1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. ServicePrincipalDelegatedPermissionGrant
Azure Active Directory (Azure AD) v5.52.0 published on Friday, Jun 14, 2024 by Pulumi

azuread.ServicePrincipalDelegatedPermissionGrant

Explore with Pulumi AI

azuread logo
Azure Active Directory (Azure AD) v5.52.0 published on Friday, Jun 14, 2024 by Pulumi

    Manages a delegated permission grant for a service principal, on behalf of a single user, or all users.

    API Permissions

    The following API permissions are required in order to use this resource.

    When authenticated with a service principal, this resource requires the following application role: Directory.ReadWrite.All

    When authenticated with a user principal, this resource requires one the following directory role: Global Administrator

    Example Usage

    Delegated permission grant for all users

    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const wellKnown = azuread.getApplicationPublishedAppIds({});
    const msgraph = new azuread.ServicePrincipal("msgraph", {
        applicationId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
        useExisting: true,
    });
    const example = new azuread.Application("example", {
        displayName: "example",
        requiredResourceAccesses: [{
            resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
            resourceAccesses: [
                {
                    id: msgraph.oauth2PermissionScopeIds.openid,
                    type: "Scope",
                },
                {
                    id: msgraph.oauth2PermissionScopeIds["User.Read"],
                    type: "Scope",
                },
            ],
        }],
    });
    const exampleServicePrincipal = new azuread.ServicePrincipal("example", {applicationId: example.applicationId});
    const exampleServicePrincipalDelegatedPermissionGrant = new azuread.ServicePrincipalDelegatedPermissionGrant("example", {
        servicePrincipalObjectId: exampleServicePrincipal.objectId,
        resourceServicePrincipalObjectId: msgraph.objectId,
        claimValues: [
            "openid",
            "User.Read.All",
        ],
    });
    
    import pulumi
    import pulumi_azuread as azuread
    
    well_known = azuread.get_application_published_app_ids()
    msgraph = azuread.ServicePrincipal("msgraph",
        application_id=well_known.result["microsoftGraph"],
        use_existing=True)
    example = azuread.Application("example",
        display_name="example",
        required_resource_accesses=[azuread.ApplicationRequiredResourceAccessArgs(
            resource_app_id=well_known.result["microsoftGraph"],
            resource_accesses=[
                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(
                    id=msgraph.oauth2_permission_scope_ids["openid"],
                    type="Scope",
                ),
                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(
                    id=msgraph.oauth2_permission_scope_ids["User.Read"],
                    type="Scope",
                ),
            ],
        )])
    example_service_principal = azuread.ServicePrincipal("example", application_id=example.application_id)
    example_service_principal_delegated_permission_grant = azuread.ServicePrincipalDelegatedPermissionGrant("example",
        service_principal_object_id=example_service_principal.object_id,
        resource_service_principal_object_id=msgraph.object_id,
        claim_values=[
            "openid",
            "User.Read.All",
        ])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
    			ApplicationId: pulumi.String(wellKnown.Result.MicrosoftGraph),
    			UseExisting:   pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
    			DisplayName: pulumi.String("example"),
    			RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
    				&azuread.ApplicationRequiredResourceAccessArgs{
    					ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
    					ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
    						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
    							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
    								return oauth2PermissionScopeIds.Openid, nil
    							}).(pulumi.StringOutput),
    							Type: pulumi.String("Scope"),
    						},
    						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
    							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
    								return oauth2PermissionScopeIds.User.Read, nil
    							}).(pulumi.StringOutput),
    							Type: pulumi.String("Scope"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
    			ApplicationId: example.ApplicationId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "example", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
    			ServicePrincipalObjectId:         exampleServicePrincipal.ObjectId,
    			ResourceServicePrincipalObjectId: msgraph.ObjectId,
    			ClaimValues: pulumi.StringArray{
    				pulumi.String("openid"),
    				pulumi.String("User.Read.All"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
    
        var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
        {
            ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
            UseExisting = true,
        });
    
        var example = new AzureAD.Application("example", new()
        {
            DisplayName = "example",
            RequiredResourceAccesses = new[]
            {
                new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
                {
                    ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
                    ResourceAccesses = new[]
                    {
                        new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                        {
                            Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.Openid),
                            Type = "Scope",
                        },
                        new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                        {
                            Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_Read),
                            Type = "Scope",
                        },
                    },
                },
            },
        });
    
        var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
        {
            ApplicationId = example.ApplicationId,
        });
    
        var exampleServicePrincipalDelegatedPermissionGrant = new AzureAD.ServicePrincipalDelegatedPermissionGrant("example", new()
        {
            ServicePrincipalObjectId = exampleServicePrincipal.ObjectId,
            ResourceServicePrincipalObjectId = msgraph.ObjectId,
            ClaimValues = new[]
            {
                "openid",
                "User.Read.All",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.ServicePrincipal;
    import com.pulumi.azuread.ServicePrincipalArgs;
    import com.pulumi.azuread.Application;
    import com.pulumi.azuread.ApplicationArgs;
    import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
    import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrant;
    import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrantArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
    
            var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
                .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
                .useExisting(true)
                .build());
    
            var example = new Application("example", ApplicationArgs.builder()
                .displayName("example")
                .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
                    .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
                    .resourceAccesses(                
                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                            .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.openid()))
                            .type("Scope")
                            .build(),
                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                            .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.Read()))
                            .type("Scope")
                            .build())
                    .build())
                .build());
    
            var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
                .applicationId(example.applicationId())
                .build());
    
            var exampleServicePrincipalDelegatedPermissionGrant = new ServicePrincipalDelegatedPermissionGrant("exampleServicePrincipalDelegatedPermissionGrant", ServicePrincipalDelegatedPermissionGrantArgs.builder()
                .servicePrincipalObjectId(exampleServicePrincipal.objectId())
                .resourceServicePrincipalObjectId(msgraph.objectId())
                .claimValues(            
                    "openid",
                    "User.Read.All")
                .build());
    
        }
    }
    
    resources:
      msgraph:
        type: azuread:ServicePrincipal
        properties:
          applicationId: ${wellKnown.result.microsoftGraph}
          useExisting: true
      example:
        type: azuread:Application
        properties:
          displayName: example
          requiredResourceAccesses:
            - resourceAppId: ${wellKnown.result.microsoftGraph}
              resourceAccesses:
                - id: ${msgraph.oauth2PermissionScopeIds.openid}
                  type: Scope
                - id: ${msgraph.oauth2PermissionScopeIds"User.Read"[%!s(MISSING)]}
                  type: Scope
      exampleServicePrincipal:
        type: azuread:ServicePrincipal
        name: example
        properties:
          applicationId: ${example.applicationId}
      exampleServicePrincipalDelegatedPermissionGrant:
        type: azuread:ServicePrincipalDelegatedPermissionGrant
        name: example
        properties:
          servicePrincipalObjectId: ${exampleServicePrincipal.objectId}
          resourceServicePrincipalObjectId: ${msgraph.objectId}
          claimValues:
            - openid
            - User.Read.All
    variables:
      wellKnown:
        fn::invoke:
          Function: azuread:getApplicationPublishedAppIds
          Arguments: {}
    

    Delegated permission grant for a single user

    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const wellKnown = azuread.getApplicationPublishedAppIds({});
    const msgraph = new azuread.ServicePrincipal("msgraph", {
        applicationId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
        useExisting: true,
    });
    const example = new azuread.Application("example", {
        displayName: "example",
        requiredResourceAccesses: [{
            resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
            resourceAccesses: [
                {
                    id: msgraph.oauth2PermissionScopeIds.openid,
                    type: "Scope",
                },
                {
                    id: msgraph.oauth2PermissionScopeIds["User.Read"],
                    type: "Scope",
                },
            ],
        }],
    });
    const exampleServicePrincipal = new azuread.ServicePrincipal("example", {applicationId: example.applicationId});
    const exampleUser = new azuread.User("example", {
        displayName: "J. Doe",
        userPrincipalName: "jdoe@example.com",
        mailNickname: "jdoe",
        password: "SecretP@sswd99!",
    });
    const exampleServicePrincipalDelegatedPermissionGrant = new azuread.ServicePrincipalDelegatedPermissionGrant("example", {
        servicePrincipalObjectId: exampleServicePrincipal.objectId,
        resourceServicePrincipalObjectId: msgraph.objectId,
        claimValues: [
            "openid",
            "User.Read.All",
        ],
        userObjectId: exampleUser.objectId,
    });
    
    import pulumi
    import pulumi_azuread as azuread
    
    well_known = azuread.get_application_published_app_ids()
    msgraph = azuread.ServicePrincipal("msgraph",
        application_id=well_known.result["microsoftGraph"],
        use_existing=True)
    example = azuread.Application("example",
        display_name="example",
        required_resource_accesses=[azuread.ApplicationRequiredResourceAccessArgs(
            resource_app_id=well_known.result["microsoftGraph"],
            resource_accesses=[
                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(
                    id=msgraph.oauth2_permission_scope_ids["openid"],
                    type="Scope",
                ),
                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(
                    id=msgraph.oauth2_permission_scope_ids["User.Read"],
                    type="Scope",
                ),
            ],
        )])
    example_service_principal = azuread.ServicePrincipal("example", application_id=example.application_id)
    example_user = azuread.User("example",
        display_name="J. Doe",
        user_principal_name="jdoe@example.com",
        mail_nickname="jdoe",
        password="SecretP@sswd99!")
    example_service_principal_delegated_permission_grant = azuread.ServicePrincipalDelegatedPermissionGrant("example",
        service_principal_object_id=example_service_principal.object_id,
        resource_service_principal_object_id=msgraph.object_id,
        claim_values=[
            "openid",
            "User.Read.All",
        ],
        user_object_id=example_user.object_id)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
    			ApplicationId: pulumi.String(wellKnown.Result.MicrosoftGraph),
    			UseExisting:   pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
    			DisplayName: pulumi.String("example"),
    			RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
    				&azuread.ApplicationRequiredResourceAccessArgs{
    					ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
    					ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
    						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
    							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
    								return oauth2PermissionScopeIds.Openid, nil
    							}).(pulumi.StringOutput),
    							Type: pulumi.String("Scope"),
    						},
    						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
    							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
    								return oauth2PermissionScopeIds.User.Read, nil
    							}).(pulumi.StringOutput),
    							Type: pulumi.String("Scope"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
    			ApplicationId: example.ApplicationId,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUser, err := azuread.NewUser(ctx, "example", &azuread.UserArgs{
    			DisplayName:       pulumi.String("J. Doe"),
    			UserPrincipalName: pulumi.String("jdoe@example.com"),
    			MailNickname:      pulumi.String("jdoe"),
    			Password:          pulumi.String("SecretP@sswd99!"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "example", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
    			ServicePrincipalObjectId:         exampleServicePrincipal.ObjectId,
    			ResourceServicePrincipalObjectId: msgraph.ObjectId,
    			ClaimValues: pulumi.StringArray{
    				pulumi.String("openid"),
    				pulumi.String("User.Read.All"),
    			},
    			UserObjectId: exampleUser.ObjectId,
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
    
        var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
        {
            ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
            UseExisting = true,
        });
    
        var example = new AzureAD.Application("example", new()
        {
            DisplayName = "example",
            RequiredResourceAccesses = new[]
            {
                new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
                {
                    ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
                    ResourceAccesses = new[]
                    {
                        new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                        {
                            Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.Openid),
                            Type = "Scope",
                        },
                        new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                        {
                            Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_Read),
                            Type = "Scope",
                        },
                    },
                },
            },
        });
    
        var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
        {
            ApplicationId = example.ApplicationId,
        });
    
        var exampleUser = new AzureAD.User("example", new()
        {
            DisplayName = "J. Doe",
            UserPrincipalName = "jdoe@example.com",
            MailNickname = "jdoe",
            Password = "SecretP@sswd99!",
        });
    
        var exampleServicePrincipalDelegatedPermissionGrant = new AzureAD.ServicePrincipalDelegatedPermissionGrant("example", new()
        {
            ServicePrincipalObjectId = exampleServicePrincipal.ObjectId,
            ResourceServicePrincipalObjectId = msgraph.ObjectId,
            ClaimValues = new[]
            {
                "openid",
                "User.Read.All",
            },
            UserObjectId = exampleUser.ObjectId,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.AzureadFunctions;
    import com.pulumi.azuread.ServicePrincipal;
    import com.pulumi.azuread.ServicePrincipalArgs;
    import com.pulumi.azuread.Application;
    import com.pulumi.azuread.ApplicationArgs;
    import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
    import com.pulumi.azuread.User;
    import com.pulumi.azuread.UserArgs;
    import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrant;
    import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrantArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
    
            var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
                .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
                .useExisting(true)
                .build());
    
            var example = new Application("example", ApplicationArgs.builder()
                .displayName("example")
                .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
                    .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
                    .resourceAccesses(                
                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                            .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.openid()))
                            .type("Scope")
                            .build(),
                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                            .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.Read()))
                            .type("Scope")
                            .build())
                    .build())
                .build());
    
            var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
                .applicationId(example.applicationId())
                .build());
    
            var exampleUser = new User("exampleUser", UserArgs.builder()
                .displayName("J. Doe")
                .userPrincipalName("jdoe@example.com")
                .mailNickname("jdoe")
                .password("SecretP@sswd99!")
                .build());
    
            var exampleServicePrincipalDelegatedPermissionGrant = new ServicePrincipalDelegatedPermissionGrant("exampleServicePrincipalDelegatedPermissionGrant", ServicePrincipalDelegatedPermissionGrantArgs.builder()
                .servicePrincipalObjectId(exampleServicePrincipal.objectId())
                .resourceServicePrincipalObjectId(msgraph.objectId())
                .claimValues(            
                    "openid",
                    "User.Read.All")
                .userObjectId(exampleUser.objectId())
                .build());
    
        }
    }
    
    resources:
      msgraph:
        type: azuread:ServicePrincipal
        properties:
          applicationId: ${wellKnown.result.microsoftGraph}
          useExisting: true
      example:
        type: azuread:Application
        properties:
          displayName: example
          requiredResourceAccesses:
            - resourceAppId: ${wellKnown.result.microsoftGraph}
              resourceAccesses:
                - id: ${msgraph.oauth2PermissionScopeIds.openid}
                  type: Scope
                - id: ${msgraph.oauth2PermissionScopeIds"User.Read"[%!s(MISSING)]}
                  type: Scope
      exampleServicePrincipal:
        type: azuread:ServicePrincipal
        name: example
        properties:
          applicationId: ${example.applicationId}
      exampleUser:
        type: azuread:User
        name: example
        properties:
          displayName: J. Doe
          userPrincipalName: jdoe@example.com
          mailNickname: jdoe
          password: SecretP@sswd99!
      exampleServicePrincipalDelegatedPermissionGrant:
        type: azuread:ServicePrincipalDelegatedPermissionGrant
        name: example
        properties:
          servicePrincipalObjectId: ${exampleServicePrincipal.objectId}
          resourceServicePrincipalObjectId: ${msgraph.objectId}
          claimValues:
            - openid
            - User.Read.All
          userObjectId: ${exampleUser.objectId}
    variables:
      wellKnown:
        fn::invoke:
          Function: azuread:getApplicationPublishedAppIds
          Arguments: {}
    

    Create ServicePrincipalDelegatedPermissionGrant Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ServicePrincipalDelegatedPermissionGrant(name: string, args: ServicePrincipalDelegatedPermissionGrantArgs, opts?: CustomResourceOptions);
    @overload
    def ServicePrincipalDelegatedPermissionGrant(resource_name: str,
                                                 args: ServicePrincipalDelegatedPermissionGrantArgs,
                                                 opts: Optional[ResourceOptions] = None)
    
    @overload
    def ServicePrincipalDelegatedPermissionGrant(resource_name: str,
                                                 opts: Optional[ResourceOptions] = None,
                                                 claim_values: Optional[Sequence[str]] = None,
                                                 resource_service_principal_object_id: Optional[str] = None,
                                                 service_principal_object_id: Optional[str] = None,
                                                 user_object_id: Optional[str] = None)
    func NewServicePrincipalDelegatedPermissionGrant(ctx *Context, name string, args ServicePrincipalDelegatedPermissionGrantArgs, opts ...ResourceOption) (*ServicePrincipalDelegatedPermissionGrant, error)
    public ServicePrincipalDelegatedPermissionGrant(string name, ServicePrincipalDelegatedPermissionGrantArgs args, CustomResourceOptions? opts = null)
    public ServicePrincipalDelegatedPermissionGrant(String name, ServicePrincipalDelegatedPermissionGrantArgs args)
    public ServicePrincipalDelegatedPermissionGrant(String name, ServicePrincipalDelegatedPermissionGrantArgs args, CustomResourceOptions options)
    
    type: azuread:ServicePrincipalDelegatedPermissionGrant
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args ServicePrincipalDelegatedPermissionGrantArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ServicePrincipalDelegatedPermissionGrantArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ServicePrincipalDelegatedPermissionGrantArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ServicePrincipalDelegatedPermissionGrantArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ServicePrincipalDelegatedPermissionGrantArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

    The following reference example uses placeholder values for all input properties.

    var servicePrincipalDelegatedPermissionGrantResource = new AzureAD.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", new()
    {
        ClaimValues = new[]
        {
            "string",
        },
        ResourceServicePrincipalObjectId = "string",
        ServicePrincipalObjectId = "string",
        UserObjectId = "string",
    });
    
    example, err := azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "servicePrincipalDelegatedPermissionGrantResource", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
    	ClaimValues: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	ResourceServicePrincipalObjectId: pulumi.String("string"),
    	ServicePrincipalObjectId:         pulumi.String("string"),
    	UserObjectId:                     pulumi.String("string"),
    })
    
    var servicePrincipalDelegatedPermissionGrantResource = new ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", ServicePrincipalDelegatedPermissionGrantArgs.builder()
        .claimValues("string")
        .resourceServicePrincipalObjectId("string")
        .servicePrincipalObjectId("string")
        .userObjectId("string")
        .build());
    
    service_principal_delegated_permission_grant_resource = azuread.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource",
        claim_values=["string"],
        resource_service_principal_object_id="string",
        service_principal_object_id="string",
        user_object_id="string")
    
    const servicePrincipalDelegatedPermissionGrantResource = new azuread.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", {
        claimValues: ["string"],
        resourceServicePrincipalObjectId: "string",
        servicePrincipalObjectId: "string",
        userObjectId: "string",
    });
    
    type: azuread:ServicePrincipalDelegatedPermissionGrant
    properties:
        claimValues:
            - string
        resourceServicePrincipalObjectId: string
        servicePrincipalObjectId: string
        userObjectId: string
    

    ServicePrincipalDelegatedPermissionGrant Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ServicePrincipalDelegatedPermissionGrant resource accepts the following input properties:

    ClaimValues List<string>
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    ResourceServicePrincipalObjectId string
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    ServicePrincipalObjectId string
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    UserObjectId string

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    ClaimValues []string
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    ResourceServicePrincipalObjectId string
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    ServicePrincipalObjectId string
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    UserObjectId string

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claimValues List<String>
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resourceServicePrincipalObjectId String
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    servicePrincipalObjectId String
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    userObjectId String

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claimValues string[]
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resourceServicePrincipalObjectId string
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    servicePrincipalObjectId string
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    userObjectId string

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claim_values Sequence[str]
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resource_service_principal_object_id str
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    service_principal_object_id str
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    user_object_id str

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claimValues List<String>
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resourceServicePrincipalObjectId String
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    servicePrincipalObjectId String
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    userObjectId String

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ServicePrincipalDelegatedPermissionGrant resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing ServicePrincipalDelegatedPermissionGrant Resource

    Get an existing ServicePrincipalDelegatedPermissionGrant resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ServicePrincipalDelegatedPermissionGrantState, opts?: CustomResourceOptions): ServicePrincipalDelegatedPermissionGrant
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            claim_values: Optional[Sequence[str]] = None,
            resource_service_principal_object_id: Optional[str] = None,
            service_principal_object_id: Optional[str] = None,
            user_object_id: Optional[str] = None) -> ServicePrincipalDelegatedPermissionGrant
    func GetServicePrincipalDelegatedPermissionGrant(ctx *Context, name string, id IDInput, state *ServicePrincipalDelegatedPermissionGrantState, opts ...ResourceOption) (*ServicePrincipalDelegatedPermissionGrant, error)
    public static ServicePrincipalDelegatedPermissionGrant Get(string name, Input<string> id, ServicePrincipalDelegatedPermissionGrantState? state, CustomResourceOptions? opts = null)
    public static ServicePrincipalDelegatedPermissionGrant get(String name, Output<String> id, ServicePrincipalDelegatedPermissionGrantState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    ClaimValues List<string>
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    ResourceServicePrincipalObjectId string
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    ServicePrincipalObjectId string
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    UserObjectId string

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    ClaimValues []string
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    ResourceServicePrincipalObjectId string
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    ServicePrincipalObjectId string
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    UserObjectId string

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claimValues List<String>
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resourceServicePrincipalObjectId String
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    servicePrincipalObjectId String
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    userObjectId String

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claimValues string[]
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resourceServicePrincipalObjectId string
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    servicePrincipalObjectId string
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    userObjectId string

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claim_values Sequence[str]
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resource_service_principal_object_id str
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    service_principal_object_id str
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    user_object_id str

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    claimValues List<String>
    A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
    resourceServicePrincipalObjectId String
    The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
    servicePrincipalObjectId String
    The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
    userObjectId String

    The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

    Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

    Import

    Delegated permission grants can be imported using their ID, e.g.

    $ pulumi import azuread:index/servicePrincipalDelegatedPermissionGrant:ServicePrincipalDelegatedPermissionGrant example aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Active Directory (Azure AD) pulumi/pulumi-azuread
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azuread Terraform Provider.
    azuread logo
    Azure Active Directory (Azure AD) v5.52.0 published on Friday, Jun 14, 2024 by Pulumi