azuread.ApplicationApiAccess
Explore with Pulumi AI
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = wellKnown.then(wellKnown => azuread.getServicePrincipal({
clientId: wellKnown.result?.MicrosoftGraph,
}));
const example = new azuread.ApplicationRegistration("example", {displayName: "example"});
const exampleMsgraph = new azuread.ApplicationApiAccess("example_msgraph", {
applicationId: example.id,
apiClientId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
roleIds: [
msgraph.then(msgraph => msgraph.appRoleIds?.["Group.Read.All"]),
msgraph.then(msgraph => msgraph.appRoleIds?.["User.Read.All"]),
],
scopeIds: [msgraph.then(msgraph => msgraph.oauth2PermissionScopeIds?.["User.ReadWrite"])],
});
import pulumi
import pulumi_azuread as azuread
well_known = azuread.get_application_published_app_ids()
msgraph = azuread.get_service_principal(client_id=well_known.result["MicrosoftGraph"])
example = azuread.ApplicationRegistration("example", display_name="example")
example_msgraph = azuread.ApplicationApiAccess("example_msgraph",
application_id=example.id,
api_client_id=well_known.result["MicrosoftGraph"],
role_ids=[
msgraph.app_role_ids["Group.Read.All"],
msgraph.app_role_ids["User.Read.All"],
],
scope_ids=[msgraph.oauth2_permission_scope_ids["User.ReadWrite"]])
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
msgraph, err := azuread.LookupServicePrincipal(ctx, &azuread.LookupServicePrincipalArgs{
ClientId: pulumi.StringRef(wellKnown.Result.MicrosoftGraph),
}, nil)
if err != nil {
return err
}
example, err := azuread.NewApplicationRegistration(ctx, "example", &azuread.ApplicationRegistrationArgs{
DisplayName: pulumi.String("example"),
})
if err != nil {
return err
}
_, err = azuread.NewApplicationApiAccess(ctx, "example_msgraph", &azuread.ApplicationApiAccessArgs{
ApplicationId: example.ID(),
ApiClientId: pulumi.String(wellKnown.Result.MicrosoftGraph),
RoleIds: pulumi.StringArray{
pulumi.String(msgraph.AppRoleIds.Group.Read.All),
pulumi.String(msgraph.AppRoleIds.User.Read.All),
},
ScopeIds: pulumi.StringArray{
pulumi.String(msgraph.Oauth2PermissionScopeIds.User.ReadWrite),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
var msgraph = AzureAD.GetServicePrincipal.Invoke(new()
{
ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
});
var example = new AzureAD.ApplicationRegistration("example", new()
{
DisplayName = "example",
});
var exampleMsgraph = new AzureAD.ApplicationApiAccess("example_msgraph", new()
{
ApplicationId = example.Id,
ApiClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
RoleIds = new[]
{
msgraph.Apply(getServicePrincipalResult => getServicePrincipalResult.AppRoleIds?.Group_Read_All),
msgraph.Apply(getServicePrincipalResult => getServicePrincipalResult.AppRoleIds?.User_Read_All),
},
ScopeIds = new[]
{
msgraph.Apply(getServicePrincipalResult => getServicePrincipalResult.Oauth2PermissionScopeIds?.User_ReadWrite),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
import com.pulumi.azuread.ApplicationRegistration;
import com.pulumi.azuread.ApplicationRegistrationArgs;
import com.pulumi.azuread.ApplicationApiAccess;
import com.pulumi.azuread.ApplicationApiAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
final var msgraph = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
.clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
.build());
var example = new ApplicationRegistration("example", ApplicationRegistrationArgs.builder()
.displayName("example")
.build());
var exampleMsgraph = new ApplicationApiAccess("exampleMsgraph", ApplicationApiAccessArgs.builder()
.applicationId(example.id())
.apiClientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
.roleIds(
msgraph.applyValue(getServicePrincipalResult -> getServicePrincipalResult.appRoleIds().Group.Read.All()),
msgraph.applyValue(getServicePrincipalResult -> getServicePrincipalResult.appRoleIds().User.Read.All()))
.scopeIds(msgraph.applyValue(getServicePrincipalResult -> getServicePrincipalResult.oauth2PermissionScopeIds().User.ReadWrite()))
.build());
}
}
resources:
example:
type: azuread:ApplicationRegistration
properties:
displayName: example
exampleMsgraph:
type: azuread:ApplicationApiAccess
name: example_msgraph
properties:
applicationId: ${example.id}
apiClientId: ${wellKnown.result.MicrosoftGraph}
roleIds:
- ${msgraph.appRoleIds"Group.Read.All"[%!s(MISSING)]}
- ${msgraph.appRoleIds"User.Read.All"[%!s(MISSING)]}
scopeIds:
- ${msgraph.oauth2PermissionScopeIds"User.ReadWrite"[%!s(MISSING)]}
variables:
wellKnown:
fn::invoke:
Function: azuread:getApplicationPublishedAppIds
Arguments: {}
msgraph:
fn::invoke:
Function: azuread:getServicePrincipal
Arguments:
clientId: ${wellKnown.result.MicrosoftGraph}
Tip For managing permissions for an additional API, create another instance of this resource
Usage with azuread.Application resource
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const example = new azuread.Application("example", {displayName: "example"});
const exampleApplicationApiAccess = new azuread.ApplicationApiAccess("example", {applicationId: example.id});
import pulumi
import pulumi_azuread as azuread
example = azuread.Application("example", display_name="example")
example_application_api_access = azuread.ApplicationApiAccess("example", application_id=example.id)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
})
if err != nil {
return err
}
_, err = azuread.NewApplicationApiAccess(ctx, "example", &azuread.ApplicationApiAccessArgs{
ApplicationId: example.ID(),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = new AzureAD.Application("example", new()
{
DisplayName = "example",
});
var exampleApplicationApiAccess = new AzureAD.ApplicationApiAccess("example", new()
{
ApplicationId = example.Id,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ApplicationApiAccess;
import com.pulumi.azuread.ApplicationApiAccessArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Application("example", ApplicationArgs.builder()
.displayName("example")
.build());
var exampleApplicationApiAccess = new ApplicationApiAccess("exampleApplicationApiAccess", ApplicationApiAccessArgs.builder()
.applicationId(example.id())
.build());
}
}
resources:
example:
type: azuread:Application
properties:
displayName: example
exampleApplicationApiAccess:
type: azuread:ApplicationApiAccess
name: example
properties:
applicationId: ${example.id}
Create ApplicationApiAccess Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ApplicationApiAccess(name: string, args: ApplicationApiAccessArgs, opts?: CustomResourceOptions);
@overload
def ApplicationApiAccess(resource_name: str,
args: ApplicationApiAccessArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ApplicationApiAccess(resource_name: str,
opts: Optional[ResourceOptions] = None,
api_client_id: Optional[str] = None,
application_id: Optional[str] = None,
role_ids: Optional[Sequence[str]] = None,
scope_ids: Optional[Sequence[str]] = None)
func NewApplicationApiAccess(ctx *Context, name string, args ApplicationApiAccessArgs, opts ...ResourceOption) (*ApplicationApiAccess, error)
public ApplicationApiAccess(string name, ApplicationApiAccessArgs args, CustomResourceOptions? opts = null)
public ApplicationApiAccess(String name, ApplicationApiAccessArgs args)
public ApplicationApiAccess(String name, ApplicationApiAccessArgs args, CustomResourceOptions options)
type: azuread:ApplicationApiAccess
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ApplicationApiAccessArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ApplicationApiAccessArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ApplicationApiAccessArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ApplicationApiAccessArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ApplicationApiAccessArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var applicationApiAccessResource = new AzureAD.ApplicationApiAccess("applicationApiAccessResource", new()
{
ApiClientId = "string",
ApplicationId = "string",
RoleIds = new[]
{
"string",
},
ScopeIds = new[]
{
"string",
},
});
example, err := azuread.NewApplicationApiAccess(ctx, "applicationApiAccessResource", &azuread.ApplicationApiAccessArgs{
ApiClientId: pulumi.String("string"),
ApplicationId: pulumi.String("string"),
RoleIds: pulumi.StringArray{
pulumi.String("string"),
},
ScopeIds: pulumi.StringArray{
pulumi.String("string"),
},
})
var applicationApiAccessResource = new ApplicationApiAccess("applicationApiAccessResource", ApplicationApiAccessArgs.builder()
.apiClientId("string")
.applicationId("string")
.roleIds("string")
.scopeIds("string")
.build());
application_api_access_resource = azuread.ApplicationApiAccess("applicationApiAccessResource",
api_client_id="string",
application_id="string",
role_ids=["string"],
scope_ids=["string"])
const applicationApiAccessResource = new azuread.ApplicationApiAccess("applicationApiAccessResource", {
apiClientId: "string",
applicationId: "string",
roleIds: ["string"],
scopeIds: ["string"],
});
type: azuread:ApplicationApiAccess
properties:
apiClientId: string
applicationId: string
roleIds:
- string
scopeIds:
- string
ApplicationApiAccess Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ApplicationApiAccess resource accepts the following input properties:
- Api
Client stringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- Application
Id string - The resource ID of the application registration. Changing this forces a new resource to be created.
- Role
Ids List<string> - A set of role IDs to be granted to the application, as published by the API.
- Scope
Ids List<string> A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- Api
Client stringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- Application
Id string - The resource ID of the application registration. Changing this forces a new resource to be created.
- Role
Ids []string - A set of role IDs to be granted to the application, as published by the API.
- Scope
Ids []string A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api
Client StringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application
Id String - The resource ID of the application registration. Changing this forces a new resource to be created.
- role
Ids List<String> - A set of role IDs to be granted to the application, as published by the API.
- scope
Ids List<String> A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api
Client stringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application
Id string - The resource ID of the application registration. Changing this forces a new resource to be created.
- role
Ids string[] - A set of role IDs to be granted to the application, as published by the API.
- scope
Ids string[] A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api_
client_ strid - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application_
id str - The resource ID of the application registration. Changing this forces a new resource to be created.
- role_
ids Sequence[str] - A set of role IDs to be granted to the application, as published by the API.
- scope_
ids Sequence[str] A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api
Client StringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application
Id String - The resource ID of the application registration. Changing this forces a new resource to be created.
- role
Ids List<String> - A set of role IDs to be granted to the application, as published by the API.
- scope
Ids List<String> A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
Outputs
All input properties are implicitly available as output properties. Additionally, the ApplicationApiAccess resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ApplicationApiAccess Resource
Get an existing ApplicationApiAccess resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ApplicationApiAccessState, opts?: CustomResourceOptions): ApplicationApiAccess
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
api_client_id: Optional[str] = None,
application_id: Optional[str] = None,
role_ids: Optional[Sequence[str]] = None,
scope_ids: Optional[Sequence[str]] = None) -> ApplicationApiAccess
func GetApplicationApiAccess(ctx *Context, name string, id IDInput, state *ApplicationApiAccessState, opts ...ResourceOption) (*ApplicationApiAccess, error)
public static ApplicationApiAccess Get(string name, Input<string> id, ApplicationApiAccessState? state, CustomResourceOptions? opts = null)
public static ApplicationApiAccess get(String name, Output<String> id, ApplicationApiAccessState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Api
Client stringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- Application
Id string - The resource ID of the application registration. Changing this forces a new resource to be created.
- Role
Ids List<string> - A set of role IDs to be granted to the application, as published by the API.
- Scope
Ids List<string> A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- Api
Client stringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- Application
Id string - The resource ID of the application registration. Changing this forces a new resource to be created.
- Role
Ids []string - A set of role IDs to be granted to the application, as published by the API.
- Scope
Ids []string A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api
Client StringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application
Id String - The resource ID of the application registration. Changing this forces a new resource to be created.
- role
Ids List<String> - A set of role IDs to be granted to the application, as published by the API.
- scope
Ids List<String> A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api
Client stringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application
Id string - The resource ID of the application registration. Changing this forces a new resource to be created.
- role
Ids string[] - A set of role IDs to be granted to the application, as published by the API.
- scope
Ids string[] A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api_
client_ strid - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application_
id str - The resource ID of the application registration. Changing this forces a new resource to be created.
- role_
ids Sequence[str] - A set of role IDs to be granted to the application, as published by the API.
- scope_
ids Sequence[str] A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
- api
Client StringId - The client ID of the API to which access is being granted. Changing this forces a new resource to be created.
- application
Id String - The resource ID of the application registration. Changing this forces a new resource to be created.
- role
Ids List<String> - A set of role IDs to be granted to the application, as published by the API.
- scope
Ids List<String> A set of scope IDs to be granted to the application, as published by the API.
At least one of
role_ids
orscope_ids
must be specified.
Import
Application API Access can be imported using the object ID of the application and the client ID of the API, in the following format.
$ pulumi import azuread:index/applicationApiAccess:ApplicationApiAccess example /applications/00000000-0000-0000-0000-000000000000/apiAccess/11111111-1111-1111-1111-111111111111
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azuread
Terraform Provider.