azuread logo
Azure Active Directory (Azure AD) v5.38.0, May 17 23

azuread.ServicePrincipal

Explore with Pulumi AI

Import

Service principals can be imported using their object ID, e.g.

 $ pulumi import azuread:index/servicePrincipal:ServicePrincipal test 00000000-0000-0000-0000-000000000000

Example Usage

Create a service principal for an application

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var exampleApplication = new AzureAD.Application("exampleApplication", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
    {
        ApplicationId = exampleApplication.ApplicationId,
        AppRoleAssignmentRequired = false,
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				*pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId:             exampleApplication.ApplicationId,
			AppRoleAssignmentRequired: pulumi.Bool(false),
			Owners: pulumi.StringArray{
				*pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()        
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(exampleApplication.applicationId())
            .appRoleAssignmentRequired(false)
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}
import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example_application = azuread.Application("exampleApplication",
    display_name="example",
    owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
    application_id=example_application.application_id,
    app_role_assignment_required=False,
    owners=[current.object_id])
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const exampleApplication = new azuread.Application("exampleApplication", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
    applicationId: exampleApplication.applicationId,
    appRoleAssignmentRequired: false,
    owners: [current.then(current => current.objectId)],
});
resources:
  exampleApplication:
    type: azuread:Application
    properties:
      displayName: example
      owners:
        - ${current.objectId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${exampleApplication.applicationId}
      appRoleAssignmentRequired: false
      owners:
        - ${current.objectId}
variables:
  current:
    fn::invoke:
      Function: azuread:getClientConfig
      Arguments: {}

Create a service principal for an enterprise application

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var exampleApplication = new AzureAD.Application("exampleApplication", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
    {
        ApplicationId = exampleApplication.ApplicationId,
        AppRoleAssignmentRequired = false,
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
        FeatureTags = new[]
        {
            new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
            {
                Enterprise = true,
                Gallery = true,
            },
        },
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				*pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId:             exampleApplication.ApplicationId,
			AppRoleAssignmentRequired: pulumi.Bool(false),
			Owners: pulumi.StringArray{
				*pulumi.String(current.ObjectId),
			},
			FeatureTags: azuread.ServicePrincipalFeatureTagArray{
				&azuread.ServicePrincipalFeatureTagArgs{
					Enterprise: pulumi.Bool(true),
					Gallery:    pulumi.Bool(true),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()        
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(exampleApplication.applicationId())
            .appRoleAssignmentRequired(false)
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .featureTags(ServicePrincipalFeatureTagArgs.builder()
                .enterprise(true)
                .gallery(true)
                .build())
            .build());

    }
}
import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example_application = azuread.Application("exampleApplication",
    display_name="example",
    owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
    application_id=example_application.application_id,
    app_role_assignment_required=False,
    owners=[current.object_id],
    feature_tags=[azuread.ServicePrincipalFeatureTagArgs(
        enterprise=True,
        gallery=True,
    )])
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const exampleApplication = new azuread.Application("exampleApplication", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
    applicationId: exampleApplication.applicationId,
    appRoleAssignmentRequired: false,
    owners: [current.then(current => current.objectId)],
    featureTags: [{
        enterprise: true,
        gallery: true,
    }],
});
resources:
  exampleApplication:
    type: azuread:Application
    properties:
      displayName: example
      owners:
        - ${current.objectId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${exampleApplication.applicationId}
      appRoleAssignmentRequired: false
      owners:
        - ${current.objectId}
      featureTags:
        - enterprise: true
          gallery: true
variables:
  current:
    fn::invoke:
      Function: azuread:getClientConfig
      Arguments: {}

Manage a service principal for a first-party Microsoft application

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();

    var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
    {
        ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
        UseExisting = true,
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
			ApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),
			UseExisting:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();

        var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()        
            .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
            .useExisting(true)
            .build());

    }
}
import pulumi
import pulumi_azuread as azuread

well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
    application_id=well_known.result["MicrosoftGraph"],
    use_existing=True)
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
    applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
    useExisting: true,
});
resources:
  msgraph:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${wellKnown.result.MicrosoftGraph}
      useExisting: true
variables:
  wellKnown:
    fn::invoke:
      Function: azuread:getApplicationPublishedAppIds
      Arguments: {}

Create a service principal for an application created from a gallery template

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var exampleApplicationTemplate = AzureAD.GetApplicationTemplate.Invoke(new()
    {
        DisplayName = "Marketo",
    });

    var exampleApplication = new AzureAD.Application("exampleApplication", new()
    {
        DisplayName = "example",
        TemplateId = exampleApplicationTemplate.Apply(getApplicationTemplateResult => getApplicationTemplateResult.TemplateId),
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
    {
        ApplicationId = exampleApplication.ApplicationId,
        UseExisting = true,
    });

});
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleApplicationTemplate, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{
			DisplayName: pulumi.StringRef("Marketo"),
		}, nil)
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "exampleApplication", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			TemplateId:  *pulumi.String(exampleApplicationTemplate.TemplateId),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
			ApplicationId: exampleApplication.ApplicationId,
			UseExisting:   pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetApplicationTemplateArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var exampleApplicationTemplate = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()
            .displayName("Marketo")
            .build());

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()        
            .displayName("example")
            .templateId(exampleApplicationTemplate.applyValue(getApplicationTemplateResult -> getApplicationTemplateResult.templateId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()        
            .applicationId(exampleApplication.applicationId())
            .useExisting(true)
            .build());

    }
}
import pulumi
import pulumi_azuread as azuread

example_application_template = azuread.get_application_template(display_name="Marketo")
example_application = azuread.Application("exampleApplication",
    display_name="example",
    template_id=example_application_template.template_id)
example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
    application_id=example_application.application_id,
    use_existing=True)
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const exampleApplicationTemplate = azuread.getApplicationTemplate({
    displayName: "Marketo",
});
const exampleApplication = new azuread.Application("exampleApplication", {
    displayName: "example",
    templateId: exampleApplicationTemplate.then(exampleApplicationTemplate => exampleApplicationTemplate.templateId),
});
const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
    applicationId: exampleApplication.applicationId,
    useExisting: true,
});
resources:
  exampleApplication:
    type: azuread:Application
    properties:
      displayName: example
      templateId: ${exampleApplicationTemplate.templateId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    properties:
      applicationId: ${exampleApplication.applicationId}
      useExisting: true
variables:
  exampleApplicationTemplate:
    fn::invoke:
      Function: azuread:getApplicationTemplate
      Arguments:
        displayName: Marketo

Create ServicePrincipal Resource

new ServicePrincipal(name: string, args: ServicePrincipalArgs, opts?: CustomResourceOptions);
@overload
def ServicePrincipal(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     account_enabled: Optional[bool] = None,
                     alternative_names: Optional[Sequence[str]] = None,
                     app_role_assignment_required: Optional[bool] = None,
                     application_id: Optional[str] = None,
                     description: Optional[str] = None,
                     feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
                     features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
                     login_url: Optional[str] = None,
                     notes: Optional[str] = None,
                     notification_email_addresses: Optional[Sequence[str]] = None,
                     owners: Optional[Sequence[str]] = None,
                     preferred_single_sign_on_mode: Optional[str] = None,
                     saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
                     tags: Optional[Sequence[str]] = None,
                     use_existing: Optional[bool] = None)
@overload
def ServicePrincipal(resource_name: str,
                     args: ServicePrincipalArgs,
                     opts: Optional[ResourceOptions] = None)
func NewServicePrincipal(ctx *Context, name string, args ServicePrincipalArgs, opts ...ResourceOption) (*ServicePrincipal, error)
public ServicePrincipal(string name, ServicePrincipalArgs args, CustomResourceOptions? opts = null)
public ServicePrincipal(String name, ServicePrincipalArgs args)
public ServicePrincipal(String name, ServicePrincipalArgs args, CustomResourceOptions options)
type: azuread:ServicePrincipal
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ServicePrincipalArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ServicePrincipalArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ServicePrincipalArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ServicePrincipalArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ServicePrincipalArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

ServicePrincipal Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ServicePrincipal resource accepts the following input properties:

ApplicationId string

The application ID (client ID) of the application for which to create a service principal.

AccountEnabled bool

Whether or not the service principal account is enabled. Defaults to true.

AlternativeNames List<string>

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

AppRoleAssignmentRequired bool

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

Description string

A description of the service principal provided for internal end-users.

FeatureTags List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureTagArgs>

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

Features List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureArgs>

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

LoginUrl string

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

Notes string

A free text field to capture information about the service principal, typically used for operational purposes.

NotificationEmailAddresses List<string>

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

Owners List<string>

A list of object IDs of principals that will be granted ownership of the service principal

PreferredSingleSignOnMode string

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

SamlSingleSignOn Pulumi.AzureAD.Inputs.ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

Tags List<string>

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

UseExisting bool

When true, the resource will return an existing service principal instead of failing with an error

ApplicationId string

The application ID (client ID) of the application for which to create a service principal.

AccountEnabled bool

Whether or not the service principal account is enabled. Defaults to true.

AlternativeNames []string

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

AppRoleAssignmentRequired bool

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

Description string

A description of the service principal provided for internal end-users.

FeatureTags []ServicePrincipalFeatureTagArgs

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

Features []ServicePrincipalFeatureArgs

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

LoginUrl string

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

Notes string

A free text field to capture information about the service principal, typically used for operational purposes.

NotificationEmailAddresses []string

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

Owners []string

A list of object IDs of principals that will be granted ownership of the service principal

PreferredSingleSignOnMode string

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

SamlSingleSignOn ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

Tags []string

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

UseExisting bool

When true, the resource will return an existing service principal instead of failing with an error

applicationId String

The application ID (client ID) of the application for which to create a service principal.

accountEnabled Boolean

Whether or not the service principal account is enabled. Defaults to true.

alternativeNames List<String>

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

appRoleAssignmentRequired Boolean

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

description String

A description of the service principal provided for internal end-users.

featureTags List<ServicePrincipalFeatureTagArgs>

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features List<ServicePrincipalFeatureArgs>

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

loginUrl String

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

notes String

A free text field to capture information about the service principal, typically used for operational purposes.

notificationEmailAddresses List<String>

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

owners List<String>

A list of object IDs of principals that will be granted ownership of the service principal

preferredSingleSignOnMode String

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

samlSingleSignOn ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

tags List<String>

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

useExisting Boolean

When true, the resource will return an existing service principal instead of failing with an error

applicationId string

The application ID (client ID) of the application for which to create a service principal.

accountEnabled boolean

Whether or not the service principal account is enabled. Defaults to true.

alternativeNames string[]

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

appRoleAssignmentRequired boolean

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

description string

A description of the service principal provided for internal end-users.

featureTags ServicePrincipalFeatureTagArgs[]

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features ServicePrincipalFeatureArgs[]

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

loginUrl string

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

notes string

A free text field to capture information about the service principal, typically used for operational purposes.

notificationEmailAddresses string[]

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

owners string[]

A list of object IDs of principals that will be granted ownership of the service principal

preferredSingleSignOnMode string

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

samlSingleSignOn ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

tags string[]

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

useExisting boolean

When true, the resource will return an existing service principal instead of failing with an error

application_id str

The application ID (client ID) of the application for which to create a service principal.

account_enabled bool

Whether or not the service principal account is enabled. Defaults to true.

alternative_names Sequence[str]

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

app_role_assignment_required bool

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

description str

A description of the service principal provided for internal end-users.

feature_tags Sequence[ServicePrincipalFeatureTagArgs]

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features Sequence[ServicePrincipalFeatureArgs]

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

login_url str

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

notes str

A free text field to capture information about the service principal, typically used for operational purposes.

notification_email_addresses Sequence[str]

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

owners Sequence[str]

A list of object IDs of principals that will be granted ownership of the service principal

preferred_single_sign_on_mode str

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

saml_single_sign_on ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

tags Sequence[str]

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

use_existing bool

When true, the resource will return an existing service principal instead of failing with an error

applicationId String

The application ID (client ID) of the application for which to create a service principal.

accountEnabled Boolean

Whether or not the service principal account is enabled. Defaults to true.

alternativeNames List<String>

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

appRoleAssignmentRequired Boolean

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

description String

A description of the service principal provided for internal end-users.

featureTags List<Property Map>

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features List<Property Map>

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

loginUrl String

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

notes String

A free text field to capture information about the service principal, typically used for operational purposes.

notificationEmailAddresses List<String>

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

owners List<String>

A list of object IDs of principals that will be granted ownership of the service principal

preferredSingleSignOnMode String

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

samlSingleSignOn Property Map

A saml_single_sign_on block as documented below.

tags List<String>

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

useExisting Boolean

When true, the resource will return an existing service principal instead of failing with an error

Outputs

All input properties are implicitly available as output properties. Additionally, the ServicePrincipal resource produces the following output properties:

AppRoleIds Dictionary<string, string>

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

AppRoles List<Pulumi.AzureAD.Outputs.ServicePrincipalAppRole>

A list of app roles published by the associated application, as documented below. For more information official documentation.

ApplicationTenantId string

The tenant ID where the associated application is registered.

DisplayName string

Display name for the app role that appears during app role assignment and in consent experiences.

HomepageUrl string

Home page or landing page of the associated application.

Id string

The provider-assigned unique ID for this managed resource.

LogoutUrl string

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

Oauth2PermissionScopeIds Dictionary<string, string>

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

Oauth2PermissionScopes List<Pulumi.AzureAD.Outputs.ServicePrincipalOauth2PermissionScope>

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

ObjectId string

The object ID of the service principal.

RedirectUris List<string>

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

SamlMetadataUrl string

The URL where the service exposes SAML metadata for federation.

ServicePrincipalNames List<string>

A list of identifier URI(s), copied over from the associated application.

SignInAudience string

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

Type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

AppRoleIds map[string]string

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

AppRoles []ServicePrincipalAppRole

A list of app roles published by the associated application, as documented below. For more information official documentation.

ApplicationTenantId string

The tenant ID where the associated application is registered.

DisplayName string

Display name for the app role that appears during app role assignment and in consent experiences.

HomepageUrl string

Home page or landing page of the associated application.

Id string

The provider-assigned unique ID for this managed resource.

LogoutUrl string

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

Oauth2PermissionScopeIds map[string]string

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

Oauth2PermissionScopes []ServicePrincipalOauth2PermissionScope

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

ObjectId string

The object ID of the service principal.

RedirectUris []string

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

SamlMetadataUrl string

The URL where the service exposes SAML metadata for federation.

ServicePrincipalNames []string

A list of identifier URI(s), copied over from the associated application.

SignInAudience string

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

Type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

appRoleIds Map<String,String>

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

appRoles List<ServicePrincipalAppRole>

A list of app roles published by the associated application, as documented below. For more information official documentation.

applicationTenantId String

The tenant ID where the associated application is registered.

displayName String

Display name for the app role that appears during app role assignment and in consent experiences.

homepageUrl String

Home page or landing page of the associated application.

id String

The provider-assigned unique ID for this managed resource.

logoutUrl String

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

oauth2PermissionScopeIds Map<String,String>

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2PermissionScopes List<ServicePrincipalOauth2PermissionScope>

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

objectId String

The object ID of the service principal.

redirectUris List<String>

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

samlMetadataUrl String

The URL where the service exposes SAML metadata for federation.

servicePrincipalNames List<String>

A list of identifier URI(s), copied over from the associated application.

signInAudience String

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

type String

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

appRoleIds {[key: string]: string}

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

appRoles ServicePrincipalAppRole[]

A list of app roles published by the associated application, as documented below. For more information official documentation.

applicationTenantId string

The tenant ID where the associated application is registered.

displayName string

Display name for the app role that appears during app role assignment and in consent experiences.

homepageUrl string

Home page or landing page of the associated application.

id string

The provider-assigned unique ID for this managed resource.

logoutUrl string

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

oauth2PermissionScopeIds {[key: string]: string}

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2PermissionScopes ServicePrincipalOauth2PermissionScope[]

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

objectId string

The object ID of the service principal.

redirectUris string[]

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

samlMetadataUrl string

The URL where the service exposes SAML metadata for federation.

servicePrincipalNames string[]

A list of identifier URI(s), copied over from the associated application.

signInAudience string

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

app_role_ids Mapping[str, str]

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

app_roles Sequence[ServicePrincipalAppRole]

A list of app roles published by the associated application, as documented below. For more information official documentation.

application_tenant_id str

The tenant ID where the associated application is registered.

display_name str

Display name for the app role that appears during app role assignment and in consent experiences.

homepage_url str

Home page or landing page of the associated application.

id str

The provider-assigned unique ID for this managed resource.

logout_url str

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

oauth2_permission_scope_ids Mapping[str, str]

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2_permission_scopes Sequence[ServicePrincipalOauth2PermissionScope]

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

object_id str

The object ID of the service principal.

redirect_uris Sequence[str]

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

saml_metadata_url str

The URL where the service exposes SAML metadata for federation.

service_principal_names Sequence[str]

A list of identifier URI(s), copied over from the associated application.

sign_in_audience str

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

type str

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

appRoleIds Map<String>

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

appRoles List<Property Map>

A list of app roles published by the associated application, as documented below. For more information official documentation.

applicationTenantId String

The tenant ID where the associated application is registered.

displayName String

Display name for the app role that appears during app role assignment and in consent experiences.

homepageUrl String

Home page or landing page of the associated application.

id String

The provider-assigned unique ID for this managed resource.

logoutUrl String

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

oauth2PermissionScopeIds Map<String>

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2PermissionScopes List<Property Map>

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

objectId String

The object ID of the service principal.

redirectUris List<String>

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

samlMetadataUrl String

The URL where the service exposes SAML metadata for federation.

servicePrincipalNames List<String>

A list of identifier URI(s), copied over from the associated application.

signInAudience String

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

type String

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

Look up Existing ServicePrincipal Resource

Get an existing ServicePrincipal resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServicePrincipalState, opts?: CustomResourceOptions): ServicePrincipal
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_enabled: Optional[bool] = None,
        alternative_names: Optional[Sequence[str]] = None,
        app_role_assignment_required: Optional[bool] = None,
        app_role_ids: Optional[Mapping[str, str]] = None,
        app_roles: Optional[Sequence[ServicePrincipalAppRoleArgs]] = None,
        application_id: Optional[str] = None,
        application_tenant_id: Optional[str] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
        features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
        homepage_url: Optional[str] = None,
        login_url: Optional[str] = None,
        logout_url: Optional[str] = None,
        notes: Optional[str] = None,
        notification_email_addresses: Optional[Sequence[str]] = None,
        oauth2_permission_scope_ids: Optional[Mapping[str, str]] = None,
        oauth2_permission_scopes: Optional[Sequence[ServicePrincipalOauth2PermissionScopeArgs]] = None,
        object_id: Optional[str] = None,
        owners: Optional[Sequence[str]] = None,
        preferred_single_sign_on_mode: Optional[str] = None,
        redirect_uris: Optional[Sequence[str]] = None,
        saml_metadata_url: Optional[str] = None,
        saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
        service_principal_names: Optional[Sequence[str]] = None,
        sign_in_audience: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        type: Optional[str] = None,
        use_existing: Optional[bool] = None) -> ServicePrincipal
func GetServicePrincipal(ctx *Context, name string, id IDInput, state *ServicePrincipalState, opts ...ResourceOption) (*ServicePrincipal, error)
public static ServicePrincipal Get(string name, Input<string> id, ServicePrincipalState? state, CustomResourceOptions? opts = null)
public static ServicePrincipal get(String name, Output<String> id, ServicePrincipalState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AccountEnabled bool

Whether or not the service principal account is enabled. Defaults to true.

AlternativeNames List<string>

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

AppRoleAssignmentRequired bool

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

AppRoleIds Dictionary<string, string>

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

AppRoles List<Pulumi.AzureAD.Inputs.ServicePrincipalAppRoleArgs>

A list of app roles published by the associated application, as documented below. For more information official documentation.

ApplicationId string

The application ID (client ID) of the application for which to create a service principal.

ApplicationTenantId string

The tenant ID where the associated application is registered.

Description string

A description of the service principal provided for internal end-users.

DisplayName string

Display name for the app role that appears during app role assignment and in consent experiences.

FeatureTags List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureTagArgs>

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

Features List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureArgs>

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

HomepageUrl string

Home page or landing page of the associated application.

LoginUrl string

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

LogoutUrl string

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

Notes string

A free text field to capture information about the service principal, typically used for operational purposes.

NotificationEmailAddresses List<string>

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

Oauth2PermissionScopeIds Dictionary<string, string>

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

Oauth2PermissionScopes List<Pulumi.AzureAD.Inputs.ServicePrincipalOauth2PermissionScopeArgs>

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

ObjectId string

The object ID of the service principal.

Owners List<string>

A list of object IDs of principals that will be granted ownership of the service principal

PreferredSingleSignOnMode string

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

RedirectUris List<string>

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

SamlMetadataUrl string

The URL where the service exposes SAML metadata for federation.

SamlSingleSignOn Pulumi.AzureAD.Inputs.ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

ServicePrincipalNames List<string>

A list of identifier URI(s), copied over from the associated application.

SignInAudience string

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

Tags List<string>

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

Type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

UseExisting bool

When true, the resource will return an existing service principal instead of failing with an error

AccountEnabled bool

Whether or not the service principal account is enabled. Defaults to true.

AlternativeNames []string

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

AppRoleAssignmentRequired bool

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

AppRoleIds map[string]string

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

AppRoles []ServicePrincipalAppRoleArgs

A list of app roles published by the associated application, as documented below. For more information official documentation.

ApplicationId string

The application ID (client ID) of the application for which to create a service principal.

ApplicationTenantId string

The tenant ID where the associated application is registered.

Description string

A description of the service principal provided for internal end-users.

DisplayName string

Display name for the app role that appears during app role assignment and in consent experiences.

FeatureTags []ServicePrincipalFeatureTagArgs

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

Features []ServicePrincipalFeatureArgs

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

HomepageUrl string

Home page or landing page of the associated application.

LoginUrl string

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

LogoutUrl string

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

Notes string

A free text field to capture information about the service principal, typically used for operational purposes.

NotificationEmailAddresses []string

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

Oauth2PermissionScopeIds map[string]string

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

Oauth2PermissionScopes []ServicePrincipalOauth2PermissionScopeArgs

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

ObjectId string

The object ID of the service principal.

Owners []string

A list of object IDs of principals that will be granted ownership of the service principal

PreferredSingleSignOnMode string

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

RedirectUris []string

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

SamlMetadataUrl string

The URL where the service exposes SAML metadata for federation.

SamlSingleSignOn ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

ServicePrincipalNames []string

A list of identifier URI(s), copied over from the associated application.

SignInAudience string

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

Tags []string

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

Type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

UseExisting bool

When true, the resource will return an existing service principal instead of failing with an error

accountEnabled Boolean

Whether or not the service principal account is enabled. Defaults to true.

alternativeNames List<String>

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

appRoleAssignmentRequired Boolean

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

appRoleIds Map<String,String>

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

appRoles List<ServicePrincipalAppRoleArgs>

A list of app roles published by the associated application, as documented below. For more information official documentation.

applicationId String

The application ID (client ID) of the application for which to create a service principal.

applicationTenantId String

The tenant ID where the associated application is registered.

description String

A description of the service principal provided for internal end-users.

displayName String

Display name for the app role that appears during app role assignment and in consent experiences.

featureTags List<ServicePrincipalFeatureTagArgs>

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features List<ServicePrincipalFeatureArgs>

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

homepageUrl String

Home page or landing page of the associated application.

loginUrl String

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

logoutUrl String

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

notes String

A free text field to capture information about the service principal, typically used for operational purposes.

notificationEmailAddresses List<String>

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

oauth2PermissionScopeIds Map<String,String>

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2PermissionScopes List<ServicePrincipalOauth2PermissionScopeArgs>

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

objectId String

The object ID of the service principal.

owners List<String>

A list of object IDs of principals that will be granted ownership of the service principal

preferredSingleSignOnMode String

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

redirectUris List<String>

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

samlMetadataUrl String

The URL where the service exposes SAML metadata for federation.

samlSingleSignOn ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

servicePrincipalNames List<String>

A list of identifier URI(s), copied over from the associated application.

signInAudience String

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

tags List<String>

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

type String

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

useExisting Boolean

When true, the resource will return an existing service principal instead of failing with an error

accountEnabled boolean

Whether or not the service principal account is enabled. Defaults to true.

alternativeNames string[]

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

appRoleAssignmentRequired boolean

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

appRoleIds {[key: string]: string}

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

appRoles ServicePrincipalAppRoleArgs[]

A list of app roles published by the associated application, as documented below. For more information official documentation.

applicationId string

The application ID (client ID) of the application for which to create a service principal.

applicationTenantId string

The tenant ID where the associated application is registered.

description string

A description of the service principal provided for internal end-users.

displayName string

Display name for the app role that appears during app role assignment and in consent experiences.

featureTags ServicePrincipalFeatureTagArgs[]

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features ServicePrincipalFeatureArgs[]

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

homepageUrl string

Home page or landing page of the associated application.

loginUrl string

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

logoutUrl string

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

notes string

A free text field to capture information about the service principal, typically used for operational purposes.

notificationEmailAddresses string[]

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

oauth2PermissionScopeIds {[key: string]: string}

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2PermissionScopes ServicePrincipalOauth2PermissionScopeArgs[]

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

objectId string

The object ID of the service principal.

owners string[]

A list of object IDs of principals that will be granted ownership of the service principal

preferredSingleSignOnMode string

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

redirectUris string[]

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

samlMetadataUrl string

The URL where the service exposes SAML metadata for federation.

samlSingleSignOn ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

servicePrincipalNames string[]

A list of identifier URI(s), copied over from the associated application.

signInAudience string

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

tags string[]

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

useExisting boolean

When true, the resource will return an existing service principal instead of failing with an error

account_enabled bool

Whether or not the service principal account is enabled. Defaults to true.

alternative_names Sequence[str]

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

app_role_assignment_required bool

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

app_role_ids Mapping[str, str]

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

app_roles Sequence[ServicePrincipalAppRoleArgs]

A list of app roles published by the associated application, as documented below. For more information official documentation.

application_id str

The application ID (client ID) of the application for which to create a service principal.

application_tenant_id str

The tenant ID where the associated application is registered.

description str

A description of the service principal provided for internal end-users.

display_name str

Display name for the app role that appears during app role assignment and in consent experiences.

feature_tags Sequence[ServicePrincipalFeatureTagArgs]

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features Sequence[ServicePrincipalFeatureArgs]

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

homepage_url str

Home page or landing page of the associated application.

login_url str

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

logout_url str

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

notes str

A free text field to capture information about the service principal, typically used for operational purposes.

notification_email_addresses Sequence[str]

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

oauth2_permission_scope_ids Mapping[str, str]

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2_permission_scopes Sequence[ServicePrincipalOauth2PermissionScopeArgs]

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

object_id str

The object ID of the service principal.

owners Sequence[str]

A list of object IDs of principals that will be granted ownership of the service principal

preferred_single_sign_on_mode str

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

redirect_uris Sequence[str]

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

saml_metadata_url str

The URL where the service exposes SAML metadata for federation.

saml_single_sign_on ServicePrincipalSamlSingleSignOnArgs

A saml_single_sign_on block as documented below.

service_principal_names Sequence[str]

A list of identifier URI(s), copied over from the associated application.

sign_in_audience str

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

tags Sequence[str]

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

type str

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

use_existing bool

When true, the resource will return an existing service principal instead of failing with an error

accountEnabled Boolean

Whether or not the service principal account is enabled. Defaults to true.

alternativeNames List<String>

A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.

appRoleAssignmentRequired Boolean

Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.

appRoleIds Map<String>

A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.

appRoles List<Property Map>

A list of app roles published by the associated application, as documented below. For more information official documentation.

applicationId String

The application ID (client ID) of the application for which to create a service principal.

applicationTenantId String

The tenant ID where the associated application is registered.

description String

A description of the service principal provided for internal end-users.

displayName String

Display name for the app role that appears during app role assignment and in consent experiences.

featureTags List<Property Map>

A feature_tags block as described below. Cannot be used together with the tags property.

Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

features List<Property Map>

Block of features to configure for this service principal using tags

Deprecated:

This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

homepageUrl String

Home page or landing page of the associated application.

loginUrl String

The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.

logoutUrl String

The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.

notes String

A free text field to capture information about the service principal, typically used for operational purposes.

notificationEmailAddresses List<String>

A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.

oauth2PermissionScopeIds Map<String>

A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.

oauth2PermissionScopes List<Property Map>

A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.

objectId String

The object ID of the service principal.

owners List<String>

A list of object IDs of principals that will be granted ownership of the service principal

preferredSingleSignOnMode String

The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.

redirectUris List<String>

A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.

samlMetadataUrl String

The URL where the service exposes SAML metadata for federation.

samlSingleSignOn Property Map

A saml_single_sign_on block as documented below.

servicePrincipalNames List<String>

A list of identifier URI(s), copied over from the associated application.

signInAudience String

The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

tags List<String>

A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

type String

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

useExisting Boolean

When true, the resource will return an existing service principal instead of failing with an error

Supporting Types

ServicePrincipalAppRole

AllowedMemberTypes List<string>

Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.

Description string

A description of the service principal provided for internal end-users.

DisplayName string

Display name for the app role that appears during app role assignment and in consent experiences.

Enabled bool

Specifies whether the permission scope is enabled.

Id string

The unique identifier of the delegated permission.

Value string

The value that is used for the scp claim in OAuth 2.0 access tokens.

AllowedMemberTypes []string

Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.

Description string

A description of the service principal provided for internal end-users.

DisplayName string

Display name for the app role that appears during app role assignment and in consent experiences.

Enabled bool

Specifies whether the permission scope is enabled.

Id string

The unique identifier of the delegated permission.

Value string

The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes List<String>

Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.

description String

A description of the service principal provided for internal end-users.

displayName String

Display name for the app role that appears during app role assignment and in consent experiences.

enabled Boolean

Specifies whether the permission scope is enabled.

id String

The unique identifier of the delegated permission.

value String

The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes string[]

Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.

description string

A description of the service principal provided for internal end-users.

displayName string

Display name for the app role that appears during app role assignment and in consent experiences.

enabled boolean

Specifies whether the permission scope is enabled.

id string

The unique identifier of the delegated permission.

value string

The value that is used for the scp claim in OAuth 2.0 access tokens.

allowed_member_types Sequence[str]

Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.

description str

A description of the service principal provided for internal end-users.

display_name str

Display name for the app role that appears during app role assignment and in consent experiences.

enabled bool

Specifies whether the permission scope is enabled.

id str

The unique identifier of the delegated permission.

value str

The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes List<String>

Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.

description String

A description of the service principal provided for internal end-users.

displayName String

Display name for the app role that appears during app role assignment and in consent experiences.

enabled Boolean

Specifies whether the permission scope is enabled.

id String

The unique identifier of the delegated permission.

value String

The value that is used for the scp claim in OAuth 2.0 access tokens.

ServicePrincipalFeature

ServicePrincipalFeatureTag

CustomSingleSignOn bool

Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.

Enterprise bool

Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.

Gallery bool

Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.

Hide bool

Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

CustomSingleSignOn bool

Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.

Enterprise bool

Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.

Gallery bool

Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.

Hide bool

Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

customSingleSignOn Boolean

Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.

enterprise Boolean

Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.

gallery Boolean

Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.

hide Boolean

Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

customSingleSignOn boolean

Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.

enterprise boolean

Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.

gallery boolean

Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.

hide boolean

Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

custom_single_sign_on bool

Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.

enterprise bool

Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.

gallery bool

Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.

hide bool

Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

customSingleSignOn Boolean

Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.

enterprise Boolean

Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.

gallery Boolean

Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.

hide Boolean

Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

ServicePrincipalOauth2PermissionScope

AdminConsentDescription string

Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.

AdminConsentDisplayName string

Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.

Enabled bool

Specifies whether the permission scope is enabled.

Id string

The unique identifier of the delegated permission.

Type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

UserConsentDescription string

Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.

UserConsentDisplayName string

Display name for the delegated permission that appears in the end user consent experience.

Value string

The value that is used for the scp claim in OAuth 2.0 access tokens.

AdminConsentDescription string

Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.

AdminConsentDisplayName string

Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.

Enabled bool

Specifies whether the permission scope is enabled.

Id string

The unique identifier of the delegated permission.

Type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

UserConsentDescription string

Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.

UserConsentDisplayName string

Display name for the delegated permission that appears in the end user consent experience.

Value string

The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription String

Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.

adminConsentDisplayName String

Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.

enabled Boolean

Specifies whether the permission scope is enabled.

id String

The unique identifier of the delegated permission.

type String

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

userConsentDescription String

Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.

userConsentDisplayName String

Display name for the delegated permission that appears in the end user consent experience.

value String

The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription string

Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.

adminConsentDisplayName string

Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.

enabled boolean

Specifies whether the permission scope is enabled.

id string

The unique identifier of the delegated permission.

type string

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

userConsentDescription string

Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.

userConsentDisplayName string

Display name for the delegated permission that appears in the end user consent experience.

value string

The value that is used for the scp claim in OAuth 2.0 access tokens.

admin_consent_description str

Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.

admin_consent_display_name str

Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.

enabled bool

Specifies whether the permission scope is enabled.

id str

The unique identifier of the delegated permission.

type str

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

user_consent_description str

Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.

user_consent_display_name str

Display name for the delegated permission that appears in the end user consent experience.

value str

The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription String

Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.

adminConsentDisplayName String

Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.

enabled Boolean

Specifies whether the permission scope is enabled.

id String

The unique identifier of the delegated permission.

type String

Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

userConsentDescription String

Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.

userConsentDisplayName String

Display name for the delegated permission that appears in the end user consent experience.

value String

The value that is used for the scp claim in OAuth 2.0 access tokens.

ServicePrincipalSamlSingleSignOn

RelayState string

The relative URI the service provider would redirect to after completion of the single sign-on flow.

RelayState string

The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState String

The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState string

The relative URI the service provider would redirect to after completion of the single sign-on flow.

relay_state str

The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState String

The relative URI the service provider would redirect to after completion of the single sign-on flow.

Package Details

Repository
Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License
Apache-2.0
Notes

This Pulumi package is based on the azuread Terraform Provider.