalRiskLevels List<string>
    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    SignInRiskLevels List<string>
    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    UserRiskLevels List<string>
    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    Applications ConditionalAccessPolicyConditionsApplications
    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
    ClientAppTypes []string
    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    Users ConditionalAccessPolicyConditionsUsers
    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
    ClientApplications ConditionalAccessPolicyConditionsClientApplications
    An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
    Devices ConditionalAccessPolicyConditionsDevices
    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
    Locations ConditionalAccessPolicyConditionsLocations
    A locations block as documented below, which specifies locations included in and excluded from the policy.
    Platforms ConditionalAccessPolicyConditionsPlatforms
    A platforms block as documented below, which specifies platforms included in and excluded from the policy.
    ServicePrincipalRiskLevels []string
    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    SignInRiskLevels []string
    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    UserRiskLevels []string
    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    applications ConditionalAccessPolicyConditionsApplications
    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
    clientAppTypes List<String>
    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    users ConditionalAccessPolicyConditionsUsers
    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
    clientApplications ConditionalAccessPolicyConditionsClientApplications
    An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
    devices ConditionalAccessPolicyConditionsDevices
    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
    locations ConditionalAccessPolicyConditionsLocations
    A locations block as documented below, which specifies locations included in and excluded from the policy.
    platforms ConditionalAccessPolicyConditionsPlatforms
    A platforms block as documented below, which specifies platforms included in and excluded from the policy.
    servicePrincipalRiskLevels List<String>
    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    signInRiskLevels List<String>
    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    userRiskLevels List<String>
    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    applications ConditionalAccessPolicyConditionsApplications
    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
    clientAppTypes string[]
    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    users ConditionalAccessPolicyConditionsUsers
    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
    clientApplications ConditionalAccessPolicyConditionsClientApplications
    An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
    devices ConditionalAccessPolicyConditionsDevices
    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
    locations ConditionalAccessPolicyConditionsLocations
    A locations block as documented below, which specifies locations included in and excluded from the policy.
    platforms ConditionalAccessPolicyConditionsPlatforms
    A platforms block as documented below, which specifies platforms included in and excluded from the policy.
    servicePrincipalRiskLevels string[]
    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    signInRiskLevels string[]
    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    userRiskLevels string[]
    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    applications ConditionalAccessPolicyConditionsApplications
    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
    client_app_types Sequence[str]
    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    users ConditionalAccessPolicyConditionsUsers
    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
    client_applications ConditionalAccessPolicyConditionsClientApplications
    An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
    devices ConditionalAccessPolicyConditionsDevices
    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
    locations ConditionalAccessPolicyConditionsLocations
    A locations block as documented below, which specifies locations included in and excluded from the policy.
    platforms ConditionalAccessPolicyConditionsPlatforms
    A platforms block as documented below, which specifies platforms included in and excluded from the policy.
    service_principal_risk_levels Sequence[str]
    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    sign_in_risk_levels Sequence[str]
    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    user_risk_levels Sequence[str]
    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    applications Property Map
    An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
    clientAppTypes List<String>
    A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
    users Property Map
    A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
    clientApplications Property Map
    An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
    devices Property Map
    A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
    locations Property Map
    A locations block as documented below, which specifies locations included in and excluded from the policy.
    platforms Property Map
    A platforms block as documented below, which specifies platforms included in and excluded from the policy.
    servicePrincipalRiskLevels List<String>
    A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
    signInRiskLevels List<String>
    A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
    userRiskLevels List<String>
    A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

    ConditionalAccessPolicyConditionsApplications, ConditionalAccessPolicyConditionsApplicationsArgs

    ExcludedApplications List<string>
    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
    IncludedApplications List<string>
    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
    IncludedUserActions List<string>
    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
    ExcludedApplications []string
    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
    IncludedApplications []string
    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
    IncludedUserActions []string
    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
    excludedApplications List<String>
    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
    includedApplications List<String>
    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
    includedUserActions List<String>
    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
    excludedApplications string[]
    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
    includedApplications string[]
    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
    includedUserActions string[]
    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
    excluded_applications Sequence[str]
    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
    included_applications Sequence[str]
    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
    included_user_actions Sequence[str]
    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
    excludedApplications List<String>
    A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
    includedApplications List<String>
    A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
    includedUserActions List<String>
    A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

    ConditionalAccessPolicyConditionsClientApplications, ConditionalAccessPolicyConditionsClientApplicationsArgs

    ExcludedServicePrincipals List<string>
    A list of service principal IDs explicitly excluded in the policy.
    IncludedServicePrincipals List<string>
    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
    ExcludedServicePrincipals []string
    A list of service principal IDs explicitly excluded in the policy.
    IncludedServicePrincipals []string
    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
    excludedServicePrincipals List<String>
    A list of service principal IDs explicitly excluded in the policy.
    includedServicePrincipals List<String>
    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
    excludedServicePrincipals string[]
    A list of service principal IDs explicitly excluded in the policy.
    includedServicePrincipals string[]
    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
    excluded_service_principals Sequence[str]
    A list of service principal IDs explicitly excluded in the policy.
    included_service_principals Sequence[str]
    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
    excludedServicePrincipals List<String>
    A list of service principal IDs explicitly excluded in the policy.
    includedServicePrincipals List<String>
    A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.

    ConditionalAccessPolicyConditionsDevices, ConditionalAccessPolicyConditionsDevicesArgs

    Filter ConditionalAccessPolicyConditionsDevicesFilter
    A filter block as described below.
    filter ConditionalAccessPolicyConditionsDevicesFilter
    A filter block as described below.
    filter ConditionalAccessPolicyConditionsDevicesFilter
    A filter block as described below.
    filter ConditionalAccessPolicyConditionsDevicesFilter
    A filter block as described below.
    filter Property Map
    A filter block as described below.

    ConditionalAccessPolicyConditionsDevicesFilter, ConditionalAccessPolicyConditionsDevicesFilterArgs

    Mode string
    Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
    Rule string
    Condition filter to match devices. For more information, see official documentation.
    Mode string
    Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
    Rule string
    Condition filter to match devices. For more information, see official documentation.
    mode String
    Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
    rule String
    Condition filter to match devices. For more information, see official documentation.
    mode string
    Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
    rule string
    Condition filter to match devices. For more information, see official documentation.
    mode str
    Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
    rule str
    Condition filter to match devices. For more information, see official documentation.
    mode String
    Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
    rule String
    Condition filter to match devices. For more information, see official documentation.

    ConditionalAccessPolicyConditionsLocations, ConditionalAccessPolicyConditionsLocationsArgs

    IncludedLocations List<string>
    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
    ExcludedLocations List<string>
    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
    IncludedLocations []string
    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
    ExcludedLocations []string
    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
    includedLocations List<String>
    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
    excludedLocations List<String>
    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
    includedLocations string[]
    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
    excludedLocations string[]
    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
    included_locations Sequence[str]
    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
    excluded_locations Sequence[str]
    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
    includedLocations List<String>
    A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
    excludedLocations List<String>
    A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

    ConditionalAccessPolicyConditionsPlatforms, ConditionalAccessPolicyConditionsPlatformsArgs

    IncludedPlatforms List<string>
    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    ExcludedPlatforms List<string>
    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    IncludedPlatforms []string
    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    ExcludedPlatforms []string
    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    includedPlatforms List<String>
    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    excludedPlatforms List<String>
    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    includedPlatforms string[]
    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    excludedPlatforms string[]
    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    included_platforms Sequence[str]
    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    excluded_platforms Sequence[str]
    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    includedPlatforms List<String>
    A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
    excludedPlatforms List<String>
    A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

    ConditionalAccessPolicyConditionsUsers, ConditionalAccessPolicyConditionsUsersArgs

    ExcludedGroups List<string>
    A list of group IDs excluded from scope of policy.
    ExcludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser>
    A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
    ExcludedRoles List<string>
    A list of role IDs excluded from scope of policy.
    ExcludedUsers List<string>
    A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    IncludedGroups List<string>
    A list of group IDs in scope of policy unless explicitly excluded.
    IncludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser>
    A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
    IncludedRoles List<string>
    A list of role IDs in scope of policy unless explicitly excluded.
    IncludedUsers List<string>

    A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

    At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

    ExcludedGroups []string
    A list of group IDs excluded from scope of policy.
    ExcludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser
    A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
    ExcludedRoles []string
    A list of role IDs excluded from scope of policy.
    ExcludedUsers []string
    A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    IncludedGroups []string
    A list of group IDs in scope of policy unless explicitly excluded.
    IncludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser
    A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
    IncludedRoles []string
    A list of role IDs in scope of policy unless explicitly excluded.
    IncludedUsers []string

    A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

    At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

    excludedGroups List<String>
    A list of group IDs excluded from scope of policy.
    excludedGuestsOrExternalUsers List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser>
    A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
    excludedRoles List<String>
    A list of role IDs excluded from scope of policy.
    excludedUsers List<String>
    A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    includedGroups List<String>
    A list of group IDs in scope of policy unless explicitly excluded.
    includedGuestsOrExternalUsers List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser>
    A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
    includedRoles List<String>
    A list of role IDs in scope of policy unless explicitly excluded.
    includedUsers List<String>

    A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

    At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

    excludedGroups string[]
    A list of group IDs excluded from scope of policy.
    excludedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser[]
    A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
    excludedRoles string[]
    A list of role IDs excluded from scope of policy.
    excludedUsers string[]
    A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    includedGroups string[]
    A list of group IDs in scope of policy unless explicitly excluded.
    includedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser[]
    A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
    includedRoles string[]
    A list of role IDs in scope of policy unless explicitly excluded.
    includedUsers string[]

    A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

    At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

    excluded_groups Sequence[str]
    A list of group IDs excluded from scope of policy.
    excluded_guests_or_external_users Sequence[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser]
    A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
    excluded_roles Sequence[str]
    A list of role IDs excluded from scope of policy.
    excluded_users Sequence[str]
    A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    included_groups Sequence[str]
    A list of group IDs in scope of policy unless explicitly excluded.
    included_guests_or_external_users Sequence[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser]
    A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
    included_roles Sequence[str]
    A list of role IDs in scope of policy unless explicitly excluded.
    included_users Sequence[str]

    A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

    At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

    excludedGroups List<String>
    A list of group IDs excluded from scope of policy.
    excludedGuestsOrExternalUsers List<Property Map>
    A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
    excludedRoles List<String>
    A list of role IDs excluded from scope of policy.
    excludedUsers List<String>
    A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
    includedGroups List<String>
    A list of group IDs in scope of policy unless explicitly excluded.
    includedGuestsOrExternalUsers List<Property Map>
    A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
    includedRoles List<String>
    A list of role IDs in scope of policy unless explicitly excluded.
    includedUsers List<String>

    A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

    At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

    ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs

    GuestOrExternalUserTypes List<string>
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    ExternalTenants List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant>
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    GuestOrExternalUserTypes []string
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    ExternalTenants []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guestOrExternalUserTypes List<String>
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    externalTenants List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant>
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guestOrExternalUserTypes string[]
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    externalTenants ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant[]
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guest_or_external_user_types Sequence[str]
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    external_tenants Sequence[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant]
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guestOrExternalUserTypes List<String>
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    externalTenants List<Property Map>
    An external_tenants block as documented below, which specifies external tenants in a policy scope.

    ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs

    MembershipKind string
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    Members List<string>
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    MembershipKind string
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    Members []string
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membershipKind String
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members List<String>
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membershipKind string
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members string[]
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membership_kind str
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members Sequence[str]
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membershipKind String
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members List<String>
    A list tenant IDs. Can only be specified if membership_kind is enumerated.

    ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs

    GuestOrExternalUserTypes List<string>
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    ExternalTenants List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant>
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    GuestOrExternalUserTypes []string
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    ExternalTenants []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guestOrExternalUserTypes List<String>
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    externalTenants List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant>
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guestOrExternalUserTypes string[]
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    externalTenants ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant[]
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guest_or_external_user_types Sequence[str]
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    external_tenants Sequence[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant]
    An external_tenants block as documented below, which specifies external tenants in a policy scope.
    guestOrExternalUserTypes List<String>
    A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
    externalTenants List<Property Map>
    An external_tenants block as documented below, which specifies external tenants in a policy scope.

    ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs

    MembershipKind string
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    Members List<string>
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    MembershipKind string
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    Members []string
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membershipKind String
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members List<String>
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membershipKind string
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members string[]
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membership_kind str
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members Sequence[str]
    A list tenant IDs. Can only be specified if membership_kind is enumerated.
    membershipKind String
    The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
    members List<String>
    A list tenant IDs. Can only be specified if membership_kind is enumerated.

    ConditionalAccessPolicyGrantControls, ConditionalAccessPolicyGrantControlsArgs

    Operator string
    Defines the relationship of the grant controls. Possible values are: AND, OR.
    AuthenticationStrengthPolicyId string
    ID of an Authentication Strength Policy to use in this policy.
    BuiltInControls List<string>
    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
    CustomAuthenticationFactors List<string>
    List of custom controls IDs required by the policy.
    TermsOfUses List<string>

    List of terms of use IDs required by the policy.

    At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

    Operator string
    Defines the relationship of the grant controls. Possible values are: AND, OR.
    AuthenticationStrengthPolicyId string
    ID of an Authentication Strength Policy to use in this policy.
    BuiltInControls []string
    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
    CustomAuthenticationFactors []string
    List of custom controls IDs required by the policy.
    TermsOfUses []string

    List of terms of use IDs required by the policy.

    At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

    operator String
    Defines the relationship of the grant controls. Possible values are: AND, OR.
    authenticationStrengthPolicyId String
    ID of an Authentication Strength Policy to use in this policy.
    builtInControls List<String>
    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
    customAuthenticationFactors List<String>
    List of custom controls IDs required by the policy.
    termsOfUses List<String>

    List of terms of use IDs required by the policy.

    At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

    operator string
    Defines the relationship of the grant controls. Possible values are: AND, OR.
    authenticationStrengthPolicyId string
    ID of an Authentication Strength Policy to use in this policy.
    builtInControls string[]
    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
    customAuthenticationFactors string[]
    List of custom controls IDs required by the policy.
    termsOfUses string[]

    List of terms of use IDs required by the policy.

    At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

    operator str
    Defines the relationship of the grant controls. Possible values are: AND, OR.
    authentication_strength_policy_id str
    ID of an Authentication Strength Policy to use in this policy.
    built_in_controls Sequence[str]
    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
    custom_authentication_factors Sequence[str]
    List of custom controls IDs required by the policy.
    terms_of_uses Sequence[str]

    List of terms of use IDs required by the policy.

    At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

    operator String
    Defines the relationship of the grant controls. Possible values are: AND, OR.
    authenticationStrengthPolicyId String
    ID of an Authentication Strength Policy to use in this policy.
    builtInControls List<String>
    List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
    customAuthenticationFactors List<String>
    List of custom controls IDs required by the policy.
    termsOfUses List<String>

    List of terms of use IDs required by the policy.

    At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

    ConditionalAccessPolicySessionControls, ConditionalAccessPolicySessionControlsArgs

    ApplicationEnforcedRestrictionsEnabled bool

    Whether application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

    CloudAppSecurityPolicy string
    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
    DisableResilienceDefaults bool
    Disables resilience defaults. Defaults to false.
    PersistentBrowserMode string
    Session control to define whether to persist cookies. Possible values are: always or never.
    SignInFrequency int
    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
    SignInFrequencyAuthenticationType string
    Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
    SignInFrequencyInterval string
    The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
    SignInFrequencyPeriod string
    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
    ApplicationEnforcedRestrictionsEnabled bool

    Whether application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

    CloudAppSecurityPolicy string
    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
    DisableResilienceDefaults bool
    Disables resilience defaults. Defaults to false.
    PersistentBrowserMode string
    Session control to define whether to persist cookies. Possible values are: always or never.
    SignInFrequency int
    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
    SignInFrequencyAuthenticationType string
    Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
    SignInFrequencyInterval string
    The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
    SignInFrequencyPeriod string
    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
    applicationEnforcedRestrictionsEnabled Boolean

    Whether application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

    cloudAppSecurityPolicy String
    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
    disableResilienceDefaults Boolean
    Disables resilience defaults. Defaults to false.
    persistentBrowserMode String
    Session control to define whether to persist cookies. Possible values are: always or never.
    signInFrequency Integer
    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
    signInFrequencyAuthenticationType String
    Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
    signInFrequencyInterval String
    The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
    signInFrequencyPeriod String
    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
    applicationEnforcedRestrictionsEnabled boolean

    Whether application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

    cloudAppSecurityPolicy string
    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
    disableResilienceDefaults boolean
    Disables resilience defaults. Defaults to false.
    persistentBrowserMode string
    Session control to define whether to persist cookies. Possible values are: always or never.
    signInFrequency number
    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
    signInFrequencyAuthenticationType string
    Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
    signInFrequencyInterval string
    The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
    signInFrequencyPeriod string
    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
    application_enforced_restrictions_enabled bool

    Whether application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

    cloud_app_security_policy str
    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
    disable_resilience_defaults bool
    Disables resilience defaults. Defaults to false.
    persistent_browser_mode str
    Session control to define whether to persist cookies. Possible values are: always or never.
    sign_in_frequency int
    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
    sign_in_frequency_authentication_type str
    Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
    sign_in_frequency_interval str
    The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
    sign_in_frequency_period str
    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
    applicationEnforcedRestrictionsEnabled Boolean

    Whether application enforced restrictions are enabled. Defaults to false.

    Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

    cloudAppSecurityPolicy String
    Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
    disableResilienceDefaults Boolean
    Disables resilience defaults. Defaults to false.
    persistentBrowserMode String
    Session control to define whether to persist cookies. Possible values are: always or never.
    signInFrequency Number
    Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
    signInFrequencyAuthenticationType String
    Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
    signInFrequencyInterval String
    The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
    signInFrequencyPeriod String
    The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.

    Import

    Conditional Access Policies can be imported using the id, e.g.

    $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000
    

    Package Details

    Repository
    Azure Active Directory (Azure AD) pulumi/pulumi-azuread
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azuread Terraform Provider.
    azuread logo
    Azure Active Directory (Azure AD) v5.47.2 published on Tuesday, Feb 27, 2024 by Pulumi