azuread.ServicePrincipal
Explore with Pulumi AI
Import
Service principals can be imported using their object ID, e.g.
$ pulumi import azuread:index/servicePrincipal:ServicePrincipal test 00000000-0000-0000-0000-000000000000
Example Usage
Create a service principal for an application
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var exampleApplication = new AzureAD.Application("exampleApplication", new()
{
DisplayName = "example",
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
{
ApplicationId = exampleApplication.ApplicationId,
AppRoleAssignmentRequired = false,
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
Owners: pulumi.StringArray{
*pulumi.String(current.ObjectId),
},
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: exampleApplication.ApplicationId,
AppRoleAssignmentRequired: pulumi.Bool(false),
Owners: pulumi.StringArray{
*pulumi.String(current.ObjectId),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
.displayName("example")
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(exampleApplication.applicationId())
.appRoleAssignmentRequired(false)
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example_application = azuread.Application("exampleApplication",
display_name="example",
owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
application_id=example_application.application_id,
app_role_assignment_required=False,
owners=[current.object_id])
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const exampleApplication = new azuread.Application("exampleApplication", {
displayName: "example",
owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
applicationId: exampleApplication.applicationId,
appRoleAssignmentRequired: false,
owners: [current.then(current => current.objectId)],
});
resources:
exampleApplication:
type: azuread:Application
properties:
displayName: example
owners:
- ${current.objectId}
exampleServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${exampleApplication.applicationId}
appRoleAssignmentRequired: false
owners:
- ${current.objectId}
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Create a service principal for an enterprise application
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var exampleApplication = new AzureAD.Application("exampleApplication", new()
{
DisplayName = "example",
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
{
ApplicationId = exampleApplication.ApplicationId,
AppRoleAssignmentRequired = false,
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
FeatureTags = new[]
{
new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
{
Enterprise = true,
Gallery = true,
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, nil, nil)
if err != nil {
return err
}
exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
Owners: pulumi.StringArray{
*pulumi.String(current.ObjectId),
},
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: exampleApplication.ApplicationId,
AppRoleAssignmentRequired: pulumi.Bool(false),
Owners: pulumi.StringArray{
*pulumi.String(current.ObjectId),
},
FeatureTags: azuread.ServicePrincipalFeatureTagArray{
&azuread.ServicePrincipalFeatureTagArgs{
Enterprise: pulumi.Bool(true),
Gallery: pulumi.Bool(true),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
.displayName("example")
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(exampleApplication.applicationId())
.appRoleAssignmentRequired(false)
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.featureTags(ServicePrincipalFeatureTagArgs.builder()
.enterprise(true)
.gallery(true)
.build())
.build());
}
}
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example_application = azuread.Application("exampleApplication",
display_name="example",
owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
application_id=example_application.application_id,
app_role_assignment_required=False,
owners=[current.object_id],
feature_tags=[azuread.ServicePrincipalFeatureTagArgs(
enterprise=True,
gallery=True,
)])
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const exampleApplication = new azuread.Application("exampleApplication", {
displayName: "example",
owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
applicationId: exampleApplication.applicationId,
appRoleAssignmentRequired: false,
owners: [current.then(current => current.objectId)],
featureTags: [{
enterprise: true,
gallery: true,
}],
});
resources:
exampleApplication:
type: azuread:Application
properties:
displayName: example
owners:
- ${current.objectId}
exampleServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${exampleApplication.applicationId}
appRoleAssignmentRequired: false
owners:
- ${current.objectId}
featureTags:
- enterprise: true
gallery: true
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Manage a service principal for a first-party Microsoft application
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
{
ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
UseExisting = true,
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
ApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
.applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
.useExisting(true)
.build());
}
}
import pulumi
import pulumi_azuread as azuread
well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
application_id=well_known.result["MicrosoftGraph"],
use_existing=True)
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
useExisting: true,
});
resources:
msgraph:
type: azuread:ServicePrincipal
properties:
applicationId: ${wellKnown.result.MicrosoftGraph}
useExisting: true
variables:
wellKnown:
fn::invoke:
Function: azuread:getApplicationPublishedAppIds
Arguments: {}
Create a service principal for an application created from a gallery template
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var exampleApplicationTemplate = AzureAD.GetApplicationTemplate.Invoke(new()
{
DisplayName = "Marketo",
});
var exampleApplication = new AzureAD.Application("exampleApplication", new()
{
DisplayName = "example",
TemplateId = exampleApplicationTemplate.Apply(getApplicationTemplateResult => getApplicationTemplateResult.TemplateId),
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
{
ApplicationId = exampleApplication.ApplicationId,
UseExisting = true,
});
});
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleApplicationTemplate, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{
DisplayName: pulumi.StringRef("Marketo"),
}, nil)
if err != nil {
return err
}
exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
TemplateId: *pulumi.String(exampleApplicationTemplate.TemplateId),
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
ApplicationId: exampleApplication.ApplicationId,
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetApplicationTemplateArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var exampleApplicationTemplate = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()
.displayName("Marketo")
.build());
var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
.displayName("example")
.templateId(exampleApplicationTemplate.applyValue(getApplicationTemplateResult -> getApplicationTemplateResult.templateId()))
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.applicationId(exampleApplication.applicationId())
.useExisting(true)
.build());
}
}
import pulumi
import pulumi_azuread as azuread
example_application_template = azuread.get_application_template(display_name="Marketo")
example_application = azuread.Application("exampleApplication",
display_name="example",
template_id=example_application_template.template_id)
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
application_id=example_application.application_id,
use_existing=True)
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const exampleApplicationTemplate = azuread.getApplicationTemplate({
displayName: "Marketo",
});
const exampleApplication = new azuread.Application("exampleApplication", {
displayName: "example",
templateId: exampleApplicationTemplate.then(exampleApplicationTemplate => exampleApplicationTemplate.templateId),
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
applicationId: exampleApplication.applicationId,
useExisting: true,
});
resources:
exampleApplication:
type: azuread:Application
properties:
displayName: example
templateId: ${exampleApplicationTemplate.templateId}
exampleServicePrincipal:
type: azuread:ServicePrincipal
properties:
applicationId: ${exampleApplication.applicationId}
useExisting: true
variables:
exampleApplicationTemplate:
fn::invoke:
Function: azuread:getApplicationTemplate
Arguments:
displayName: Marketo
Create ServicePrincipal Resource
new ServicePrincipal(name: string, args: ServicePrincipalArgs, opts?: CustomResourceOptions);
@overload
def ServicePrincipal(resource_name: str,
opts: Optional[ResourceOptions] = None,
account_enabled: Optional[bool] = None,
alternative_names: Optional[Sequence[str]] = None,
app_role_assignment_required: Optional[bool] = None,
application_id: Optional[str] = None,
description: Optional[str] = None,
feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
login_url: Optional[str] = None,
notes: Optional[str] = None,
notification_email_addresses: Optional[Sequence[str]] = None,
owners: Optional[Sequence[str]] = None,
preferred_single_sign_on_mode: Optional[str] = None,
saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
tags: Optional[Sequence[str]] = None,
use_existing: Optional[bool] = None)
@overload
def ServicePrincipal(resource_name: str,
args: ServicePrincipalArgs,
opts: Optional[ResourceOptions] = None)
func NewServicePrincipal(ctx *Context, name string, args ServicePrincipalArgs, opts ...ResourceOption) (*ServicePrincipal, error)
public ServicePrincipal(string name, ServicePrincipalArgs args, CustomResourceOptions? opts = null)
public ServicePrincipal(String name, ServicePrincipalArgs args)
public ServicePrincipal(String name, ServicePrincipalArgs args, CustomResourceOptions options)
type: azuread:ServicePrincipal
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
ServicePrincipal Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ServicePrincipal resource accepts the following input properties:
- Application
Id string The application ID (client ID) of the application for which to create a service principal.
- Account
Enabled bool Whether or not the service principal account is enabled. Defaults to
true
.- Alternative
Names List<string> A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- Description string
A description of the service principal provided for internal end-users.
- List<Pulumi.
Azure AD. Inputs. Service Principal Feature Tag Args> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
List<Pulumi.
Azure AD. Inputs. Service Principal Feature Args> Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- Login
Url string The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Notes string
A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email List<string>Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Owners List<string>
A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- Saml
Single Pulumi.Sign On Azure AD. Inputs. Service Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- List<string>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Use
Existing bool When true, the resource will return an existing service principal instead of failing with an error
- Application
Id string The application ID (client ID) of the application for which to create a service principal.
- Account
Enabled bool Whether or not the service principal account is enabled. Defaults to
true
.- Alternative
Names []string A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- Description string
A description of the service principal provided for internal end-users.
- []Service
Principal Feature Tag Args A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
[]Service
Principal Feature Args Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- Login
Url string The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Notes string
A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email []stringAddresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Owners []string
A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- Saml
Single ServiceSign On Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- []string
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Use
Existing bool When true, the resource will return an existing service principal instead of failing with an error
- application
Id String The application ID (client ID) of the application for which to create a service principal.
- account
Enabled Boolean Whether or not the service principal account is enabled. Defaults to
true
.- alternative
Names List<String> A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- description String
A description of the service principal provided for internal end-users.
- List<Service
Principal Feature Tag Args> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
List<Service
Principal Feature Args> Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- login
Url String The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes String
A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners List<String>
A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- saml
Single ServiceSign On Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use
Existing Boolean When true, the resource will return an existing service principal instead of failing with an error
- application
Id string The application ID (client ID) of the application for which to create a service principal.
- account
Enabled boolean Whether or not the service principal account is enabled. Defaults to
true
.- alternative
Names string[] A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role booleanAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- description string
A description of the service principal provided for internal end-users.
- Service
Principal Feature Tag Args[] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Service
Principal Feature Args[] Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- login
Url string The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes string
A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email string[]Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners string[]
A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single stringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- saml
Single ServiceSign On Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- string[]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use
Existing boolean When true, the resource will return an existing service principal instead of failing with an error
- application_
id str The application ID (client ID) of the application for which to create a service principal.
- account_
enabled bool Whether or not the service principal account is enabled. Defaults to
true
.- alternative_
names Sequence[str] A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app_
role_ boolassignment_ required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- description str
A description of the service principal provided for internal end-users.
- Sequence[Service
Principal Feature Tag Args] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Sequence[Service
Principal Feature Args] Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- login_
url str The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes str
A free text field to capture information about the service principal, typically used for operational purposes.
- notification_
email_ Sequence[str]addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners Sequence[str]
A list of object IDs of principals that will be granted ownership of the service principal
- preferred_
single_ strsign_ on_ mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- saml_
single_ Servicesign_ on Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- Sequence[str]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use_
existing bool When true, the resource will return an existing service principal instead of failing with an error
- application
Id String The application ID (client ID) of the application for which to create a service principal.
- account
Enabled Boolean Whether or not the service principal account is enabled. Defaults to
true
.- alternative
Names List<String> A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- description String
A description of the service principal provided for internal end-users.
- List<Property Map>
A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features List<Property Map>
Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- login
Url String The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes String
A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners List<String>
A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- saml
Single Property MapSign On A
saml_single_sign_on
block as documented below.- List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use
Existing Boolean When true, the resource will return an existing service principal instead of failing with an error
Outputs
All input properties are implicitly available as output properties. Additionally, the ServicePrincipal resource produces the following output properties:
- App
Role Dictionary<string, string>Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles List<Pulumi.Azure AD. Outputs. Service Principal App Role> A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Tenant stringId The tenant ID where the associated application is registered.
- Display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- Homepage
Url string Home page or landing page of the associated application.
- Id string
The provider-assigned unique ID for this managed resource.
- Logout
Url string The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Oauth2Permission
Scope Dictionary<string, string>Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes List<Pulumi.Azure AD. Outputs. Service Principal Oauth2Permission Scope> A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string The object ID of the service principal.
- Redirect
Uris List<string> A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl The URL where the service exposes SAML metadata for federation.
- Service
Principal List<string>Names A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- Type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- App
Role map[string]stringIds A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles []ServicePrincipal App Role A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Tenant stringId The tenant ID where the associated application is registered.
- Display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- Homepage
Url string Home page or landing page of the associated application.
- Id string
The provider-assigned unique ID for this managed resource.
- Logout
Url string The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Oauth2Permission
Scope map[string]stringIds A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes []ServicePrincipal Oauth2Permission Scope A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string The object ID of the service principal.
- Redirect
Uris []string A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl The URL where the service exposes SAML metadata for federation.
- Service
Principal []stringNames A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- Type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app
Role Map<String,String>Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<ServicePrincipal App Role> A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant StringId The tenant ID where the associated application is registered.
- display
Name String Display name for the app role that appears during app role assignment and in consent experiences.
- homepage
Url String Home page or landing page of the associated application.
- id String
The provider-assigned unique ID for this managed resource.
- logout
Url String The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2Permission
Scope Map<String,String>Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<ServicePrincipal Oauth2Permission Scope> A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String The object ID of the service principal.
- redirect
Uris List<String> A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl The URL where the service exposes SAML metadata for federation.
- service
Principal List<String>Names A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- type String
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app
Role {[key: string]: string}Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles ServicePrincipal App Role[] A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant stringId The tenant ID where the associated application is registered.
- display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- homepage
Url string Home page or landing page of the associated application.
- id string
The provider-assigned unique ID for this managed resource.
- logout
Url string The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2Permission
Scope {[key: string]: string}Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes ServicePrincipal Oauth2Permission Scope[] A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id string The object ID of the service principal.
- redirect
Uris string[] A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata stringUrl The URL where the service exposes SAML metadata for federation.
- service
Principal string[]Names A list of identifier URI(s), copied over from the associated application.
- sign
In stringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app_
role_ Mapping[str, str]ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app_
roles Sequence[ServicePrincipal App Role] A list of app roles published by the associated application, as documented below. For more information official documentation.
- application_
tenant_ strid The tenant ID where the associated application is registered.
- display_
name str Display name for the app role that appears during app role assignment and in consent experiences.
- homepage_
url str Home page or landing page of the associated application.
- id str
The provider-assigned unique ID for this managed resource.
- logout_
url str The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2_
permission_ Mapping[str, str]scope_ ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2_
permission_ Sequence[Servicescopes Principal Oauth2Permission Scope] A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object_
id str The object ID of the service principal.
- redirect_
uris Sequence[str] A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml_
metadata_ strurl The URL where the service exposes SAML metadata for federation.
- service_
principal_ Sequence[str]names A list of identifier URI(s), copied over from the associated application.
- sign_
in_ straudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- type str
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app
Role Map<String>Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<Property Map> A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant StringId The tenant ID where the associated application is registered.
- display
Name String Display name for the app role that appears during app role assignment and in consent experiences.
- homepage
Url String Home page or landing page of the associated application.
- id String
The provider-assigned unique ID for this managed resource.
- logout
Url String The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2Permission
Scope Map<String>Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<Property Map> A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String The object ID of the service principal.
- redirect
Uris List<String> A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl The URL where the service exposes SAML metadata for federation.
- service
Principal List<String>Names A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- type String
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
Look up Existing ServicePrincipal Resource
Get an existing ServicePrincipal resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ServicePrincipalState, opts?: CustomResourceOptions): ServicePrincipal
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
account_enabled: Optional[bool] = None,
alternative_names: Optional[Sequence[str]] = None,
app_role_assignment_required: Optional[bool] = None,
app_role_ids: Optional[Mapping[str, str]] = None,
app_roles: Optional[Sequence[ServicePrincipalAppRoleArgs]] = None,
application_id: Optional[str] = None,
application_tenant_id: Optional[str] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
homepage_url: Optional[str] = None,
login_url: Optional[str] = None,
logout_url: Optional[str] = None,
notes: Optional[str] = None,
notification_email_addresses: Optional[Sequence[str]] = None,
oauth2_permission_scope_ids: Optional[Mapping[str, str]] = None,
oauth2_permission_scopes: Optional[Sequence[ServicePrincipalOauth2PermissionScopeArgs]] = None,
object_id: Optional[str] = None,
owners: Optional[Sequence[str]] = None,
preferred_single_sign_on_mode: Optional[str] = None,
redirect_uris: Optional[Sequence[str]] = None,
saml_metadata_url: Optional[str] = None,
saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
service_principal_names: Optional[Sequence[str]] = None,
sign_in_audience: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
type: Optional[str] = None,
use_existing: Optional[bool] = None) -> ServicePrincipal
func GetServicePrincipal(ctx *Context, name string, id IDInput, state *ServicePrincipalState, opts ...ResourceOption) (*ServicePrincipal, error)
public static ServicePrincipal Get(string name, Input<string> id, ServicePrincipalState? state, CustomResourceOptions? opts = null)
public static ServicePrincipal get(String name, Output<String> id, ServicePrincipalState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Account
Enabled bool Whether or not the service principal account is enabled. Defaults to
true
.- Alternative
Names List<string> A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- App
Role Dictionary<string, string>Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles List<Pulumi.Azure AD. Inputs. Service Principal App Role Args> A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Id string The application ID (client ID) of the application for which to create a service principal.
- Application
Tenant stringId The tenant ID where the associated application is registered.
- Description string
A description of the service principal provided for internal end-users.
- Display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- List<Pulumi.
Azure AD. Inputs. Service Principal Feature Tag Args> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
List<Pulumi.
Azure AD. Inputs. Service Principal Feature Args> Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- Homepage
Url string Home page or landing page of the associated application.
- Login
Url string The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Logout
Url string The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Notes string
A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email List<string>Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Oauth2Permission
Scope Dictionary<string, string>Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes List<Pulumi.Azure AD. Inputs. Service Principal Oauth2Permission Scope Args> A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string The object ID of the service principal.
- Owners List<string>
A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- Redirect
Uris List<string> A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl The URL where the service exposes SAML metadata for federation.
- Saml
Single Pulumi.Sign On Azure AD. Inputs. Service Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- Service
Principal List<string>Names A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- List<string>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- Use
Existing bool When true, the resource will return an existing service principal instead of failing with an error
- Account
Enabled bool Whether or not the service principal account is enabled. Defaults to
true
.- Alternative
Names []string A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- App
Role map[string]stringIds A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles []ServicePrincipal App Role Args A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Id string The application ID (client ID) of the application for which to create a service principal.
- Application
Tenant stringId The tenant ID where the associated application is registered.
- Description string
A description of the service principal provided for internal end-users.
- Display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- []Service
Principal Feature Tag Args A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
[]Service
Principal Feature Args Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- Homepage
Url string Home page or landing page of the associated application.
- Login
Url string The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Logout
Url string The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Notes string
A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email []stringAddresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Oauth2Permission
Scope map[string]stringIds A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes []ServicePrincipal Oauth2Permission Scope Args A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string The object ID of the service principal.
- Owners []string
A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- Redirect
Uris []string A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl The URL where the service exposes SAML metadata for federation.
- Saml
Single ServiceSign On Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- Service
Principal []stringNames A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- []string
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- Use
Existing bool When true, the resource will return an existing service principal instead of failing with an error
- account
Enabled Boolean Whether or not the service principal account is enabled. Defaults to
true
.- alternative
Names List<String> A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- app
Role Map<String,String>Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<ServicePrincipal App Role Args> A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Id String The application ID (client ID) of the application for which to create a service principal.
- application
Tenant StringId The tenant ID where the associated application is registered.
- description String
A description of the service principal provided for internal end-users.
- display
Name String Display name for the app role that appears during app role assignment and in consent experiences.
- List<Service
Principal Feature Tag Args> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
List<Service
Principal Feature Args> Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- homepage
Url String Home page or landing page of the associated application.
- login
Url String The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout
Url String The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes String
A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2Permission
Scope Map<String,String>Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<ServicePrincipal Oauth2Permission Scope Args> A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String The object ID of the service principal.
- owners List<String>
A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- redirect
Uris List<String> A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl The URL where the service exposes SAML metadata for federation.
- saml
Single ServiceSign On Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- service
Principal List<String>Names A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type String
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- use
Existing Boolean When true, the resource will return an existing service principal instead of failing with an error
- account
Enabled boolean Whether or not the service principal account is enabled. Defaults to
true
.- alternative
Names string[] A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role booleanAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- app
Role {[key: string]: string}Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles ServicePrincipal App Role Args[] A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Id string The application ID (client ID) of the application for which to create a service principal.
- application
Tenant stringId The tenant ID where the associated application is registered.
- description string
A description of the service principal provided for internal end-users.
- display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- Service
Principal Feature Tag Args[] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Service
Principal Feature Args[] Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- homepage
Url string Home page or landing page of the associated application.
- login
Url string The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout
Url string The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes string
A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email string[]Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2Permission
Scope {[key: string]: string}Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes ServicePrincipal Oauth2Permission Scope Args[] A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id string The object ID of the service principal.
- owners string[]
A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single stringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- redirect
Uris string[] A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata stringUrl The URL where the service exposes SAML metadata for federation.
- saml
Single ServiceSign On Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- service
Principal string[]Names A list of identifier URI(s), copied over from the associated application.
- sign
In stringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- string[]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- use
Existing boolean When true, the resource will return an existing service principal instead of failing with an error
- account_
enabled bool Whether or not the service principal account is enabled. Defaults to
true
.- alternative_
names Sequence[str] A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app_
role_ boolassignment_ required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- app_
role_ Mapping[str, str]ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app_
roles Sequence[ServicePrincipal App Role Args] A list of app roles published by the associated application, as documented below. For more information official documentation.
- application_
id str The application ID (client ID) of the application for which to create a service principal.
- application_
tenant_ strid The tenant ID where the associated application is registered.
- description str
A description of the service principal provided for internal end-users.
- display_
name str Display name for the app role that appears during app role assignment and in consent experiences.
- Sequence[Service
Principal Feature Tag Args] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Sequence[Service
Principal Feature Args] Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- homepage_
url str Home page or landing page of the associated application.
- login_
url str The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout_
url str The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes str
A free text field to capture information about the service principal, typically used for operational purposes.
- notification_
email_ Sequence[str]addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2_
permission_ Mapping[str, str]scope_ ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2_
permission_ Sequence[Servicescopes Principal Oauth2Permission Scope Args] A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object_
id str The object ID of the service principal.
- owners Sequence[str]
A list of object IDs of principals that will be granted ownership of the service principal
- preferred_
single_ strsign_ on_ mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- redirect_
uris Sequence[str] A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml_
metadata_ strurl The URL where the service exposes SAML metadata for federation.
- saml_
single_ Servicesign_ on Principal Saml Single Sign On Args A
saml_single_sign_on
block as documented below.- service_
principal_ Sequence[str]names A list of identifier URI(s), copied over from the associated application.
- sign_
in_ straudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- Sequence[str]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type str
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- use_
existing bool When true, the resource will return an existing service principal instead of failing with an error
- account
Enabled Boolean Whether or not the service principal account is enabled. Defaults to
true
.- alternative
Names List<String> A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
.- app
Role Map<String>Ids A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<Property Map> A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Id String The application ID (client ID) of the application for which to create a service principal.
- application
Tenant StringId The tenant ID where the associated application is registered.
- description String
A description of the service principal provided for internal end-users.
- display
Name String Display name for the app role that appears during app role assignment and in consent experiences.
- List<Property Map>
A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features List<Property Map>
Block of features to configure for this service principal using tags
This block has been renamed to
feature_tags
and will be removed in version 3.0 of the provider- homepage
Url String Home page or landing page of the associated application.
- login
Url String The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout
Url String The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes String
A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2Permission
Scope Map<String>Ids A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<Property Map> A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String The object ID of the service principal.
- owners List<String>
A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset.- redirect
Uris List<String> A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl The URL where the service exposes SAML metadata for federation.
- saml
Single Property MapSign On A
saml_single_sign_on
block as documented below.- service
Principal List<String>Names A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
.- List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type String
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- use
Existing Boolean When true, the resource will return an existing service principal instead of failing with an error
Supporting Types
ServicePrincipalAppRole
- Allowed
Member List<string>Types Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both.- Description string
A description of the service principal provided for internal end-users.
- Display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- Enabled bool
Specifies whether the permission scope is enabled.
- Id string
The unique identifier of the delegated permission.
- Value string
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- Allowed
Member []stringTypes Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both.- Description string
A description of the service principal provided for internal end-users.
- Display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- Enabled bool
Specifies whether the permission scope is enabled.
- Id string
The unique identifier of the delegated permission.
- Value string
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed
Member List<String>Types Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both.- description String
A description of the service principal provided for internal end-users.
- display
Name String Display name for the app role that appears during app role assignment and in consent experiences.
- enabled Boolean
Specifies whether the permission scope is enabled.
- id String
The unique identifier of the delegated permission.
- value String
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed
Member string[]Types Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both.- description string
A description of the service principal provided for internal end-users.
- display
Name string Display name for the app role that appears during app role assignment and in consent experiences.
- enabled boolean
Specifies whether the permission scope is enabled.
- id string
The unique identifier of the delegated permission.
- value string
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed_
member_ Sequence[str]types Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both.- description str
A description of the service principal provided for internal end-users.
- display_
name str Display name for the app role that appears during app role assignment and in consent experiences.
- enabled bool
Specifies whether the permission scope is enabled.
- id str
The unique identifier of the delegated permission.
- value str
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed
Member List<String>Types Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both.- description String
A description of the service principal provided for internal end-users.
- display
Name String Display name for the app role that appears during app role assignment and in consent experiences.
- enabled Boolean
Specifies whether the permission scope is enabled.
- id String
The unique identifier of the delegated permission.
- value String
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
ServicePrincipalFeature
- Custom
Single boolSign On App - Enterprise
Application bool - Gallery
Application bool - Visible
To boolUsers
- Custom
Single boolSign On App - Enterprise
Application bool - Gallery
Application bool - Visible
To boolUsers
- custom
Single BooleanSign On App - enterprise
Application Boolean - gallery
Application Boolean - visible
To BooleanUsers
- custom
Single booleanSign On App - enterprise
Application boolean - gallery
Application boolean - visible
To booleanUsers
- custom
Single BooleanSign On App - enterprise
Application Boolean - gallery
Application Boolean - visible
To BooleanUsers
ServicePrincipalFeatureTag
- Custom
Single boolSign On Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
.- Enterprise bool
Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
.- Gallery bool
Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
.- Hide bool
Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- Custom
Single boolSign On Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
.- Enterprise bool
Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
.- Gallery bool
Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
.- Hide bool
Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom
Single BooleanSign On Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
.- enterprise Boolean
Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
.- gallery Boolean
Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
.- hide Boolean
Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom
Single booleanSign On Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
.- enterprise boolean
Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
.- gallery boolean
Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
.- hide boolean
Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom_
single_ boolsign_ on Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
.- enterprise bool
Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
.- gallery bool
Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
.- hide bool
Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom
Single BooleanSign On Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
.- enterprise Boolean
Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
.- gallery Boolean
Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
.- hide Boolean
Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
ServicePrincipalOauth2PermissionScope
- Admin
Consent stringDescription Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- Admin
Consent stringDisplay Name Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- Enabled bool
Specifies whether the permission scope is enabled.
- Id string
The unique identifier of the delegated permission.
- Type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- User
Consent stringDescription Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- User
Consent stringDisplay Name Display name for the delegated permission that appears in the end user consent experience.
- Value string
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- Admin
Consent stringDescription Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- Admin
Consent stringDisplay Name Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- Enabled bool
Specifies whether the permission scope is enabled.
- Id string
The unique identifier of the delegated permission.
- Type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- User
Consent stringDescription Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- User
Consent stringDisplay Name Display name for the delegated permission that appears in the end user consent experience.
- Value string
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin
Consent StringDescription Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin
Consent StringDisplay Name Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled Boolean
Specifies whether the permission scope is enabled.
- id String
The unique identifier of the delegated permission.
- type String
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- user
Consent StringDescription Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user
Consent StringDisplay Name Display name for the delegated permission that appears in the end user consent experience.
- value String
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin
Consent stringDescription Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin
Consent stringDisplay Name Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled boolean
Specifies whether the permission scope is enabled.
- id string
The unique identifier of the delegated permission.
- type string
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- user
Consent stringDescription Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user
Consent stringDisplay Name Display name for the delegated permission that appears in the end user consent experience.
- value string
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin_
consent_ strdescription Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin_
consent_ strdisplay_ name Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled bool
Specifies whether the permission scope is enabled.
- id str
The unique identifier of the delegated permission.
- type str
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- user_
consent_ strdescription Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user_
consent_ strdisplay_ name Display name for the delegated permission that appears in the end user consent experience.
- value str
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin
Consent StringDescription Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin
Consent StringDisplay Name Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled Boolean
Specifies whether the permission scope is enabled.
- id String
The unique identifier of the delegated permission.
- type String
Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.- user
Consent StringDescription Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user
Consent StringDisplay Name Display name for the delegated permission that appears in the end user consent experience.
- value String
The value that is used for the
scp
claim in OAuth 2.0 access tokens.
ServicePrincipalSamlSingleSignOn
- Relay
State string The relative URI the service provider would redirect to after completion of the single sign-on flow.
- Relay
State string The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay
State String The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay
State string The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay_
state str The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay
State String The relative URI the service provider would redirect to after completion of the single sign-on flow.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
azuread
Terraform Provider.