Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. ServicePrincipal
Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi
pulumi/pulumi-azuread

azuread.ServicePrincipal

Explore with Pulumi AI

azuread logo
Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi
pulumi/pulumi-azuread

    Example Usage

    Create a service principal for an application

    import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.Application("example", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
    clientId: example.clientId,
    appRoleAssignmentRequired: false,
    owners: [current.then(current => current.objectId)],
});

    import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.Application("example",
    display_name="example",
    owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("example",
    client_id=example.client_id,
    app_role_assignment_required=False,
    owners=[current.object_id])

    package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId:                  example.ClientId,
			AppRoleAssignmentRequired: pulumi.Bool(false),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
        AppRoleAssignmentRequired = false,
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .appRoleAssignmentRequired(false)
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}

    resources:
  example:
    type: azuread:Application
    properties:
      displayName: example
      owners:
        - ${current.objectId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
      appRoleAssignmentRequired: false
      owners:
        - ${current.objectId}
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

    Create a service principal for an enterprise application

    import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.Application("example", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
    clientId: example.clientId,
    appRoleAssignmentRequired: false,
    owners: [current.then(current => current.objectId)],
    featureTags: [{
        enterprise: true,
        gallery: true,
    }],
});

    import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.Application("example",
    display_name="example",
    owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("example",
    client_id=example.client_id,
    app_role_assignment_required=False,
    owners=[current.object_id],
    feature_tags=[{
        "enterprise": True,
        "gallery": True,
    }])

    package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId:                  example.ClientId,
			AppRoleAssignmentRequired: pulumi.Bool(false),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
			FeatureTags: azuread.ServicePrincipalFeatureTagArray{
				&azuread.ServicePrincipalFeatureTagArgs{
					Enterprise: pulumi.Bool(true),
					Gallery:    pulumi.Bool(true),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
        AppRoleAssignmentRequired = false,
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
        FeatureTags = new[]
        {
            new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
            {
                Enterprise = true,
                Gallery = true,
            },
        },
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .appRoleAssignmentRequired(false)
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .featureTags(ServicePrincipalFeatureTagArgs.builder()
                .enterprise(true)
                .gallery(true)
                .build())
            .build());

    }
}

    resources:
  example:
    type: azuread:Application
    properties:
      displayName: example
      owners:
        - ${current.objectId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
      appRoleAssignmentRequired: false
      owners:
        - ${current.objectId}
      featureTags:
        - enterprise: true
          gallery: true
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

    Manage a service principal for a first-party Microsoft application

    import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
    clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
    useExisting: true,
});

    import pulumi
import pulumi_azuread as azuread

well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
    client_id=well_known.result["microsoftGraph"],
    use_existing=True)

    package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
			ClientId:    pulumi.String(wellKnown.Result.MicrosoftGraph),
			UseExisting: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();

    var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
    {
        ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
        UseExisting = true,
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();

        var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
            .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
            .useExisting(true)
            .build());

    }
}

    resources:
  msgraph:
    type: azuread:ServicePrincipal
    properties:
      clientId: ${wellKnown.result.microsoftGraph}
      useExisting: true
variables:
  wellKnown:
    fn::invoke:
      function: azuread:getApplicationPublishedAppIds
      arguments: {}

    Create a service principal for an application created from a gallery template

    import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = azuread.getApplicationTemplate({
    displayName: "Marketo",
});
const exampleApplication = new azuread.Application("example", {
    displayName: "example",
    templateId: example.then(example => example.templateId),
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
    clientId: exampleApplication.clientId,
    useExisting: true,
});

    import pulumi
import pulumi_azuread as azuread

example = azuread.get_application_template(display_name="Marketo")
example_application = azuread.Application("example",
    display_name="example",
    template_id=example.template_id)
example_service_principal = azuread.ServicePrincipal("example",
    client_id=example_application.client_id,
    use_existing=True)

    package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{
			DisplayName: pulumi.StringRef("Marketo"),
		}, nil)
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			TemplateId:  pulumi.String(example.TemplateId),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId:    exampleApplication.ClientId,
			UseExisting: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

    using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = AzureAD.GetApplicationTemplate.Invoke(new()
    {
        DisplayName = "Marketo",
    });

    var exampleApplication = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        TemplateId = example.Apply(getApplicationTemplateResult => getApplicationTemplateResult.TemplateId),
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = exampleApplication.ClientId,
        UseExisting = true,
    });

});

    package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetApplicationTemplateArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()
            .displayName("Marketo")
            .build());

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
            .displayName("example")
            .templateId(example.applyValue(getApplicationTemplateResult -> getApplicationTemplateResult.templateId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(exampleApplication.clientId())
            .useExisting(true)
            .build());

    }
}

    resources:
  exampleApplication:
    type: azuread:Application
    name: example
    properties:
      displayName: example
      templateId: ${example.templateId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${exampleApplication.clientId}
      useExisting: true
variables:
  example:
    fn::invoke:
      function: azuread:getApplicationTemplate
      arguments:
        displayName: Marketo

    Create ServicePrincipal Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ServicePrincipal(name: string, args: ServicePrincipalArgs, opts?: CustomResourceOptions);
    @overload
def ServicePrincipal(resource_name: str,
                     args: ServicePrincipalArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def ServicePrincipal(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     client_id: Optional[str] = None,
                     features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
                     notes: Optional[str] = None,
                     alternative_names: Optional[Sequence[str]] = None,
                     description: Optional[str] = None,
                     feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
                     account_enabled: Optional[bool] = None,
                     login_url: Optional[str] = None,
                     app_role_assignment_required: Optional[bool] = None,
                     notification_email_addresses: Optional[Sequence[str]] = None,
                     owners: Optional[Sequence[str]] = None,
                     preferred_single_sign_on_mode: Optional[str] = None,
                     saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
                     tags: Optional[Sequence[str]] = None,
                     use_existing: Optional[bool] = None)
    func NewServicePrincipal(ctx *Context, name string, args ServicePrincipalArgs, opts ...ResourceOption) (*ServicePrincipal, error)
    public ServicePrincipal(string name, ServicePrincipalArgs args, CustomResourceOptions? opts = null)
    public ServicePrincipal(String name, ServicePrincipalArgs args)
public ServicePrincipal(String name, ServicePrincipalArgs args, CustomResourceOptions options)

    type: azuread:ServicePrincipal
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args ServicePrincipalArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ServicePrincipalArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ServicePrincipalArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ServicePrincipalArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ServicePrincipalArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var servicePrincipalResource = new AzureAD.ServicePrincipal("servicePrincipalResource", new()
{
    ClientId = "string",
    Notes = "string",
    AlternativeNames = new[]
    {
        "string",
    },
    Description = "string",
    FeatureTags = new[]
    {
        new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
        {
            CustomSingleSignOn = false,
            Enterprise = false,
            Gallery = false,
            Hide = false,
        },
    },
    AccountEnabled = false,
    LoginUrl = "string",
    AppRoleAssignmentRequired = false,
    NotificationEmailAddresses = new[]
    {
        "string",
    },
    Owners = new[]
    {
        "string",
    },
    PreferredSingleSignOnMode = "string",
    SamlSingleSignOn = new AzureAD.Inputs.ServicePrincipalSamlSingleSignOnArgs
    {
        RelayState = "string",
    },
    Tags = new[]
    {
        "string",
    },
    UseExisting = false,
});

    example, err := azuread.NewServicePrincipal(ctx, "servicePrincipalResource", &azuread.ServicePrincipalArgs{
	ClientId: pulumi.String("string"),
	Notes:    pulumi.String("string"),
	AlternativeNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	FeatureTags: azuread.ServicePrincipalFeatureTagArray{
		&azuread.ServicePrincipalFeatureTagArgs{
			CustomSingleSignOn: pulumi.Bool(false),
			Enterprise:         pulumi.Bool(false),
			Gallery:            pulumi.Bool(false),
			Hide:               pulumi.Bool(false),
		},
	},
	AccountEnabled:            pulumi.Bool(false),
	LoginUrl:                  pulumi.String("string"),
	AppRoleAssignmentRequired: pulumi.Bool(false),
	NotificationEmailAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	Owners: pulumi.StringArray{
		pulumi.String("string"),
	},
	PreferredSingleSignOnMode: pulumi.String("string"),
	SamlSingleSignOn: &azuread.ServicePrincipalSamlSingleSignOnArgs{
		RelayState: pulumi.String("string"),
	},
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	UseExisting: pulumi.Bool(false),
})

    var servicePrincipalResource = new ServicePrincipal("servicePrincipalResource", ServicePrincipalArgs.builder()
    .clientId("string")
    .notes("string")
    .alternativeNames("string")
    .description("string")
    .featureTags(ServicePrincipalFeatureTagArgs.builder()
        .customSingleSignOn(false)
        .enterprise(false)
        .gallery(false)
        .hide(false)
        .build())
    .accountEnabled(false)
    .loginUrl("string")
    .appRoleAssignmentRequired(false)
    .notificationEmailAddresses("string")
    .owners("string")
    .preferredSingleSignOnMode("string")
    .samlSingleSignOn(ServicePrincipalSamlSingleSignOnArgs.builder()
        .relayState("string")
        .build())
    .tags("string")
    .useExisting(false)
    .build());

    service_principal_resource = azuread.ServicePrincipal("servicePrincipalResource",
    client_id="string",
    notes="string",
    alternative_names=["string"],
    description="string",
    feature_tags=[{
        "custom_single_sign_on": False,
        "enterprise": False,
        "gallery": False,
        "hide": False,
    }],
    account_enabled=False,
    login_url="string",
    app_role_assignment_required=False,
    notification_email_addresses=["string"],
    owners=["string"],
    preferred_single_sign_on_mode="string",
    saml_single_sign_on={
        "relay_state": "string",
    },
    tags=["string"],
    use_existing=False)

    const servicePrincipalResource = new azuread.ServicePrincipal("servicePrincipalResource", {
    clientId: "string",
    notes: "string",
    alternativeNames: ["string"],
    description: "string",
    featureTags: [{
        customSingleSignOn: false,
        enterprise: false,
        gallery: false,
        hide: false,
    }],
    accountEnabled: false,
    loginUrl: "string",
    appRoleAssignmentRequired: false,
    notificationEmailAddresses: ["string"],
    owners: ["string"],
    preferredSingleSignOnMode: "string",
    samlSingleSignOn: {
        relayState: "string",
    },
    tags: ["string"],
    useExisting: false,
});

    type: azuread:ServicePrincipal
properties:
    accountEnabled: false
    alternativeNames:
        - string
    appRoleAssignmentRequired: false
    clientId: string
    description: string
    featureTags:
        - customSingleSignOn: false
          enterprise: false
          gallery: false
          hide: false
    loginUrl: string
    notes: string
    notificationEmailAddresses:
        - string
    owners:
        - string
    preferredSingleSignOnMode: string
    samlSingleSignOn:
        relayState: string
    tags:
        - string
    useExisting: false

    ServicePrincipal Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The ServicePrincipal resource accepts the following input properties:

    ClientId string
    The client ID of the application for which to create a service principal.
    AccountEnabled bool
    Whether or not the service principal account is enabled. Defaults to true.
    AlternativeNames List<string>
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    AppRoleAssignmentRequired bool
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    Description string
    A description of the service principal provided for internal end-users.
    FeatureTags List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureTag>

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    Features List<Pulumi.AzureAD.Inputs.ServicePrincipalFeature>
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    LoginUrl string
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    Notes string
    A free text field to capture information about the service principal, typically used for operational purposes.
    NotificationEmailAddresses List<string>
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    Owners List<string>
    A list of object IDs of principals that will be granted ownership of the service principal
    PreferredSingleSignOnMode string
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    SamlSingleSignOn Pulumi.AzureAD.Inputs.ServicePrincipalSamlSingleSignOn
    A saml_single_sign_on block as documented below.
    Tags List<string>

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    UseExisting bool
    When true, the resource will return an existing service principal instead of failing with an error
    ClientId string
    The client ID of the application for which to create a service principal.
    AccountEnabled bool
    Whether or not the service principal account is enabled. Defaults to true.
    AlternativeNames []string
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    AppRoleAssignmentRequired bool
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    Description string
    A description of the service principal provided for internal end-users.
    FeatureTags []ServicePrincipalFeatureTagArgs

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    Features []ServicePrincipalFeatureArgs
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    LoginUrl string
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    Notes string
    A free text field to capture information about the service principal, typically used for operational purposes.
    NotificationEmailAddresses []string
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    Owners []string
    A list of object IDs of principals that will be granted ownership of the service principal
    PreferredSingleSignOnMode string
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    SamlSingleSignOn ServicePrincipalSamlSingleSignOnArgs
    A saml_single_sign_on block as documented below.
    Tags []string

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    UseExisting bool
    When true, the resource will return an existing service principal instead of failing with an error
    clientId String
    The client ID of the application for which to create a service principal.
    accountEnabled Boolean
    Whether or not the service principal account is enabled. Defaults to true.
    alternativeNames List<String>
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    appRoleAssignmentRequired Boolean
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    description String
    A description of the service principal provided for internal end-users.
    featureTags List<ServicePrincipalFeatureTag>

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features List<ServicePrincipalFeature>
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    loginUrl String
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    notes String
    A free text field to capture information about the service principal, typically used for operational purposes.
    notificationEmailAddresses List<String>
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    owners List<String>
    A list of object IDs of principals that will be granted ownership of the service principal
    preferredSingleSignOnMode String
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    samlSingleSignOn ServicePrincipalSamlSingleSignOn
    A saml_single_sign_on block as documented below.
    tags List<String>

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    useExisting Boolean
    When true, the resource will return an existing service principal instead of failing with an error
    clientId string
    The client ID of the application for which to create a service principal.
    accountEnabled boolean
    Whether or not the service principal account is enabled. Defaults to true.
    alternativeNames string[]
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    appRoleAssignmentRequired boolean
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    description string
    A description of the service principal provided for internal end-users.
    featureTags ServicePrincipalFeatureTag[]

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features ServicePrincipalFeature[]
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    loginUrl string
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    notes string
    A free text field to capture information about the service principal, typically used for operational purposes.
    notificationEmailAddresses string[]
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    owners string[]
    A list of object IDs of principals that will be granted ownership of the service principal
    preferredSingleSignOnMode string
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    samlSingleSignOn ServicePrincipalSamlSingleSignOn
    A saml_single_sign_on block as documented below.
    tags string[]

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    useExisting boolean
    When true, the resource will return an existing service principal instead of failing with an error
    client_id str
    The client ID of the application for which to create a service principal.
    account_enabled bool
    Whether or not the service principal account is enabled. Defaults to true.
    alternative_names Sequence[str]
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    app_role_assignment_required bool
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    description str
    A description of the service principal provided for internal end-users.
    feature_tags Sequence[ServicePrincipalFeatureTagArgs]

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features Sequence[ServicePrincipalFeatureArgs]
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    login_url str
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    notes str
    A free text field to capture information about the service principal, typically used for operational purposes.
    notification_email_addresses Sequence[str]
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    owners Sequence[str]
    A list of object IDs of principals that will be granted ownership of the service principal
    preferred_single_sign_on_mode str
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    saml_single_sign_on ServicePrincipalSamlSingleSignOnArgs
    A saml_single_sign_on block as documented below.
    tags Sequence[str]

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    use_existing bool
    When true, the resource will return an existing service principal instead of failing with an error
    clientId String
    The client ID of the application for which to create a service principal.
    accountEnabled Boolean
    Whether or not the service principal account is enabled. Defaults to true.
    alternativeNames List<String>
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    appRoleAssignmentRequired Boolean
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    description String
    A description of the service principal provided for internal end-users.
    featureTags List<Property Map>

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features List<Property Map>
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    loginUrl String
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    notes String
    A free text field to capture information about the service principal, typically used for operational purposes.
    notificationEmailAddresses List<String>
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    owners List<String>
    A list of object IDs of principals that will be granted ownership of the service principal
    preferredSingleSignOnMode String
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    samlSingleSignOn Property Map
    A saml_single_sign_on block as documented below.
    tags List<String>

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    useExisting Boolean
    When true, the resource will return an existing service principal instead of failing with an error

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ServicePrincipal resource produces the following output properties:

    AppRoleIds Dictionary<string, string>
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    AppRoles List<Pulumi.AzureAD.Outputs.ServicePrincipalAppRole>
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    ApplicationTenantId string
    The tenant ID where the associated application is registered.
    DisplayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    HomepageUrl string
    Home page or landing page of the associated application.
    Id string
    The provider-assigned unique ID for this managed resource.
    LogoutUrl string
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    Oauth2PermissionScopeIds Dictionary<string, string>
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    Oauth2PermissionScopes List<Pulumi.AzureAD.Outputs.ServicePrincipalOauth2PermissionScope>
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    ObjectId string
    The object ID of the service principal.
    RedirectUris List<string>
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    SamlMetadataUrl string
    The URL where the service exposes SAML metadata for federation.
    ServicePrincipalNames List<string>
    A list of identifier URI(s), copied over from the associated application.
    SignInAudience string
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    Type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    AppRoleIds map[string]string
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    AppRoles []ServicePrincipalAppRole
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    ApplicationTenantId string
    The tenant ID where the associated application is registered.
    DisplayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    HomepageUrl string
    Home page or landing page of the associated application.
    Id string
    The provider-assigned unique ID for this managed resource.
    LogoutUrl string
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    Oauth2PermissionScopeIds map[string]string
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    Oauth2PermissionScopes []ServicePrincipalOauth2PermissionScope
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    ObjectId string
    The object ID of the service principal.
    RedirectUris []string
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    SamlMetadataUrl string
    The URL where the service exposes SAML metadata for federation.
    ServicePrincipalNames []string
    A list of identifier URI(s), copied over from the associated application.
    SignInAudience string
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    Type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    appRoleIds Map<String,String>
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    appRoles List<ServicePrincipalAppRole>
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    applicationTenantId String
    The tenant ID where the associated application is registered.
    displayName String
    Display name for the app role that appears during app role assignment and in consent experiences.
    homepageUrl String
    Home page or landing page of the associated application.
    id String
    The provider-assigned unique ID for this managed resource.
    logoutUrl String
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    oauth2PermissionScopeIds Map<String,String>
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2PermissionScopes List<ServicePrincipalOauth2PermissionScope>
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    objectId String
    The object ID of the service principal.
    redirectUris List<String>
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    samlMetadataUrl String
    The URL where the service exposes SAML metadata for federation.
    servicePrincipalNames List<String>
    A list of identifier URI(s), copied over from the associated application.
    signInAudience String
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    type String
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    appRoleIds {[key: string]: string}
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    appRoles ServicePrincipalAppRole[]
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    applicationTenantId string
    The tenant ID where the associated application is registered.
    displayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    homepageUrl string
    Home page or landing page of the associated application.
    id string
    The provider-assigned unique ID for this managed resource.
    logoutUrl string
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    oauth2PermissionScopeIds {[key: string]: string}
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2PermissionScopes ServicePrincipalOauth2PermissionScope[]
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    objectId string
    The object ID of the service principal.
    redirectUris string[]
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    samlMetadataUrl string
    The URL where the service exposes SAML metadata for federation.
    servicePrincipalNames string[]
    A list of identifier URI(s), copied over from the associated application.
    signInAudience string
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    app_role_ids Mapping[str, str]
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    app_roles Sequence[ServicePrincipalAppRole]
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    application_tenant_id str
    The tenant ID where the associated application is registered.
    display_name str
    Display name for the app role that appears during app role assignment and in consent experiences.
    homepage_url str
    Home page or landing page of the associated application.
    id str
    The provider-assigned unique ID for this managed resource.
    logout_url str
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    oauth2_permission_scope_ids Mapping[str, str]
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2_permission_scopes Sequence[ServicePrincipalOauth2PermissionScope]
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    object_id str
    The object ID of the service principal.
    redirect_uris Sequence[str]
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    saml_metadata_url str
    The URL where the service exposes SAML metadata for federation.
    service_principal_names Sequence[str]
    A list of identifier URI(s), copied over from the associated application.
    sign_in_audience str
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    type str
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    appRoleIds Map<String>
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    appRoles List<Property Map>
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    applicationTenantId String
    The tenant ID where the associated application is registered.
    displayName String
    Display name for the app role that appears during app role assignment and in consent experiences.
    homepageUrl String
    Home page or landing page of the associated application.
    id String
    The provider-assigned unique ID for this managed resource.
    logoutUrl String
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    oauth2PermissionScopeIds Map<String>
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2PermissionScopes List<Property Map>
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    objectId String
    The object ID of the service principal.
    redirectUris List<String>
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    samlMetadataUrl String
    The URL where the service exposes SAML metadata for federation.
    servicePrincipalNames List<String>
    A list of identifier URI(s), copied over from the associated application.
    signInAudience String
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    type String
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

    Look up Existing ServicePrincipal Resource

    Get an existing ServicePrincipal resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ServicePrincipalState, opts?: CustomResourceOptions): ServicePrincipal
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_enabled: Optional[bool] = None,
        alternative_names: Optional[Sequence[str]] = None,
        app_role_assignment_required: Optional[bool] = None,
        app_role_ids: Optional[Mapping[str, str]] = None,
        app_roles: Optional[Sequence[ServicePrincipalAppRoleArgs]] = None,
        application_tenant_id: Optional[str] = None,
        client_id: Optional[str] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
        features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
        homepage_url: Optional[str] = None,
        login_url: Optional[str] = None,
        logout_url: Optional[str] = None,
        notes: Optional[str] = None,
        notification_email_addresses: Optional[Sequence[str]] = None,
        oauth2_permission_scope_ids: Optional[Mapping[str, str]] = None,
        oauth2_permission_scopes: Optional[Sequence[ServicePrincipalOauth2PermissionScopeArgs]] = None,
        object_id: Optional[str] = None,
        owners: Optional[Sequence[str]] = None,
        preferred_single_sign_on_mode: Optional[str] = None,
        redirect_uris: Optional[Sequence[str]] = None,
        saml_metadata_url: Optional[str] = None,
        saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
        service_principal_names: Optional[Sequence[str]] = None,
        sign_in_audience: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        type: Optional[str] = None,
        use_existing: Optional[bool] = None) -> ServicePrincipal
    func GetServicePrincipal(ctx *Context, name string, id IDInput, state *ServicePrincipalState, opts ...ResourceOption) (*ServicePrincipal, error)
    public static ServicePrincipal Get(string name, Input<string> id, ServicePrincipalState? state, CustomResourceOptions? opts = null)
    public static ServicePrincipal get(String name, Output<String> id, ServicePrincipalState state, CustomResourceOptions options)
    resources:  _:    type: azuread:ServicePrincipal    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccountEnabled bool
    Whether or not the service principal account is enabled. Defaults to true.
    AlternativeNames List<string>
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    AppRoleAssignmentRequired bool
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    AppRoleIds Dictionary<string, string>
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    AppRoles List<Pulumi.AzureAD.Inputs.ServicePrincipalAppRole>
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    ApplicationTenantId string
    The tenant ID where the associated application is registered.
    ClientId string
    The client ID of the application for which to create a service principal.
    Description string
    A description of the service principal provided for internal end-users.
    DisplayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    FeatureTags List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureTag>

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    Features List<Pulumi.AzureAD.Inputs.ServicePrincipalFeature>
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    HomepageUrl string
    Home page or landing page of the associated application.
    LoginUrl string
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    LogoutUrl string
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    Notes string
    A free text field to capture information about the service principal, typically used for operational purposes.
    NotificationEmailAddresses List<string>
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    Oauth2PermissionScopeIds Dictionary<string, string>
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    Oauth2PermissionScopes List<Pulumi.AzureAD.Inputs.ServicePrincipalOauth2PermissionScope>
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    ObjectId string
    The object ID of the service principal.
    Owners List<string>
    A list of object IDs of principals that will be granted ownership of the service principal
    PreferredSingleSignOnMode string
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    RedirectUris List<string>
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    SamlMetadataUrl string
    The URL where the service exposes SAML metadata for federation.
    SamlSingleSignOn Pulumi.AzureAD.Inputs.ServicePrincipalSamlSingleSignOn
    A saml_single_sign_on block as documented below.
    ServicePrincipalNames List<string>
    A list of identifier URI(s), copied over from the associated application.
    SignInAudience string
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    Tags List<string>

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    Type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    UseExisting bool
    When true, the resource will return an existing service principal instead of failing with an error
    AccountEnabled bool
    Whether or not the service principal account is enabled. Defaults to true.
    AlternativeNames []string
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    AppRoleAssignmentRequired bool
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    AppRoleIds map[string]string
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    AppRoles []ServicePrincipalAppRoleArgs
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    ApplicationTenantId string
    The tenant ID where the associated application is registered.
    ClientId string
    The client ID of the application for which to create a service principal.
    Description string
    A description of the service principal provided for internal end-users.
    DisplayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    FeatureTags []ServicePrincipalFeatureTagArgs

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    Features []ServicePrincipalFeatureArgs
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    HomepageUrl string
    Home page or landing page of the associated application.
    LoginUrl string
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    LogoutUrl string
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    Notes string
    A free text field to capture information about the service principal, typically used for operational purposes.
    NotificationEmailAddresses []string
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    Oauth2PermissionScopeIds map[string]string
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    Oauth2PermissionScopes []ServicePrincipalOauth2PermissionScopeArgs
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    ObjectId string
    The object ID of the service principal.
    Owners []string
    A list of object IDs of principals that will be granted ownership of the service principal
    PreferredSingleSignOnMode string
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    RedirectUris []string
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    SamlMetadataUrl string
    The URL where the service exposes SAML metadata for federation.
    SamlSingleSignOn ServicePrincipalSamlSingleSignOnArgs
    A saml_single_sign_on block as documented below.
    ServicePrincipalNames []string
    A list of identifier URI(s), copied over from the associated application.
    SignInAudience string
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    Tags []string

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    Type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    UseExisting bool
    When true, the resource will return an existing service principal instead of failing with an error
    accountEnabled Boolean
    Whether or not the service principal account is enabled. Defaults to true.
    alternativeNames List<String>
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    appRoleAssignmentRequired Boolean
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    appRoleIds Map<String,String>
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    appRoles List<ServicePrincipalAppRole>
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    applicationTenantId String
    The tenant ID where the associated application is registered.
    clientId String
    The client ID of the application for which to create a service principal.
    description String
    A description of the service principal provided for internal end-users.
    displayName String
    Display name for the app role that appears during app role assignment and in consent experiences.
    featureTags List<ServicePrincipalFeatureTag>

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features List<ServicePrincipalFeature>
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    homepageUrl String
    Home page or landing page of the associated application.
    loginUrl String
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    logoutUrl String
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    notes String
    A free text field to capture information about the service principal, typically used for operational purposes.
    notificationEmailAddresses List<String>
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    oauth2PermissionScopeIds Map<String,String>
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2PermissionScopes List<ServicePrincipalOauth2PermissionScope>
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    objectId String
    The object ID of the service principal.
    owners List<String>
    A list of object IDs of principals that will be granted ownership of the service principal
    preferredSingleSignOnMode String
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    redirectUris List<String>
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    samlMetadataUrl String
    The URL where the service exposes SAML metadata for federation.
    samlSingleSignOn ServicePrincipalSamlSingleSignOn
    A saml_single_sign_on block as documented below.
    servicePrincipalNames List<String>
    A list of identifier URI(s), copied over from the associated application.
    signInAudience String
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    tags List<String>

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    type String
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    useExisting Boolean
    When true, the resource will return an existing service principal instead of failing with an error
    accountEnabled boolean
    Whether or not the service principal account is enabled. Defaults to true.
    alternativeNames string[]
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    appRoleAssignmentRequired boolean
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    appRoleIds {[key: string]: string}
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    appRoles ServicePrincipalAppRole[]
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    applicationTenantId string
    The tenant ID where the associated application is registered.
    clientId string
    The client ID of the application for which to create a service principal.
    description string
    A description of the service principal provided for internal end-users.
    displayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    featureTags ServicePrincipalFeatureTag[]

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features ServicePrincipalFeature[]
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    homepageUrl string
    Home page or landing page of the associated application.
    loginUrl string
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    logoutUrl string
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    notes string
    A free text field to capture information about the service principal, typically used for operational purposes.
    notificationEmailAddresses string[]
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    oauth2PermissionScopeIds {[key: string]: string}
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2PermissionScopes ServicePrincipalOauth2PermissionScope[]
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    objectId string
    The object ID of the service principal.
    owners string[]
    A list of object IDs of principals that will be granted ownership of the service principal
    preferredSingleSignOnMode string
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    redirectUris string[]
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    samlMetadataUrl string
    The URL where the service exposes SAML metadata for federation.
    samlSingleSignOn ServicePrincipalSamlSingleSignOn
    A saml_single_sign_on block as documented below.
    servicePrincipalNames string[]
    A list of identifier URI(s), copied over from the associated application.
    signInAudience string
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    tags string[]

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    useExisting boolean
    When true, the resource will return an existing service principal instead of failing with an error
    account_enabled bool
    Whether or not the service principal account is enabled. Defaults to true.
    alternative_names Sequence[str]
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    app_role_assignment_required bool
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    app_role_ids Mapping[str, str]
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    app_roles Sequence[ServicePrincipalAppRoleArgs]
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    application_tenant_id str
    The tenant ID where the associated application is registered.
    client_id str
    The client ID of the application for which to create a service principal.
    description str
    A description of the service principal provided for internal end-users.
    display_name str
    Display name for the app role that appears during app role assignment and in consent experiences.
    feature_tags Sequence[ServicePrincipalFeatureTagArgs]

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features Sequence[ServicePrincipalFeatureArgs]
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    homepage_url str
    Home page or landing page of the associated application.
    login_url str
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    logout_url str
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    notes str
    A free text field to capture information about the service principal, typically used for operational purposes.
    notification_email_addresses Sequence[str]
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    oauth2_permission_scope_ids Mapping[str, str]
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2_permission_scopes Sequence[ServicePrincipalOauth2PermissionScopeArgs]
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    object_id str
    The object ID of the service principal.
    owners Sequence[str]
    A list of object IDs of principals that will be granted ownership of the service principal
    preferred_single_sign_on_mode str
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    redirect_uris Sequence[str]
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    saml_metadata_url str
    The URL where the service exposes SAML metadata for federation.
    saml_single_sign_on ServicePrincipalSamlSingleSignOnArgs
    A saml_single_sign_on block as documented below.
    service_principal_names Sequence[str]
    A list of identifier URI(s), copied over from the associated application.
    sign_in_audience str
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    tags Sequence[str]

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    type str
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    use_existing bool
    When true, the resource will return an existing service principal instead of failing with an error
    accountEnabled Boolean
    Whether or not the service principal account is enabled. Defaults to true.
    alternativeNames List<String>
    A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
    appRoleAssignmentRequired Boolean
    Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
    appRoleIds Map<String>
    A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
    appRoles List<Property Map>
    A list of app roles published by the associated application, as documented below. For more information official documentation.
    applicationTenantId String
    The tenant ID where the associated application is registered.
    clientId String
    The client ID of the application for which to create a service principal.
    description String
    A description of the service principal provided for internal end-users.
    displayName String
    Display name for the app role that appears during app role assignment and in consent experiences.
    featureTags List<Property Map>

    A feature_tags block as described below. Cannot be used together with the tags property.

    Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.

    features List<Property Map>
    Block of features to configure for this service principal using tags

    Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider

    homepageUrl String
    Home page or landing page of the associated application.
    loginUrl String
    The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
    logoutUrl String
    The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
    notes String
    A free text field to capture information about the service principal, typically used for operational purposes.
    notificationEmailAddresses List<String>
    A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
    oauth2PermissionScopeIds Map<String>
    A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
    oauth2PermissionScopes List<Property Map>
    A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
    objectId String
    The object ID of the service principal.
    owners List<String>
    A list of object IDs of principals that will be granted ownership of the service principal
    preferredSingleSignOnMode String
    The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
    redirectUris List<String>
    A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
    samlMetadataUrl String
    The URL where the service exposes SAML metadata for federation.
    samlSingleSignOn Property Map
    A saml_single_sign_on block as documented below.
    servicePrincipalNames List<String>
    A list of identifier URI(s), copied over from the associated application.
    signInAudience String
    The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
    tags List<String>

    A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.

    Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.

    type String
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    useExisting Boolean
    When true, the resource will return an existing service principal instead of failing with an error

    Supporting Types

    ServicePrincipalAppRole, ServicePrincipalAppRoleArgs

    AllowedMemberTypes List<string>
    Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
    Description string
    A description of the service principal provided for internal end-users.
    DisplayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    Enabled bool
    Specifies whether the permission scope is enabled.
    Id string
    The unique identifier of the delegated permission.
    Value string
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    AllowedMemberTypes []string
    Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
    Description string
    A description of the service principal provided for internal end-users.
    DisplayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    Enabled bool
    Specifies whether the permission scope is enabled.
    Id string
    The unique identifier of the delegated permission.
    Value string
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    allowedMemberTypes List<String>
    Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
    description String
    A description of the service principal provided for internal end-users.
    displayName String
    Display name for the app role that appears during app role assignment and in consent experiences.
    enabled Boolean
    Specifies whether the permission scope is enabled.
    id String
    The unique identifier of the delegated permission.
    value String
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    allowedMemberTypes string[]
    Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
    description string
    A description of the service principal provided for internal end-users.
    displayName string
    Display name for the app role that appears during app role assignment and in consent experiences.
    enabled boolean
    Specifies whether the permission scope is enabled.
    id string
    The unique identifier of the delegated permission.
    value string
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    allowed_member_types Sequence[str]
    Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
    description str
    A description of the service principal provided for internal end-users.
    display_name str
    Display name for the app role that appears during app role assignment and in consent experiences.
    enabled bool
    Specifies whether the permission scope is enabled.
    id str
    The unique identifier of the delegated permission.
    value str
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    allowedMemberTypes List<String>
    Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
    description String
    A description of the service principal provided for internal end-users.
    displayName String
    Display name for the app role that appears during app role assignment and in consent experiences.
    enabled Boolean
    Specifies whether the permission scope is enabled.
    id String
    The unique identifier of the delegated permission.
    value String
    The value that is used for the scp claim in OAuth 2.0 access tokens.

    ServicePrincipalFeature, ServicePrincipalFeatureArgs

    CustomSingleSignOnApp bool
    Whether this service principal represents a custom SAML application
    EnterpriseApplication bool
    Whether this service principal represents an Enterprise Application
    GalleryApplication bool
    Whether this service principal represents a gallery application
    VisibleToUsers bool
    Whether this app is visible to users in My Apps and Office 365 Launcher
    CustomSingleSignOnApp bool
    Whether this service principal represents a custom SAML application
    EnterpriseApplication bool
    Whether this service principal represents an Enterprise Application
    GalleryApplication bool
    Whether this service principal represents a gallery application
    VisibleToUsers bool
    Whether this app is visible to users in My Apps and Office 365 Launcher
    customSingleSignOnApp Boolean
    Whether this service principal represents a custom SAML application
    enterpriseApplication Boolean
    Whether this service principal represents an Enterprise Application
    galleryApplication Boolean
    Whether this service principal represents a gallery application
    visibleToUsers Boolean
    Whether this app is visible to users in My Apps and Office 365 Launcher
    customSingleSignOnApp boolean
    Whether this service principal represents a custom SAML application
    enterpriseApplication boolean
    Whether this service principal represents an Enterprise Application
    galleryApplication boolean
    Whether this service principal represents a gallery application
    visibleToUsers boolean
    Whether this app is visible to users in My Apps and Office 365 Launcher
    custom_single_sign_on_app bool
    Whether this service principal represents a custom SAML application
    enterprise_application bool
    Whether this service principal represents an Enterprise Application
    gallery_application bool
    Whether this service principal represents a gallery application
    visible_to_users bool
    Whether this app is visible to users in My Apps and Office 365 Launcher
    customSingleSignOnApp Boolean
    Whether this service principal represents a custom SAML application
    enterpriseApplication Boolean
    Whether this service principal represents an Enterprise Application
    galleryApplication Boolean
    Whether this service principal represents a gallery application
    visibleToUsers Boolean
    Whether this app is visible to users in My Apps and Office 365 Launcher

    ServicePrincipalFeatureTag, ServicePrincipalFeatureTagArgs

    CustomSingleSignOn bool
    Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
    Enterprise bool
    Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
    Gallery bool
    Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
    Hide bool
    Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.
    CustomSingleSignOn bool
    Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
    Enterprise bool
    Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
    Gallery bool
    Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
    Hide bool
    Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.
    customSingleSignOn Boolean
    Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
    enterprise Boolean
    Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
    gallery Boolean
    Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
    hide Boolean
    Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.
    customSingleSignOn boolean
    Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
    enterprise boolean
    Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
    gallery boolean
    Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
    hide boolean
    Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.
    custom_single_sign_on bool
    Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
    enterprise bool
    Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
    gallery bool
    Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
    hide bool
    Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.
    customSingleSignOn Boolean
    Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
    enterprise Boolean
    Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
    gallery Boolean
    Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
    hide Boolean
    Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

    ServicePrincipalOauth2PermissionScope, ServicePrincipalOauth2PermissionScopeArgs

    AdminConsentDescription string
    Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
    AdminConsentDisplayName string
    Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
    Enabled bool
    Specifies whether the permission scope is enabled.
    Id string
    The unique identifier of the delegated permission.
    Type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    UserConsentDescription string
    Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
    UserConsentDisplayName string
    Display name for the delegated permission that appears in the end user consent experience.
    Value string
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    AdminConsentDescription string
    Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
    AdminConsentDisplayName string
    Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
    Enabled bool
    Specifies whether the permission scope is enabled.
    Id string
    The unique identifier of the delegated permission.
    Type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    UserConsentDescription string
    Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
    UserConsentDisplayName string
    Display name for the delegated permission that appears in the end user consent experience.
    Value string
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    adminConsentDescription String
    Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
    adminConsentDisplayName String
    Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
    enabled Boolean
    Specifies whether the permission scope is enabled.
    id String
    The unique identifier of the delegated permission.
    type String
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    userConsentDescription String
    Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
    userConsentDisplayName String
    Display name for the delegated permission that appears in the end user consent experience.
    value String
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    adminConsentDescription string
    Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
    adminConsentDisplayName string
    Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
    enabled boolean
    Specifies whether the permission scope is enabled.
    id string
    The unique identifier of the delegated permission.
    type string
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    userConsentDescription string
    Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
    userConsentDisplayName string
    Display name for the delegated permission that appears in the end user consent experience.
    value string
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    admin_consent_description str
    Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
    admin_consent_display_name str
    Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
    enabled bool
    Specifies whether the permission scope is enabled.
    id str
    The unique identifier of the delegated permission.
    type str
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    user_consent_description str
    Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
    user_consent_display_name str
    Display name for the delegated permission that appears in the end user consent experience.
    value str
    The value that is used for the scp claim in OAuth 2.0 access tokens.
    adminConsentDescription String
    Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
    adminConsentDisplayName String
    Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
    enabled Boolean
    Specifies whether the permission scope is enabled.
    id String
    The unique identifier of the delegated permission.
    type String
    Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
    userConsentDescription String
    Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
    userConsentDisplayName String
    Display name for the delegated permission that appears in the end user consent experience.
    value String
    The value that is used for the scp claim in OAuth 2.0 access tokens.

    ServicePrincipalSamlSingleSignOn, ServicePrincipalSamlSingleSignOnArgs

    RelayState string
    The relative URI the service provider would redirect to after completion of the single sign-on flow.
    RelayState string
    The relative URI the service provider would redirect to after completion of the single sign-on flow.
    relayState String
    The relative URI the service provider would redirect to after completion of the single sign-on flow.
    relayState string
    The relative URI the service provider would redirect to after completion of the single sign-on flow.
    relay_state str
    The relative URI the service provider would redirect to after completion of the single sign-on flow.
    relayState String
    The relative URI the service provider would redirect to after completion of the single sign-on flow.

    Import

    Service principals can be imported using their object ID, e.g.

    $ pulumi import azuread:index/servicePrincipal:ServicePrincipal example /servicePrincipals/00000000-0000-0000-0000-000000000000

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Active Directory (Azure AD) pulumi/pulumi-azuread
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azuread Terraform Provider.
    azuread logo
    Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi
    pulumi/pulumi-azuread