azuread.ConditionalAccessPolicy
Manages a Conditional Access Policy within Azure Active Directory.
Licensing Requirements: Specifying the `client_applications` property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access policy).
API Permissions
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`
When authenticated with a user principal, this resource requires one of the following directory roles: `Conditional Access Administrator` or `Global Administrator`. Conditional Access Administrator is the narrower of the two.
Example Usage
All users except guests or external users
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Matching criteria. Conditional Access applies a policy only when a sign-in
// satisfies every configured condition, so this combination (medium sign-in
// risk, medium user risk, Android, outside trusted locations) is narrow and
// is not a tenant-wide MFA baseline.
const conditions = {
    clientAppTypes: ["all"],
    signInRiskLevels: ["medium"],
    userRiskLevels: ["medium"],
    applications: {
        includedApplications: ["All"],
        excludedApplications: [],
    },
    devices: {
        // NOTE(review): "Doors" reads like a placeholder OS name; substitute a real filter rule.
        filter: { mode: "exclude", rule: "device.operatingSystem eq \"Doors\"" },
    },
    locations: { includedLocations: ["All"], excludedLocations: ["AllTrusted"] },
    platforms: { includedPlatforms: ["android"], excludedPlatforms: ["iOS"] },
    // Guests and external users fall outside this policy; they need their own
    // policy if MFA is expected of them. Before enabling a policy that includes
    // "All" users, also exclude the tenant's emergency-access accounts.
    users: { includedUsers: ["All"], excludedUsers: ["GuestsOrExternalUsers"] },
};

// Require MFA for matching sign-ins.
const grantControls = {
    operator: "OR",
    builtInControls: ["mfa"],
};

// Re-authentication every 10 hours, with session monitoring only.
const sessionControls = {
    applicationEnforcedRestrictionsEnabled: true,
    disableResilienceDefaults: false,
    signInFrequency: 10,
    signInFrequencyPeriod: "hours",
    cloudAppSecurityPolicy: "monitorOnly",
};

// The policy is created "disabled", so nothing is enforced yet. A staged
// rollout would move it to "enabledForReportingOnly" and review the sign-in
// logs before switching it to "enabled".
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    state: "disabled",
    conditions,
    grantControls,
    sessionControls,
});
import pulumi
import pulumi_azuread as azuread
# Matching criteria. Conditional Access applies a policy only when a sign-in
# satisfies every configured condition, so this combination (medium sign-in
# risk, medium user risk, Android, outside trusted locations) is narrow and
# is not a tenant-wide MFA baseline.
conditions = azuread.ConditionalAccessPolicyConditionsArgs(
    client_app_types=["all"],
    sign_in_risk_levels=["medium"],
    user_risk_levels=["medium"],
    applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
        included_applications=["All"],
        excluded_applications=[],
    ),
    devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(
        # NOTE(review): "Doors" reads like a placeholder OS name; substitute a real filter rule.
        filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(
            mode="exclude",
            rule="device.operatingSystem eq \"Doors\"",
        ),
    ),
    locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(
        included_locations=["All"],
        excluded_locations=["AllTrusted"],
    ),
    platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(
        included_platforms=["android"],
        excluded_platforms=["iOS"],
    ),
    # Guests and external users fall outside this policy; they need their own
    # policy if MFA is expected of them. Before enabling a policy that includes
    # "All" users, also exclude the tenant's emergency-access accounts.
    users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
        included_users=["All"],
        excluded_users=["GuestsOrExternalUsers"],
    ),
)

# Require MFA for matching sign-ins.
grant_controls = azuread.ConditionalAccessPolicyGrantControlsArgs(
    operator="OR",
    built_in_controls=["mfa"],
)

# Re-authentication every 10 hours, with session monitoring only.
session_controls = azuread.ConditionalAccessPolicySessionControlsArgs(
    application_enforced_restrictions_enabled=True,
    disable_resilience_defaults=False,
    sign_in_frequency=10,
    sign_in_frequency_period="hours",
    cloud_app_security_policy="monitorOnly",
)

# The policy is created "disabled", so nothing is enforced yet. A staged
# rollout would move it to "enabledForReportingOnly" and review the sign-in
# logs before switching it to "enabled".
example = azuread.ConditionalAccessPolicy(
    "example",
    display_name="example policy",
    state="disabled",
    conditions=conditions,
    grant_controls=grant_controls,
    session_controls=session_controls,
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one Conditional Access policy that requires MFA for a narrow
// set of sign-ins. The policy is created "disabled", so nothing is enforced
// yet; a staged rollout would move it to "enabledForReportingOnly" and review
// the sign-in logs before switching it to "enabled".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Conditional Access applies a policy only when a sign-in satisfies
		// every configured condition, so this combination (medium sign-in
		// risk, medium user risk, Android, outside trusted locations) is not
		// a tenant-wide MFA baseline.
		conditions := &azuread.ConditionalAccessPolicyConditionsArgs{
			ClientAppTypes:   pulumi.StringArray{pulumi.String("all")},
			SignInRiskLevels: pulumi.StringArray{pulumi.String("medium")},
			UserRiskLevels:   pulumi.StringArray{pulumi.String("medium")},
			Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
				IncludedApplications: pulumi.StringArray{pulumi.String("All")},
				ExcludedApplications: pulumi.StringArray{},
			},
			Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
				// NOTE(review): "Doors" reads like a placeholder OS name; substitute a real filter rule.
				Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
					Mode: pulumi.String("exclude"),
					Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
				},
			},
			Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
				IncludedLocations: pulumi.StringArray{pulumi.String("All")},
				ExcludedLocations: pulumi.StringArray{pulumi.String("AllTrusted")},
			},
			Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
				IncludedPlatforms: pulumi.StringArray{pulumi.String("android")},
				ExcludedPlatforms: pulumi.StringArray{pulumi.String("iOS")},
			},
			// Guests and external users fall outside this policy; they need
			// their own policy if MFA is expected of them. Before enabling a
			// policy that includes "All" users, also exclude the tenant's
			// emergency-access accounts.
			Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
				IncludedUsers: pulumi.StringArray{pulumi.String("All")},
				ExcludedUsers: pulumi.StringArray{pulumi.String("GuestsOrExternalUsers")},
			},
		}

		_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			State:       pulumi.String("disabled"),
			Conditions:  conditions,
			// Require MFA for matching sign-ins.
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator:        pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{pulumi.String("mfa")},
			},
			// Re-authentication every 10 hours, with session monitoring only.
			SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
				ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
				DisableResilienceDefaults:              pulumi.Bool(false),
				SignInFrequency:                        pulumi.Int(10),
				SignInFrequencyPeriod:                  pulumi.String("hours"),
				CloudAppSecurityPolicy:                 pulumi.String("monitorOnly"),
			},
		})
		// err is nil on success, so it can be returned as-is.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Matching criteria. Conditional Access applies a policy only when a
    // sign-in satisfies every configured condition, so this combination
    // (medium sign-in risk, medium user risk, Android, outside trusted
    // locations) is narrow and is not a tenant-wide MFA baseline.
    var conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
    {
        ClientAppTypes = new[] { "all" },
        SignInRiskLevels = new[] { "medium" },
        UserRiskLevels = new[] { "medium" },
        Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
        {
            IncludedApplications = new[] { "All" },
            ExcludedApplications = new() { },
        },
        Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
        {
            // NOTE(review): "Doors" reads like a placeholder OS name; substitute a real filter rule.
            Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
            {
                Mode = "exclude",
                Rule = "device.operatingSystem eq \"Doors\"",
            },
        },
        Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
        {
            IncludedLocations = new[] { "All" },
            ExcludedLocations = new[] { "AllTrusted" },
        },
        Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
        {
            IncludedPlatforms = new[] { "android" },
            ExcludedPlatforms = new[] { "iOS" },
        },
        // Guests and external users fall outside this policy; they need their
        // own policy if MFA is expected of them. Before enabling a policy that
        // includes "All" users, also exclude the tenant's emergency-access accounts.
        Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
        {
            IncludedUsers = new[] { "All" },
            ExcludedUsers = new[] { "GuestsOrExternalUsers" },
        },
    };

    // Require MFA for matching sign-ins.
    var grantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
    {
        Operator = "OR",
        BuiltInControls = new[] { "mfa" },
    };

    // Re-authentication every 10 hours, with session monitoring only.
    var sessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
    {
        ApplicationEnforcedRestrictionsEnabled = true,
        DisableResilienceDefaults = false,
        SignInFrequency = 10,
        SignInFrequencyPeriod = "hours",
        CloudAppSecurityPolicy = "monitorOnly",
    };

    // The policy is created "disabled", so nothing is enforced yet. A staged
    // rollout would move it to "enabledForReportingOnly" and review the
    // sign-in logs before switching it to "enabled".
    var policy = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        State = "disabled",
        Conditions = conditions,
        GrantControls = grantControls,
        SessionControls = sessionControls,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one Conditional Access policy requiring MFA
 * for a narrow set of sign-ins. The policy is created "disabled", so nothing
 * is enforced yet; a staged rollout would move it to "enabledForReportingOnly"
 * and review the sign-in logs before switching it to "enabled".
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the example policy on the given deployment context. */
    public static void stack(Context ctx) {
        // Conditional Access applies a policy only when a sign-in satisfies
        // every configured condition, so this combination (medium sign-in
        // risk, medium user risk, Android, outside trusted locations) is not
        // a tenant-wide MFA baseline.
        final var conditions = ConditionalAccessPolicyConditionsArgs.builder()
            .clientAppTypes("all")
            .signInRiskLevels("medium")
            .userRiskLevels("medium")
            .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                .includedApplications("All")
                .excludedApplications()
                .build())
            // NOTE(review): "Doors" reads like a placeholder OS name; substitute a real filter rule.
            .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
                .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                    .mode("exclude")
                    .rule("device.operatingSystem eq \"Doors\"")
                    .build())
                .build())
            .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
                .includedLocations("All")
                .excludedLocations("AllTrusted")
                .build())
            .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
                .includedPlatforms("android")
                .excludedPlatforms("iOS")
                .build())
            // Guests and external users fall outside this policy; they need
            // their own policy if MFA is expected of them. Before enabling a
            // policy that includes "All" users, also exclude the tenant's
            // emergency-access accounts.
            .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                .includedUsers("All")
                .excludedUsers("GuestsOrExternalUsers")
                .build())
            .build();

        // Require MFA for matching sign-ins.
        final var grantControls = ConditionalAccessPolicyGrantControlsArgs.builder()
            .operator("OR")
            .builtInControls("mfa")
            .build();

        // Re-authentication every 10 hours, with session monitoring only.
        final var sessionControls = ConditionalAccessPolicySessionControlsArgs.builder()
            .applicationEnforcedRestrictionsEnabled(true)
            .disableResilienceDefaults(false)
            .signInFrequency(10)
            .signInFrequencyPeriod("hours")
            .cloudAppSecurityPolicy("monitorOnly")
            .build();

        var policy = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(conditions)
            .grantControls(grantControls)
            .sessionControls(sessionControls)
            .build());
    }
}
# One Conditional Access policy that requires MFA for a narrow set of sign-ins.
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      # Created disabled, so nothing is enforced yet. A staged rollout would
      # use enabledForReportingOnly and review sign-in logs before enabling.
      state: disabled
      # A sign-in must satisfy every condition below for the policy to apply,
      # so this is not a tenant-wide MFA baseline.
      conditions:
        clientAppTypes:
          - all
        signInRiskLevels:
          - medium
        userRiskLevels:
          - medium
        applications:
          includedApplications:
            - All
          excludedApplications: []
        devices:
          filter:
            mode: exclude
            # NOTE(review): "Doors" reads like a placeholder OS name; substitute a real filter rule.
            rule: device.operatingSystem eq "Doors"
        locations:
          includedLocations:
            - All
          excludedLocations:
            - AllTrusted
        platforms:
          includedPlatforms:
            - android
          excludedPlatforms:
            - iOS
        # Guests and external users fall outside this policy. Before enabling a
        # policy that includes All users, also exclude emergency-access accounts.
        users:
          includedUsers:
            - All
          excludedUsers:
            - GuestsOrExternalUsers
      # Require MFA for matching sign-ins.
      grantControls:
        operator: OR
        builtInControls:
          - mfa
      # Re-authentication every 10 hours, with session monitoring only.
      sessionControls:
        applicationEnforcedRestrictionsEnabled: true
        disableResilienceDefaults: false
        signInFrequency: 10
        signInFrequencyPeriod: hours
        cloudAppSecurityPolicy: monitorOnly
Included client applications / service principals
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Client configuration of the principal this program authenticates as.
const current = azuread.getClientConfig({});

// Workload-identity policy: users are set to "None" and the target is a
// service principal, here the object ID of the current principal.
const conditions = {
    clientAppTypes: ["all"],
    applications: { includedApplications: ["All"] },
    clientApplications: {
        includedServicePrincipals: [current.then(cfg => cfg.objectId)],
        excludedServicePrincipals: [],
    },
    users: { includedUsers: ["None"] },
};

// The grant control is "block" and the state is "disabled". If the deployment
// itself runs as that service principal, enabling the policy would block the
// identity that manages it, so pick the target principal deliberately and
// validate with "enabledForReportingOnly" first.
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    state: "disabled",
    conditions,
    grantControls: { operator: "OR", builtInControls: ["block"] },
});
import pulumi
import pulumi_azuread as azuread
# Client configuration of the principal this program authenticates as.
current = azuread.get_client_config()

# Workload-identity policy: users are set to "None" and the target is a
# service principal, here the object ID of the current principal.
conditions = azuread.ConditionalAccessPolicyConditionsArgs(
    client_app_types=["all"],
    applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
        included_applications=["All"],
    ),
    client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
        included_service_principals=[current.object_id],
        excluded_service_principals=[],
    ),
    users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
        included_users=["None"],
    ),
)

# The grant control is "block" and the state is "disabled". If the deployment
# itself runs as that service principal, enabling the policy would block the
# identity that manages it, so pick the target principal deliberately and
# validate with "enabledForReportingOnly" first.
example = azuread.ConditionalAccessPolicy(
    "example",
    display_name="example policy",
    state="disabled",
    conditions=conditions,
    grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
        operator="OR",
        built_in_controls=["block"],
    ),
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a workload-identity Conditional Access policy that blocks the
// service principal whose object ID is returned by GetClientConfig. The policy
// is created "disabled". If the deployment itself runs as that service
// principal, enabling the policy would block the identity that manages it, so
// pick the target principal deliberately and validate with
// "enabledForReportingOnly" first.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Client configuration of the principal this program authenticates as.
		current, err := azuread.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}

		policyArgs := &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			State:       pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{pulumi.String("all")},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{pulumi.String("All")},
				},
				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
					IncludedServicePrincipals: pulumi.StringArray{pulumi.String(current.ObjectId)},
					ExcludedServicePrincipals: pulumi.StringArray{},
				},
				// Users are set to "None": the policy targets service principals only.
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{pulumi.String("None")},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator:        pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{pulumi.String("block")},
			},
		}

		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", policyArgs)
		// err is nil on success, so it can be returned as-is.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Client configuration of the principal this program authenticates as.
    var current = AzureAD.GetClientConfig.Invoke();

    // Workload-identity policy: users are set to "None" and the target is a
    // service principal, here the object ID of the current principal.
    var conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
    {
        ClientAppTypes = new[] { "all" },
        Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
        {
            IncludedApplications = new[] { "All" },
        },
        ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
        {
            IncludedServicePrincipals = new[]
            {
                current.Apply(cfg => cfg.ObjectId),
            },
            ExcludedServicePrincipals = new() { },
        },
        Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
        {
            IncludedUsers = new[] { "None" },
        },
    };

    // The grant control is "block" and the state is "disabled". If the
    // deployment itself runs as that service principal, enabling the policy
    // would block the identity that manages it, so pick the target principal
    // deliberately and validate with "enabledForReportingOnly" first.
    var policy = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        State = "disabled",
        Conditions = conditions,
        GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
        {
            Operator = "OR",
            BuiltInControls = new[] { "block" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares a workload-identity Conditional Access policy
 * blocking the service principal whose object ID getClientConfig returns.
 * The policy is created "disabled". If the deployment itself runs as that
 * service principal, enabling the policy would block the identity that manages
 * it, so pick the target principal deliberately and validate with
 * "enabledForReportingOnly" first.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the example policy on the given deployment context. */
    public static void stack(Context ctx) {
        // Client configuration of the principal this program authenticates as.
        final var current = AzureadFunctions.getClientConfig();

        // Users are set to "None": the policy targets service principals only.
        final var conditions = ConditionalAccessPolicyConditionsArgs.builder()
            .clientAppTypes("all")
            .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                .includedApplications("All")
                .build())
            .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                .includedServicePrincipals(current.applyValue(cfg -> cfg.objectId()))
                .excludedServicePrincipals()
                .build())
            .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                .includedUsers("None")
                .build())
            .build();

        final var grantControls = ConditionalAccessPolicyGrantControlsArgs.builder()
            .operator("OR")
            .builtInControls("block")
            .build();

        var policy = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(conditions)
            .grantControls(grantControls)
            .build());
    }
}
# Workload-identity policy that blocks one service principal: the object ID
# returned by getClientConfig for the principal running this program.
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      # Created disabled. If the deployment itself runs as the included service
      # principal, enabling the policy would block the identity that manages it;
      # validate with enabledForReportingOnly first.
      state: disabled
      conditions:
        clientAppTypes:
          - all
        applications:
          includedApplications:
            - All
        clientApplications:
          includedServicePrincipals:
            - ${current.objectId}
          excludedServicePrincipals: []
        # Users are set to None: the policy targets service principals only.
        users:
          includedUsers:
            - None
      grantControls:
        operator: OR
        builtInControls:
          - block
# Client configuration of the principal this program authenticates as.
variables:
  current:
    fn::invoke:
      Function: azuread:getClientConfig
      Arguments: {}
Excluded client applications / service principals
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
// Client configuration of the principal this program authenticates as.
const current = azuread.getClientConfig({});

// Workload-identity policy: every service principal in the tenant is included
// and only the current principal's object ID is excluded.
const conditions = {
    clientAppTypes: ["all"],
    applications: { includedApplications: ["All"] },
    clientApplications: {
        includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
        excludedServicePrincipals: [current.then(cfg => cfg.objectId)],
    },
    users: { includedUsers: ["None"] },
};

// The grant control is "block" and the state is "disabled". Enabled as
// written, this would block every in-scope service principal except the
// excluded one, so inventory the affected workloads and validate with
// "enabledForReportingOnly" before enforcing it.
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    state: "disabled",
    conditions,
    grantControls: { operator: "OR", builtInControls: ["block"] },
});
import pulumi
import pulumi_azuread as azuread
# Client configuration of the principal this program authenticates as.
current = azuread.get_client_config()

# Workload-identity policy: every service principal in the tenant is included
# and only the current principal's object ID is excluded.
conditions = azuread.ConditionalAccessPolicyConditionsArgs(
    client_app_types=["all"],
    applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
        included_applications=["All"],
    ),
    client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
        included_service_principals=["ServicePrincipalsInMyTenant"],
        excluded_service_principals=[current.object_id],
    ),
    users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
        included_users=["None"],
    ),
)

# The grant control is "block" and the state is "disabled". Enabled as
# written, this would block every in-scope service principal except the
# excluded one, so inventory the affected workloads and validate with
# "enabledForReportingOnly" before enforcing it.
example = azuread.ConditionalAccessPolicy(
    "example",
    display_name="example policy",
    state="disabled",
    conditions=conditions,
    grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
        operator="OR",
        built_in_controls=["block"],
    ),
)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a workload-identity Conditional Access policy that includes
// every service principal in the tenant and excludes only the object ID
// returned by GetClientConfig. The policy is created "disabled". Enabled as
// written, it would block every in-scope service principal except the excluded
// one, so inventory the affected workloads and validate with
// "enabledForReportingOnly" before enforcing it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Client configuration of the principal this program authenticates as.
		current, err := azuread.GetClientConfig(ctx, nil, nil)
		if err != nil {
			return err
		}

		policyArgs := &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			State:       pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{pulumi.String("all")},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{pulumi.String("All")},
				},
				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
					IncludedServicePrincipals: pulumi.StringArray{pulumi.String("ServicePrincipalsInMyTenant")},
					ExcludedServicePrincipals: pulumi.StringArray{pulumi.String(current.ObjectId)},
				},
				// Users are set to "None": the policy targets service principals only.
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{pulumi.String("None")},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator:        pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{pulumi.String("block")},
			},
		}

		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", policyArgs)
		// err is nil on success, so it can be returned as-is.
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
    // Client configuration of the principal this program authenticates as.
    var current = AzureAD.GetClientConfig.Invoke();

    // Workload-identity policy: every service principal in the tenant is
    // included and only the current principal's object ID is excluded.
    var conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
    {
        ClientAppTypes = new[] { "all" },
        Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
        {
            IncludedApplications = new[] { "All" },
        },
        ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
        {
            IncludedServicePrincipals = new[] { "ServicePrincipalsInMyTenant" },
            ExcludedServicePrincipals = new[]
            {
                current.Apply(cfg => cfg.ObjectId),
            },
        },
        Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
        {
            IncludedUsers = new[] { "None" },
        },
    };

    // The grant control is "block" and the state is "disabled". Enabled as
    // written, this would block every in-scope service principal except the
    // excluded one, so inventory the affected workloads and validate with
    // "enabledForReportingOnly" before enforcing it.
    var policy = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        State = "disabled",
        Conditions = conditions,
        GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
        {
            Operator = "OR",
            BuiltInControls = new[] { "block" },
        },
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares a workload-identity Conditional Access policy
 * including every service principal in the tenant and excluding only the
 * object ID getClientConfig returns. The policy is created "disabled".
 * Enabled as written, it would block every in-scope service principal except
 * the excluded one, so inventory the affected workloads and validate with
 * "enabledForReportingOnly" before enforcing it.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the example policy on the given deployment context. */
    public static void stack(Context ctx) {
        // Client configuration of the principal this program authenticates as.
        final var current = AzureadFunctions.getClientConfig();

        // Users are set to "None": the policy targets service principals only.
        final var conditions = ConditionalAccessPolicyConditionsArgs.builder()
            .clientAppTypes("all")
            .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                .includedApplications("All")
                .build())
            .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                .includedServicePrincipals("ServicePrincipalsInMyTenant")
                .excludedServicePrincipals(current.applyValue(cfg -> cfg.objectId()))
                .build())
            .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                .includedUsers("None")
                .build())
            .build();

        final var grantControls = ConditionalAccessPolicyGrantControlsArgs.builder()
            .operator("OR")
            .builtInControls("block")
            .build();

        var policy = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(conditions)
            .grantControls(grantControls)
            .build());
    }
}
# Workload-identity policy that includes every service principal in the tenant
# and excludes only the principal running this program.
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      # Created disabled. Enabled as written, it would block every in-scope
      # service principal except the excluded one; inventory the affected
      # workloads and validate with enabledForReportingOnly first.
      state: disabled
      conditions:
        clientAppTypes:
          - all
        applications:
          includedApplications:
            - All
        clientApplications:
          includedServicePrincipals:
            - ServicePrincipalsInMyTenant
          excludedServicePrincipals:
            - ${current.objectId}
        # Users are set to None: the policy targets service principals only.
        users:
          includedUsers:
            - None
      grantControls:
        operator: OR
        builtInControls:
          - block
# Client configuration of the principal this program authenticates as.
variables:
  current:
    fn::invoke:
      Function: azuread:getClientConfig
      Arguments: {}
Create ConditionalAccessPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);
@overload
def ConditionalAccessPolicy(resource_name: str,
args: ConditionalAccessPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ConditionalAccessPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
state: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None)
func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
type: azuread:ConditionalAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Shape reference only: every value below is a "string", false or 0
// placeholder and must be replaced with a value the property accepts.
var conditionalAccessPolicyResource = new AzureAD.ConditionalAccessPolicy("conditionalAccessPolicyResource", new()
{
    Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
    {
        Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
        {
            ExcludedApplications = new[] { "string" },
            IncludedApplications = new[] { "string" },
            IncludedUserActions = new[] { "string" },
        },
        ClientAppTypes = new[] { "string" },
        // Who the policy applies to: users, groups, roles and guest/external users.
        Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
        {
            ExcludedGroups = new[] { "string" },
            ExcludedGuestsOrExternalUsers = new[]
            {
                new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
                {
                    GuestOrExternalUserTypes = new[] { "string" },
                    ExternalTenants = new[]
                    {
                        new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
                        {
                            MembershipKind = "string",
                            Members = new[] { "string" },
                        },
                    },
                },
            },
            ExcludedRoles = new[] { "string" },
            ExcludedUsers = new[] { "string" },
            IncludedGroups = new[] { "string" },
            IncludedGuestsOrExternalUsers = new[]
            {
                new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
                {
                    GuestOrExternalUserTypes = new[] { "string" },
                    ExternalTenants = new[]
                    {
                        new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
                        {
                            MembershipKind = "string",
                            Members = new[] { "string" },
                        },
                    },
                },
            },
            IncludedRoles = new[] { "string" },
            IncludedUsers = new[] { "string" },
        },
        // Workload identities (service principals) the policy applies to.
        ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
        {
            ExcludedServicePrincipals = new[] { "string" },
            IncludedServicePrincipals = new[] { "string" },
        },
        Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
        {
            Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
            {
                Mode = "string",
                Rule = "string",
            },
        },
        Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
        {
            IncludedLocations = new[] { "string" },
            ExcludedLocations = new[] { "string" },
        },
        Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
        {
            IncludedPlatforms = new[] { "string" },
            ExcludedPlatforms = new[] { "string" },
        },
        ServicePrincipalRiskLevels = new[] { "string" },
        SignInRiskLevels = new[] { "string" },
        UserRiskLevels = new[] { "string" },
    },
    DisplayName = "string",
    State = "string",
    // What a matching sign-in must satisfy (or whether it is blocked).
    GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
    {
        Operator = "string",
        AuthenticationStrengthPolicyId = "string",
        BuiltInControls = new[] { "string" },
        CustomAuthenticationFactors = new[] { "string" },
        TermsOfUses = new[] { "string" },
    },
    // Restrictions applied to the session after access is granted.
    SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
    {
        ApplicationEnforcedRestrictionsEnabled = false,
        CloudAppSecurityPolicy = "string",
        DisableResilienceDefaults = false,
        PersistentBrowserMode = "string",
        SignInFrequency = 0,
        SignInFrequencyAuthenticationType = "string",
        SignInFrequencyInterval = "string",
        SignInFrequencyPeriod = "string",
    },
});
// Shape reference only: every value below is a "string", false or 0
// placeholder and must be replaced with a value the property accepts.
example, err := azuread.NewConditionalAccessPolicy(ctx, "conditionalAccessPolicyResource", &azuread.ConditionalAccessPolicyArgs{
	Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
		Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
			ExcludedApplications: pulumi.StringArray{pulumi.String("string")},
			IncludedApplications: pulumi.StringArray{pulumi.String("string")},
			IncludedUserActions:  pulumi.StringArray{pulumi.String("string")},
		},
		ClientAppTypes: pulumi.StringArray{pulumi.String("string")},
		// Who the policy applies to: users, groups, roles and guest/external users.
		Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
			ExcludedGroups: pulumi.StringArray{pulumi.String("string")},
			ExcludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray{
				&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{
					GuestOrExternalUserTypes: pulumi.StringArray{pulumi.String("string")},
					ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray{
						&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{
							MembershipKind: pulumi.String("string"),
							Members:        pulumi.StringArray{pulumi.String("string")},
						},
					},
				},
			},
			ExcludedRoles:  pulumi.StringArray{pulumi.String("string")},
			ExcludedUsers:  pulumi.StringArray{pulumi.String("string")},
			IncludedGroups: pulumi.StringArray{pulumi.String("string")},
			IncludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray{
				&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{
					GuestOrExternalUserTypes: pulumi.StringArray{pulumi.String("string")},
					ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray{
						&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{
							MembershipKind: pulumi.String("string"),
							Members:        pulumi.StringArray{pulumi.String("string")},
						},
					},
				},
			},
			IncludedRoles: pulumi.StringArray{pulumi.String("string")},
			IncludedUsers: pulumi.StringArray{pulumi.String("string")},
		},
		// Workload identities (service principals) the policy applies to.
		ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
			ExcludedServicePrincipals: pulumi.StringArray{pulumi.String("string")},
			IncludedServicePrincipals: pulumi.StringArray{pulumi.String("string")},
		},
		Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
			Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
				Mode: pulumi.String("string"),
				Rule: pulumi.String("string"),
			},
		},
		Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
			IncludedLocations: pulumi.StringArray{pulumi.String("string")},
			ExcludedLocations: pulumi.StringArray{pulumi.String("string")},
		},
		Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
			IncludedPlatforms: pulumi.StringArray{pulumi.String("string")},
			ExcludedPlatforms: pulumi.StringArray{pulumi.String("string")},
		},
		ServicePrincipalRiskLevels: pulumi.StringArray{pulumi.String("string")},
		SignInRiskLevels:           pulumi.StringArray{pulumi.String("string")},
		UserRiskLevels:             pulumi.StringArray{pulumi.String("string")},
	},
	DisplayName: pulumi.String("string"),
	State:       pulumi.String("string"),
	// What a matching sign-in must satisfy (or whether it is blocked).
	GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
		Operator:                       pulumi.String("string"),
		AuthenticationStrengthPolicyId: pulumi.String("string"),
		BuiltInControls:                pulumi.StringArray{pulumi.String("string")},
		CustomAuthenticationFactors:    pulumi.StringArray{pulumi.String("string")},
		TermsOfUses:                    pulumi.StringArray{pulumi.String("string")},
	},
	// Restrictions applied to the session after access is granted.
	SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
		ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(false),
		CloudAppSecurityPolicy:                 pulumi.String("string"),
		DisableResilienceDefaults:              pulumi.Bool(false),
		PersistentBrowserMode:                  pulumi.String("string"),
		SignInFrequency:                        pulumi.Int(0),
		SignInFrequencyAuthenticationType:      pulumi.String("string"),
		SignInFrequencyInterval:                pulumi.String("string"),
		SignInFrequencyPeriod:                  pulumi.String("string"),
	},
})
// Constructor reference: lists every input of ConditionalAccessPolicy. The values "string",
// false and 0 are type placeholders, not usable settings.
var conditionalAccessPolicyResource = new ConditionalAccessPolicy("conditionalAccessPolicyResource", ConditionalAccessPolicyArgs.builder()
    // conditions: the rules that must be met for the policy to apply.
    .conditions(ConditionalAccessPolicyConditionsArgs.builder()
        // includedApplications and includedUserActions cannot be specified together, and one of
        // them must be set; both appear here only because the listing enumerates every field.
        .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
            .excludedApplications("string")
            .includedApplications("string")
            .includedUserActions("string")
            .build())
        // Possible values: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync,
        // easSupported, other.
        .clientAppTypes("string")
        // users: users, groups and roles included in and excluded from the policy. Anything in an
        // excluded* list is outside the policy's scope, so review exclusions as closely as inclusions.
        .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
            .excludedGroups("string")
            .excludedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.builder()
                .guestOrExternalUserTypes("string")
                .externalTenants(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.builder()
                    .membershipKind("string")
                    .members("string")
                    .build())
                .build())
            .excludedRoles("string")
            .excludedUsers("string")
            .includedGroups("string")
            .includedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.builder()
                .guestOrExternalUserTypes("string")
                .externalTenants(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.builder()
                    .membershipKind("string")
                    .members("string")
                    .build())
                .build())
            .includedRoles("string")
            .includedUsers("string")
            .build())
        // clientApplications: service principals in scope. The page's licensing note says this
        // property needs Workload Identities Premium licences, one per managed service principal.
        .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
            .excludedServicePrincipals("string")
            .includedServicePrincipals("string")
            .build())
        // devices: can be added to an existing policy, but removing the block forces a new
        // resource to be created.
        .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
            .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                .mode("string")
                .rule("string")
                .build())
            .build())
        .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
            .includedLocations("string")
            .excludedLocations("string")
            .build())
        .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
            .includedPlatforms("string")
            .excludedPlatforms("string")
            .build())
        // Risk levels: low, medium, high, none, unknownFutureValue; the sign-in and user lists
        // also accept hidden.
        .servicePrincipalRiskLevels("string")
        .signInRiskLevels("string")
        .userRiskLevels("string")
        .build())
    .displayName("string")
    // state: enabled, disabled or enabledForReportingButNotEnforced.
    // NOTE(review): only `enabled` reads as an enforcing state; confirm how the other two behave
    // before relying on the policy.
    .state("string")
    // At least one of grantControls and sessionControls must be specified.
    // grantControls: the controls that must be fulfilled to pass the policy.
    .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
        .operator("string")
        .authenticationStrengthPolicyId("string")
        .builtInControls("string")
        .customAuthenticationFactors("string")
        .termsOfUses("string")
        .build())
    // sessionControls: the controls that are enforced after sign-in.
    .sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
        .applicationEnforcedRestrictionsEnabled(false)
        .cloudAppSecurityPolicy("string")
        .disableResilienceDefaults(false)
        .persistentBrowserMode("string")
        .signInFrequency(0)
        .signInFrequencyAuthenticationType("string")
        .signInFrequencyInterval("string")
        .signInFrequencyPeriod("string")
        .build())
    .build());
# Constructor reference: lists every input of ConditionalAccessPolicy. The values "string",
# False and 0 are type placeholders, not usable settings.
conditional_access_policy_resource = azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource",
    # conditions: the rules that must be met for the policy to apply.
    conditions=azuread.ConditionalAccessPolicyConditionsArgs(
        # included_applications and included_user_actions cannot be specified together, and one
        # of them must be set; both appear here only because the listing enumerates every field.
        applications=azuread.ConditionalAccessPolicyConditionsApplicationsArgs(
            excluded_applications=["string"],
            included_applications=["string"],
            included_user_actions=["string"],
        ),
        # Possible values: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync,
        # easSupported, other.
        client_app_types=["string"],
        # users: users, groups and roles included in and excluded from the policy. Anything in an
        # excluded_* list is outside the policy's scope, so review exclusions as closely as inclusions.
        users=azuread.ConditionalAccessPolicyConditionsUsersArgs(
            excluded_groups=["string"],
            excluded_guests_or_external_users=[azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs(
                guest_or_external_user_types=["string"],
                external_tenants=[azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs(
                    membership_kind="string",
                    members=["string"],
                )],
            )],
            excluded_roles=["string"],
            excluded_users=["string"],
            included_groups=["string"],
            included_guests_or_external_users=[azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs(
                guest_or_external_user_types=["string"],
                external_tenants=[azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs(
                    membership_kind="string",
                    members=["string"],
                )],
            )],
            included_roles=["string"],
            included_users=["string"],
        ),
        # client_applications: service principals in scope. The page's licensing note says this
        # property needs Workload Identities Premium licences, one per managed service principal.
        client_applications=azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs(
            excluded_service_principals=["string"],
            included_service_principals=["string"],
        ),
        # devices: can be added to an existing policy, but removing the block forces a new
        # resource to be created.
        devices=azuread.ConditionalAccessPolicyConditionsDevicesArgs(
            filter=azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs(
                mode="string",
                rule="string",
            ),
        ),
        locations=azuread.ConditionalAccessPolicyConditionsLocationsArgs(
            included_locations=["string"],
            excluded_locations=["string"],
        ),
        platforms=azuread.ConditionalAccessPolicyConditionsPlatformsArgs(
            included_platforms=["string"],
            excluded_platforms=["string"],
        ),
        # Risk levels: low, medium, high, none, unknownFutureValue; the sign-in and user lists
        # also accept hidden.
        service_principal_risk_levels=["string"],
        sign_in_risk_levels=["string"],
        user_risk_levels=["string"],
    ),
    display_name="string",
    # state: enabled, disabled or enabledForReportingButNotEnforced.
    # NOTE(review): only `enabled` reads as an enforcing state; confirm how the other two behave
    # before relying on the policy.
    state="string",
    # At least one of grant_controls and session_controls must be specified.
    # grant_controls: the controls that must be fulfilled to pass the policy.
    grant_controls=azuread.ConditionalAccessPolicyGrantControlsArgs(
        operator="string",
        authentication_strength_policy_id="string",
        built_in_controls=["string"],
        custom_authentication_factors=["string"],
        terms_of_uses=["string"],
    ),
    # session_controls: the controls that are enforced after sign-in.
    session_controls=azuread.ConditionalAccessPolicySessionControlsArgs(
        application_enforced_restrictions_enabled=False,
        cloud_app_security_policy="string",
        disable_resilience_defaults=False,
        persistent_browser_mode="string",
        sign_in_frequency=0,
        sign_in_frequency_authentication_type="string",
        sign_in_frequency_interval="string",
        sign_in_frequency_period="string",
    ))
// Constructor reference: lists every input of ConditionalAccessPolicy. The values "string",
// false and 0 are type placeholders, not usable settings.
const conditionalAccessPolicyResource = new azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource", {
    // conditions: the rules that must be met for the policy to apply.
    conditions: {
        // includedApplications and includedUserActions cannot be specified together, and one of
        // them must be set; both appear here only because the listing enumerates every field.
        applications: {
            excludedApplications: ["string"],
            includedApplications: ["string"],
            includedUserActions: ["string"],
        },
        // Possible values: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync,
        // easSupported, other.
        clientAppTypes: ["string"],
        // users: users, groups and roles included in and excluded from the policy. Anything in an
        // excluded* list is outside the policy's scope, so review exclusions as closely as inclusions.
        users: {
            excludedGroups: ["string"],
            excludedGuestsOrExternalUsers: [{
                guestOrExternalUserTypes: ["string"],
                externalTenants: [{
                    membershipKind: "string",
                    members: ["string"],
                }],
            }],
            excludedRoles: ["string"],
            excludedUsers: ["string"],
            includedGroups: ["string"],
            includedGuestsOrExternalUsers: [{
                guestOrExternalUserTypes: ["string"],
                externalTenants: [{
                    membershipKind: "string",
                    members: ["string"],
                }],
            }],
            includedRoles: ["string"],
            includedUsers: ["string"],
        },
        // clientApplications: service principals in scope. The page's licensing note says this
        // property needs Workload Identities Premium licences, one per managed service principal.
        clientApplications: {
            excludedServicePrincipals: ["string"],
            includedServicePrincipals: ["string"],
        },
        // devices: can be added to an existing policy, but removing the block forces a new
        // resource to be created.
        devices: {
            filter: {
                mode: "string",
                rule: "string",
            },
        },
        locations: {
            includedLocations: ["string"],
            excludedLocations: ["string"],
        },
        platforms: {
            includedPlatforms: ["string"],
            excludedPlatforms: ["string"],
        },
        // Risk levels: low, medium, high, none, unknownFutureValue; the sign-in and user lists
        // also accept hidden.
        servicePrincipalRiskLevels: ["string"],
        signInRiskLevels: ["string"],
        userRiskLevels: ["string"],
    },
    displayName: "string",
    // state: enabled, disabled or enabledForReportingButNotEnforced.
    // NOTE(review): only `enabled` reads as an enforcing state; confirm how the other two behave
    // before relying on the policy.
    state: "string",
    // At least one of grantControls and sessionControls must be specified.
    // grantControls: the controls that must be fulfilled to pass the policy.
    grantControls: {
        operator: "string",
        authenticationStrengthPolicyId: "string",
        builtInControls: ["string"],
        customAuthenticationFactors: ["string"],
        termsOfUses: ["string"],
    },
    // sessionControls: the controls that are enforced after sign-in.
    sessionControls: {
        applicationEnforcedRestrictionsEnabled: false,
        cloudAppSecurityPolicy: "string",
        disableResilienceDefaults: false,
        persistentBrowserMode: "string",
        signInFrequency: 0,
        signInFrequencyAuthenticationType: "string",
        signInFrequencyInterval: "string",
        signInFrequencyPeriod: "string",
    },
});
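# Constructor reference: lists every input of azuread:ConditionalAccessPolicy. The values
# "string", false and 0 are type placeholders, not usable settings.
# Indentation restored so the nesting matches the other language listings on this page.
type: azuread:ConditionalAccessPolicy
properties:
    # conditions: the rules that must be met for the policy to apply.
    conditions:
        # includedApplications and includedUserActions cannot be specified together, and one of
        # them must be set; both appear here only because the listing enumerates every field.
        applications:
            excludedApplications:
                - string
            includedApplications:
                - string
            includedUserActions:
                - string
        # Possible values: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync,
        # easSupported, other.
        clientAppTypes:
            - string
        # clientApplications: service principals in scope. The page's licensing note says this
        # property needs Workload Identities Premium licences, one per managed service principal.
        clientApplications:
            excludedServicePrincipals:
                - string
            includedServicePrincipals:
                - string
        # devices: can be added to an existing policy, but removing the block forces a new
        # resource to be created.
        devices:
            filter:
                mode: string
                rule: string
        locations:
            excludedLocations:
                - string
            includedLocations:
                - string
        platforms:
            excludedPlatforms:
                - string
            includedPlatforms:
                - string
        # Risk levels: low, medium, high, none, unknownFutureValue; the sign-in and user lists
        # also accept hidden.
        servicePrincipalRiskLevels:
            - string
        signInRiskLevels:
            - string
        userRiskLevels:
            - string
        # users: users, groups and roles included in and excluded from the policy. Anything in an
        # excluded* list is outside the policy's scope, so review exclusions as closely as inclusions.
        users:
            excludedGroups:
                - string
            excludedGuestsOrExternalUsers:
                - externalTenants:
                    - members:
                        - string
                      membershipKind: string
                  guestOrExternalUserTypes:
                    - string
            excludedRoles:
                - string
            excludedUsers:
                - string
            includedGroups:
                - string
            includedGuestsOrExternalUsers:
                - externalTenants:
                    - members:
                        - string
                      membershipKind: string
                  guestOrExternalUserTypes:
                    - string
            includedRoles:
                - string
            includedUsers:
                - string
    displayName: string
    # At least one of grantControls and sessionControls must be specified.
    # grantControls: the controls that must be fulfilled to pass the policy.
    grantControls:
        authenticationStrengthPolicyId: string
        builtInControls:
            - string
        customAuthenticationFactors:
            - string
        operator: string
        termsOfUses:
            - string
    # sessionControls: the controls that are enforced after sign-in.
    sessionControls:
        applicationEnforcedRestrictionsEnabled: false
        cloudAppSecurityPolicy: string
        disableResilienceDefaults: false
        persistentBrowserMode: string
        signInFrequency: 0
        signInFrequencyAuthenticationType: string
        signInFrequencyInterval: string
        signInFrequencyPeriod: string
    # state: enabled, disabled or enabledForReportingButNotEnforced.
    # NOTE(review): only `enabled` reads as an enforcing state; confirm how the other two behave
    # before relying on the policy.
    state: string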
ConditionalAccessPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ConditionalAccessPolicy resource accepts the following input properties:
- Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- DisplayName string - The friendly name for this Conditional Access Policy.
- State string - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- Conditions ConditionalAccessPolicyConditionsArgs - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- DisplayName string - The friendly name for this Conditional Access Policy.
- State string - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- GrantControls ConditionalAccessPolicyGrantControlsArgs - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- SessionControls ConditionalAccessPolicySessionControlsArgs - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- conditions ConditionalAccessPolicyConditions - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName String - The friendly name for this Conditional Access Policy.
- state String - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grantControls ConditionalAccessPolicyGrantControls - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls ConditionalAccessPolicySessionControls - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- conditions ConditionalAccessPolicyConditions - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName string - The friendly name for this Conditional Access Policy.
- state string - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grantControls ConditionalAccessPolicyGrantControls - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls ConditionalAccessPolicySessionControls - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- conditions ConditionalAccessPolicyConditionsArgs - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- display_name str - The friendly name for this Conditional Access Policy.
- state str - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grant_controls ConditionalAccessPolicyGrantControlsArgs - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- session_controls ConditionalAccessPolicySessionControlsArgs - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- conditions Property Map - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName String - The friendly name for this Conditional Access Policy.
- state String - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- grantControls Property Map - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls Property Map - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
Outputs
All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ConditionalAccessPolicy Resource
Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
state: Optional[str] = None) -> ConditionalAccessPolicy
func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)
public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- DisplayName string - The friendly name for this Conditional Access Policy.
- GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- State string - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- Conditions ConditionalAccessPolicyConditionsArgs - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- DisplayName string - The friendly name for this Conditional Access Policy.
- GrantControls ConditionalAccessPolicyGrantControlsArgs - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- SessionControls ConditionalAccessPolicySessionControlsArgs - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- State string - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- conditions ConditionalAccessPolicyConditions - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName String - The friendly name for this Conditional Access Policy.
- grantControls ConditionalAccessPolicyGrantControls - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls ConditionalAccessPolicySessionControls - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- state String - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- conditions ConditionalAccessPolicyConditions - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName string - The friendly name for this Conditional Access Policy.
- grantControls ConditionalAccessPolicyGrantControls - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls ConditionalAccessPolicySessionControls - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- state string - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- conditions ConditionalAccessPolicyConditionsArgs - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- display_name str - The friendly name for this Conditional Access Policy.
- grant_controls ConditionalAccessPolicyGrantControlsArgs - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- session_controls ConditionalAccessPolicySessionControlsArgs - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- state str - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
- conditions Property Map - A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
- displayName String - The friendly name for this Conditional Access Policy.
- grantControls Property Map - A `grant_controls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
- sessionControls Property Map - A `session_controls` block as documented below, which specifies the session controls that are enforced after sign-in.
  Note: At least one of `grant_controls` and/or `session_controls` blocks must be specified.
- state String - Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`.
Supporting Types
ConditionalAccessPolicyConditions, ConditionalAccessPolicyConditionsArgs
- Applications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsApplications - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- ClientAppTypes List<string> - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- Users Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsers - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- ClientApplications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplications - A `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
- Devices Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevices - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- Locations Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsLocations - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- Platforms Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatforms - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- ServicePrincipalRiskLevels List<string> - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- SignInRiskLevels List<string> - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- UserRiskLevels List<string> - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- Applications ConditionalAccessPolicyConditionsApplications - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- ClientAppTypes []string - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- Users ConditionalAccessPolicyConditionsUsers - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- ClientApplications ConditionalAccessPolicyConditionsClientApplications - A `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
- Devices ConditionalAccessPolicyConditionsDevices - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- Locations ConditionalAccessPolicyConditionsLocations - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- Platforms ConditionalAccessPolicyConditionsPlatforms - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- ServicePrincipalRiskLevels []string - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- SignInRiskLevels []string - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- UserRiskLevels []string - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications ConditionalAccessPolicyConditionsApplications - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- clientAppTypes List<String> - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users ConditionalAccessPolicyConditionsUsers - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- clientApplications ConditionalAccessPolicyConditionsClientApplications - A `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices ConditionalAccessPolicyConditionsDevices - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- locations ConditionalAccessPolicyConditionsLocations - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms ConditionalAccessPolicyConditionsPlatforms - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- servicePrincipalRiskLevels List<String> - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- signInRiskLevels List<String> - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- userRiskLevels List<String> - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications ConditionalAccessPolicyConditionsApplications - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- clientAppTypes string[] - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users ConditionalAccessPolicyConditionsUsers - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- clientApplications ConditionalAccessPolicyConditionsClientApplications - A `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices ConditionalAccessPolicyConditionsDevices - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- locations ConditionalAccessPolicyConditionsLocations - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms ConditionalAccessPolicyConditionsPlatforms - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- servicePrincipalRiskLevels string[] - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- signInRiskLevels string[] - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- userRiskLevels string[] - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications ConditionalAccessPolicyConditionsApplications - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- client_app_types Sequence[str] - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users ConditionalAccessPolicyConditionsUsers - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- client_applications ConditionalAccessPolicyConditionsClientApplications - A `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices ConditionalAccessPolicyConditionsDevices - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- locations ConditionalAccessPolicyConditionsLocations - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms ConditionalAccessPolicyConditionsPlatforms - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- service_principal_risk_levels Sequence[str] - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- sign_in_risk_levels Sequence[str] - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- user_risk_levels Sequence[str] - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- applications Property Map - An `applications` block as documented below, which specifies applications and user actions included in and excluded from the policy.
- clientAppTypes List<String> - A list of client application types included in the policy. Possible values are: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported` and `other`.
- users Property Map - A `users` block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
- clientApplications Property Map - A `client_applications` block as documented below, which specifies service principals included in and excluded from the policy.
- devices Property Map - A `devices` block as documented below, which describes devices to be included in and excluded from the policy. A `devices` block can be added to an existing policy, but removing the `devices` block forces a new resource to be created.
- locations Property Map - A `locations` block as documented below, which specifies locations included in and excluded from the policy.
- platforms Property Map - A `platforms` block as documented below, which specifies platforms included in and excluded from the policy.
- servicePrincipalRiskLevels List<String> - A list of service principal sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `none`, `unknownFutureValue`.
- signInRiskLevels List<String> - A list of user sign-in risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
- userRiskLevels List<String> - A list of user risk levels included in the policy. Possible values are: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`.
ConditionalAccessPolicyConditionsApplications, ConditionalAccessPolicyConditionsApplicationsArgs
- ExcludedApplications List<string> - A list of application IDs explicitly excluded from the policy. Can also be set to `Office365`.
- IncludedApplications List<string> - A list of application IDs the policy applies to, unless explicitly excluded (in `excluded_applications`). Can also be set to `All`, `None` or `Office365`. Cannot be specified with `included_user_actions`. One of `included_applications` or `included_user_actions` must be specified.
- IncludedUserActions List<string> - A list of user actions to include. Supported values are `urn:user:registerdevice` and `urn:user:registersecurityinfo`. Cannot be specified with `included_applications`. One of `included_applications` or `included_user_actions` must be specified.
- Excluded
Applications []string - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - Included
Applications []string - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - Included
User []stringActions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded
Applications List<String> - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included
Applications List<String> - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included
User List<String>Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded
Applications string[] - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included
Applications string[] - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included
User string[]Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded_
applications Sequence[str] - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included_
applications Sequence[str] - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included_
user_ Sequence[str]actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded
Applications List<String> - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included
Applications List<String> - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included
User List<String>Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
ConditionalAccessPolicyConditionsClientApplications, ConditionalAccessPolicyConditionsClientApplicationsArgs
- ExcludedServicePrincipals List<string> - A list of service principal IDs explicitly excluded in the policy.
- IncludedServicePrincipals List<string> - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excluded_service_principals` is set.
- ExcludedServicePrincipals []string - A list of service principal IDs explicitly excluded in the policy.
- IncludedServicePrincipals []string - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excluded_service_principals` is set.
- excludedServicePrincipals List<String> - A list of service principal IDs explicitly excluded in the policy.
- includedServicePrincipals List<String> - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excluded_service_principals` is set.
- excludedServicePrincipals string[] - A list of service principal IDs explicitly excluded in the policy.
- includedServicePrincipals string[] - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excluded_service_principals` is set.
- excluded_service_principals Sequence[str] - A list of service principal IDs explicitly excluded in the policy.
- included_service_principals Sequence[str] - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excluded_service_principals` is set.
- excludedServicePrincipals List<String> - A list of service principal IDs explicitly excluded in the policy.
- includedServicePrincipals List<String> - A list of service principal IDs explicitly included in the policy. Can be set to `ServicePrincipalsInMyTenant` to include all service principals. This is a mandatory value when at least one `excluded_service_principals` is set.
ConditionalAccessPolicyConditionsDevices, ConditionalAccessPolicyConditionsDevicesArgs
- Filter Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilter - A `filter` block as described below.
- Filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter Property Map
- A
filter
block as described below.
ConditionalAccessPolicyConditionsDevicesFilter, ConditionalAccessPolicyConditionsDevicesFilterArgs
- Mode string - Whether to include matching devices in, or exclude them from, the policy. Supported values are `include` or `exclude`.
- Rule string - Condition filter to match devices. For more information, see official documentation.
- Mode string - Whether to include matching devices in, or exclude them from, the policy. Supported values are `include` or `exclude`.
- Rule string - Condition filter to match devices. For more information, see official documentation.
- mode String - Whether to include matching devices in, or exclude them from, the policy. Supported values are `include` or `exclude`.
- rule String - Condition filter to match devices. For more information, see official documentation.
- mode string - Whether to include matching devices in, or exclude them from, the policy. Supported values are `include` or `exclude`.
- rule string - Condition filter to match devices. For more information, see official documentation.
- mode str - Whether to include matching devices in, or exclude them from, the policy. Supported values are `include` or `exclude`.
- rule str - Condition filter to match devices. For more information, see official documentation.
- mode String - Whether to include matching devices in, or exclude them from, the policy. Supported values are `include` or `exclude`.
- rule String - Condition filter to match devices. For more information, see official documentation.
ConditionalAccessPolicyConditionsLocations, ConditionalAccessPolicyConditionsLocationsArgs
- IncludedLocations List<string> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to `All`, or `AllTrusted`.
- ExcludedLocations List<string> - A list of location IDs excluded from scope of policy. Can also be set to `AllTrusted`.
- Included
Locations []string - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - Excluded
Locations []string - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included
Locations List<String> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded
Locations List<String> - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included
Locations string[] - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded
Locations string[] - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included_
locations Sequence[str] - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded_
locations Sequence[str] - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included
Locations List<String> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded
Locations List<String> - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
ConditionalAccessPolicyConditionsPlatforms, ConditionalAccessPolicyConditionsPlatformsArgs
- IncludedPlatforms List<string> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- ExcludedPlatforms List<string> - A list of platforms explicitly excluded from the policy. Possible values are: `all`, `android`, `iOS`, `linux`, `macOS`, `windows`, `windowsPhone` or `unknownFutureValue`.
- Included
Platforms []string - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - Excluded
Platforms []string - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included
Platforms List<String> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded
Platforms List<String> - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included
Platforms string[] - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded
Platforms string[] - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included_
platforms Sequence[str] - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded_
platforms Sequence[str] - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included
Platforms List<String> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded
Platforms List<String> - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
ConditionalAccessPolicyConditionsUsers, ConditionalAccessPolicyConditionsUsersArgs
- ExcludedGroups List<string> - A list of group IDs excluded from scope of policy.
- ExcludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> - A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
- ExcludedRoles List<string> - A list of role IDs excluded from scope of policy.
- ExcludedUsers List<string> - A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
- IncludedGroups List<string> - A list of group IDs in scope of policy unless explicitly excluded.
- IncludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> - A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
- IncludedRoles List<string> - A list of role IDs in scope of policy unless explicitly excluded.
- IncludedUsers List<string> - A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
- Excluded
Groups []string - A list of group IDs excluded from scope of policy.
- Excluded
Guests []ConditionalOr External Users Access Policy Conditions Users Excluded Guests Or External User - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - Excluded
Roles []string - A list of role IDs excluded from scope of policy.
- Excluded
Users []string - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - Included
Groups []string - A list of group IDs in scope of policy unless explicitly excluded.
- Included
Guests []ConditionalOr External Users Access Policy Conditions Users Included Guests Or External User - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - Included
Roles []string - A list of role IDs in scope of policy unless explicitly excluded.
- Included
Users []string A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded
Groups List<String> - A list of group IDs excluded from scope of policy.
- excluded
Guests List<ConditionalOr External Users Access Policy Conditions Users Excluded Guests Or External User> - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded
Roles List<String> - A list of role IDs excluded from scope of policy.
- excluded
Users List<String> - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included
Groups List<String> - A list of group IDs in scope of policy unless explicitly excluded.
- included
Guests List<ConditionalOr External Users Access Policy Conditions Users Included Guests Or External User> - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included
Roles List<String> - A list of role IDs in scope of policy unless explicitly excluded.
- included
Users List<String> A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded
Groups string[] - A list of group IDs excluded from scope of policy.
- excluded
Guests ConditionalOr External Users Access Policy Conditions Users Excluded Guests Or External User[] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded
Roles string[] - A list of role IDs excluded from scope of policy.
- excluded
Users string[] - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included
Groups string[] - A list of group IDs in scope of policy unless explicitly excluded.
- included
Guests ConditionalOr External Users Access Policy Conditions Users Included Guests Or External User[] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included
Roles string[] - A list of role IDs in scope of policy unless explicitly excluded.
- included
Users string[] A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded_
groups Sequence[str] - A list of group IDs excluded from scope of policy.
- excluded_
guests_ Sequence[Conditionalor_ external_ users Access Policy Conditions Users Excluded Guests Or External User] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded_
roles Sequence[str] - A list of role IDs excluded from scope of policy.
- excluded_
users Sequence[str] - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included_
groups Sequence[str] - A list of group IDs in scope of policy unless explicitly excluded.
- included_
guests_ Sequence[Conditionalor_ external_ users Access Policy Conditions Users Included Guests Or External User] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included_
roles Sequence[str] - A list of role IDs in scope of policy unless explicitly excluded.
- included_
users Sequence[str] A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded
Groups List<String> - A list of group IDs excluded from scope of policy.
- excluded
Guests List<Property Map>Or External Users - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded
Roles List<String> - A list of role IDs excluded from scope of policy.
- excluded
Users List<String> - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included
Groups List<String> - A list of group IDs in scope of policy unless explicitly excluded.
- included
Guests List<Property Map>Or External Users - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included
Roles List<String> - A list of role IDs in scope of policy unless explicitly excluded.
- included
Users List<String> A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members List<string> - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members []string - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members string[] - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membership_kind str - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members Sequence[str] - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members List<string> - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- MembershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- Members []string - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membershipKind string - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members string[] - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membership_kind str - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members Sequence[str] - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
- membershipKind String - The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
- members List<String> - A list of tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
ConditionalAccessPolicyGrantControls, ConditionalAccessPolicyGrantControlsArgs
- Operator string - Defines the relationship of the grant controls. Possible values are: `AND` (every listed control must be satisfied), `OR` (any one of the listed controls is sufficient).
- AuthenticationStrengthPolicyId string - ID of an Authentication Strength Policy to use in this policy.
- BuiltInControls List<string> - List of built-in controls required by the policy. Possible values are: `block`, `mfa`, `approvedApplication`, `compliantApplication`, `compliantDevice`, `domainJoinedDevice`, `passwordChange` or `unknownFutureValue`.
- CustomAuthenticationFactors List<string> - List of custom controls IDs required by the policy.
- TermsOfUses List<string> - List of terms of use IDs required by the policy.
At least one of `authentication_strength_policy_id`, `built_in_controls` or `terms_of_use` must be specified.
- Operator string
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - Authentication
Strength stringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- Built
In []stringControls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - Custom
Authentication []stringFactors - List of custom controls IDs required by the policy.
- Terms
Of []stringUses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator String
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication
Strength StringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- built
In List<String>Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom
Authentication List<String>Factors - List of custom controls IDs required by the policy.
- terms
Of List<String>Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator string
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication
Strength stringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- built
In string[]Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom
Authentication string[]Factors - List of custom controls IDs required by the policy.
- terms
Of string[]Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator str
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication_
strength_ strpolicy_ id - ID of an Authentication Strength Policy to use in this policy.
- built_
in_ Sequence[str]controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom_
authentication_ Sequence[str]factors - List of custom controls IDs required by the policy.
- terms_
of_ Sequence[str]uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator String
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication
Strength StringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- built
In List<String>Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom
Authentication List<String>Factors - List of custom controls IDs required by the policy.
- terms
Of List<String>Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
ConditionalAccessPolicySessionControls, ConditionalAccessPolicySessionControlsArgs
- ApplicationEnforcedRestrictionsEnabled bool - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and SharePoint Online support application enforced restrictions.
- CloudAppSecurityPolicy string - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- DisableResilienceDefaults bool - Disables resilience defaults. Defaults to `false`.
- PersistentBrowserMode string - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- SignInFrequency int - Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
- SignInFrequencyAuthenticationType string - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- SignInFrequencyInterval string - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- SignInFrequencyPeriod string - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency` is specified.
- Application
Enforced boolRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- Cloud
App stringSecurity Policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - Disable
Resilience boolDefaults - Disables resilience defaults. Defaults to
false
. - Persistent
Browser stringMode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - Sign
In intFrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - Sign
In stringFrequency Authentication Type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - Sign
In stringFrequency Interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - Sign
In stringFrequency Period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
- application
Enforced BooleanRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- `cloudAppSecurityPolicy` (String) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disableResilienceDefaults` (Boolean) - Disables resilience defaults. Defaults to `false`.
- `persistentBrowserMode` (String) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `signInFrequency` (Integer) - Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
- `signInFrequencyAuthenticationType` (String) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `signInFrequencyInterval` (String) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `signInFrequencyPeriod` (String) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
- `applicationEnforcedRestrictionsEnabled` (boolean) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- `cloudAppSecurityPolicy` (string) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disableResilienceDefaults` (boolean) - Disables resilience defaults. Defaults to `false`.
- `persistentBrowserMode` (string) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `signInFrequency` (number) - Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
- `signInFrequencyAuthenticationType` (string) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `signInFrequencyInterval` (string) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `signInFrequencyPeriod` (string) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
- `application_enforced_restrictions_enabled` (bool) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- `cloud_app_security_policy` (str) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disable_resilience_defaults` (bool) - Disables resilience defaults. Defaults to `false`.
- `persistent_browser_mode` (str) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `sign_in_frequency` (int) - Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
- `sign_in_frequency_authentication_type` (str) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `sign_in_frequency_interval` (str) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `sign_in_frequency_period` (str) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
- `applicationEnforcedRestrictionsEnabled` (Boolean) - Whether application enforced restrictions are enabled. Defaults to `false`. Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- `cloudAppSecurityPolicy` (String) - Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
- `disableResilienceDefaults` (Boolean) - Disables resilience defaults. Defaults to `false`.
- `persistentBrowserMode` (String) - Session control to define whether to persist cookies. Possible values are: `always` or `never`.
- `signInFrequency` (Number) - Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
- `signInFrequencyAuthenticationType` (String) - Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
- `signInFrequencyInterval` (String) - The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
- `signInFrequencyPeriod` (String) - The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
Import
Conditional Access Policies can be imported using the `id`, e.g.
$ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the `azuread` Terraform Provider.