azuread.ConditionalAccessPolicy
Explore with Pulumi AI
Example Usage
All users except guests or external users
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const example = new azuread.ConditionalAccessPolicy("example", {
displayName: "example policy",
state: "disabled",
conditions: {
clientAppTypes: ["all"],
signInRiskLevels: ["medium"],
userRiskLevels: ["medium"],
applications: {
includedApplications: ["All"],
excludedApplications: [],
},
devices: {
filter: {
mode: "exclude",
rule: "device.operatingSystem eq \"Doors\"",
},
},
locations: {
includedLocations: ["All"],
excludedLocations: ["AllTrusted"],
},
platforms: {
includedPlatforms: ["android"],
excludedPlatforms: ["iOS"],
},
users: {
includedUsers: ["All"],
excludedUsers: ["GuestsOrExternalUsers"],
},
},
grantControls: {
operator: "OR",
builtInControls: ["mfa"],
},
sessionControls: {
applicationEnforcedRestrictionsEnabled: true,
disableResilienceDefaults: false,
signInFrequency: 10,
signInFrequencyPeriod: "hours",
cloudAppSecurityPolicy: "monitorOnly",
},
});
import pulumi
import pulumi_azuread as azuread
example = azuread.ConditionalAccessPolicy("example",
display_name="example policy",
state="disabled",
conditions={
"client_app_types": ["all"],
"sign_in_risk_levels": ["medium"],
"user_risk_levels": ["medium"],
"applications": {
"included_applications": ["All"],
"excluded_applications": [],
},
"devices": {
"filter": {
"mode": "exclude",
"rule": "device.operatingSystem eq \"Doors\"",
},
},
"locations": {
"included_locations": ["All"],
"excluded_locations": ["AllTrusted"],
},
"platforms": {
"included_platforms": ["android"],
"excluded_platforms": ["iOS"],
},
"users": {
"included_users": ["All"],
"excluded_users": ["GuestsOrExternalUsers"],
},
},
grant_controls={
"operator": "OR",
"built_in_controls": ["mfa"],
},
session_controls={
"application_enforced_restrictions_enabled": True,
"disable_resilience_defaults": False,
"sign_in_frequency": 10,
"sign_in_frequency_period": "hours",
"cloud_app_security_policy": "monitorOnly",
})
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
DisplayName: pulumi.String("example policy"),
State: pulumi.String("disabled"),
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
ClientAppTypes: pulumi.StringArray{
pulumi.String("all"),
},
SignInRiskLevels: pulumi.StringArray{
pulumi.String("medium"),
},
UserRiskLevels: pulumi.StringArray{
pulumi.String("medium"),
},
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
IncludedApplications: pulumi.StringArray{
pulumi.String("All"),
},
ExcludedApplications: pulumi.StringArray{},
},
Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
Mode: pulumi.String("exclude"),
Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
},
},
Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
IncludedLocations: pulumi.StringArray{
pulumi.String("All"),
},
ExcludedLocations: pulumi.StringArray{
pulumi.String("AllTrusted"),
},
},
Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
IncludedPlatforms: pulumi.StringArray{
pulumi.String("android"),
},
ExcludedPlatforms: pulumi.StringArray{
pulumi.String("iOS"),
},
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
IncludedUsers: pulumi.StringArray{
pulumi.String("All"),
},
ExcludedUsers: pulumi.StringArray{
pulumi.String("GuestsOrExternalUsers"),
},
},
},
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("OR"),
BuiltInControls: pulumi.StringArray{
pulumi.String("mfa"),
},
},
SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
DisableResilienceDefaults: pulumi.Bool(false),
SignInFrequency: pulumi.Int(10),
SignInFrequencyPeriod: pulumi.String("hours"),
CloudAppSecurityPolicy: pulumi.String("monitorOnly"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = new AzureAD.ConditionalAccessPolicy("example", new()
{
DisplayName = "example policy",
State = "disabled",
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
ClientAppTypes = new[]
{
"all",
},
SignInRiskLevels = new[]
{
"medium",
},
UserRiskLevels = new[]
{
"medium",
},
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
IncludedApplications = new[]
{
"All",
},
ExcludedApplications = new() { },
},
Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
{
Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
{
Mode = "exclude",
Rule = "device.operatingSystem eq \"Doors\"",
},
},
Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
{
IncludedLocations = new[]
{
"All",
},
ExcludedLocations = new[]
{
"AllTrusted",
},
},
Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
{
IncludedPlatforms = new[]
{
"android",
},
ExcludedPlatforms = new[]
{
"iOS",
},
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
IncludedUsers = new[]
{
"All",
},
ExcludedUsers = new[]
{
"GuestsOrExternalUsers",
},
},
},
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "OR",
BuiltInControls = new[]
{
"mfa",
},
},
SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
{
ApplicationEnforcedRestrictionsEnabled = true,
DisableResilienceDefaults = false,
SignInFrequency = 10,
SignInFrequencyPeriod = "hours",
CloudAppSecurityPolicy = "monitorOnly",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
.displayName("example policy")
.state("disabled")
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.clientAppTypes("all")
.signInRiskLevels("medium")
.userRiskLevels("medium")
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.includedApplications("All")
.excludedApplications()
.build())
.devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
.filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
.mode("exclude")
.rule("device.operatingSystem eq \"Doors\"")
.build())
.build())
.locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
.includedLocations("All")
.excludedLocations("AllTrusted")
.build())
.platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
.includedPlatforms("android")
.excludedPlatforms("iOS")
.build())
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.includedUsers("All")
.excludedUsers("GuestsOrExternalUsers")
.build())
.build())
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.operator("OR")
.builtInControls("mfa")
.build())
.sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
.applicationEnforcedRestrictionsEnabled(true)
.disableResilienceDefaults(false)
.signInFrequency(10)
.signInFrequencyPeriod("hours")
.cloudAppSecurityPolicy("monitorOnly")
.build())
.build());
}
}
resources:
example:
type: azuread:ConditionalAccessPolicy
properties:
displayName: example policy
state: disabled
conditions:
clientAppTypes:
- all
signInRiskLevels:
- medium
userRiskLevels:
- medium
applications:
includedApplications:
- All
excludedApplications: []
devices:
filter:
mode: exclude
rule: device.operatingSystem eq "Doors"
locations:
includedLocations:
- All
excludedLocations:
- AllTrusted
platforms:
includedPlatforms:
- android
excludedPlatforms:
- iOS
users:
includedUsers:
- All
excludedUsers:
- GuestsOrExternalUsers
grantControls:
operator: OR
builtInControls:
- mfa
sessionControls:
applicationEnforcedRestrictionsEnabled: true
disableResilienceDefaults: false
signInFrequency: 10
signInFrequencyPeriod: hours
cloudAppSecurityPolicy: monitorOnly
Included client applications / service principals
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const example = new azuread.ConditionalAccessPolicy("example", {
displayName: "example policy",
state: "disabled",
conditions: {
clientAppTypes: ["all"],
applications: {
includedApplications: ["All"],
},
clientApplications: {
includedServicePrincipals: [current.then(current => current.objectId)],
excludedServicePrincipals: [],
},
users: {
includedUsers: ["None"],
},
},
grantControls: {
operator: "OR",
builtInControls: ["block"],
},
});
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example = azuread.ConditionalAccessPolicy("example",
display_name="example policy",
state="disabled",
conditions={
"client_app_types": ["all"],
"applications": {
"included_applications": ["All"],
},
"client_applications": {
"included_service_principals": [current.object_id],
"excluded_service_principals": [],
},
"users": {
"included_users": ["None"],
},
},
grant_controls={
"operator": "OR",
"built_in_controls": ["block"],
})
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
DisplayName: pulumi.String("example policy"),
State: pulumi.String("disabled"),
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
ClientAppTypes: pulumi.StringArray{
pulumi.String("all"),
},
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
IncludedApplications: pulumi.StringArray{
pulumi.String("All"),
},
},
ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
IncludedServicePrincipals: pulumi.StringArray{
pulumi.String(current.ObjectId),
},
ExcludedServicePrincipals: pulumi.StringArray{},
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
IncludedUsers: pulumi.StringArray{
pulumi.String("None"),
},
},
},
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("OR"),
BuiltInControls: pulumi.StringArray{
pulumi.String("block"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var example = new AzureAD.ConditionalAccessPolicy("example", new()
{
DisplayName = "example policy",
State = "disabled",
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
ClientAppTypes = new[]
{
"all",
},
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
IncludedApplications = new[]
{
"All",
},
},
ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
{
IncludedServicePrincipals = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
ExcludedServicePrincipals = new() { },
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
IncludedUsers = new[]
{
"None",
},
},
},
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "OR",
BuiltInControls = new[]
{
"block",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
.displayName("example policy")
.state("disabled")
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.clientAppTypes("all")
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.includedApplications("All")
.build())
.clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
.includedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.excludedServicePrincipals()
.build())
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.includedUsers("None")
.build())
.build())
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.operator("OR")
.builtInControls("block")
.build())
.build());
}
}
resources:
example:
type: azuread:ConditionalAccessPolicy
properties:
displayName: example policy
state: disabled
conditions:
clientAppTypes:
- all
applications:
includedApplications:
- All
clientApplications:
includedServicePrincipals:
- ${current.objectId}
excludedServicePrincipals: []
users:
includedUsers:
- None
grantControls:
operator: OR
builtInControls:
- block
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Excluded client applications / service principals
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const example = new azuread.ConditionalAccessPolicy("example", {
displayName: "example policy",
state: "disabled",
conditions: {
clientAppTypes: ["all"],
applications: {
includedApplications: ["All"],
},
clientApplications: {
includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
excludedServicePrincipals: [current.then(current => current.objectId)],
},
users: {
includedUsers: ["None"],
},
},
grantControls: {
operator: "OR",
builtInControls: ["block"],
},
});
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example = azuread.ConditionalAccessPolicy("example",
display_name="example policy",
state="disabled",
conditions={
"client_app_types": ["all"],
"applications": {
"included_applications": ["All"],
},
"client_applications": {
"included_service_principals": ["ServicePrincipalsInMyTenant"],
"excluded_service_principals": [current.object_id],
},
"users": {
"included_users": ["None"],
},
},
grant_controls={
"operator": "OR",
"built_in_controls": ["block"],
})
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
DisplayName: pulumi.String("example policy"),
State: pulumi.String("disabled"),
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
ClientAppTypes: pulumi.StringArray{
pulumi.String("all"),
},
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
IncludedApplications: pulumi.StringArray{
pulumi.String("All"),
},
},
ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
IncludedServicePrincipals: pulumi.StringArray{
pulumi.String("ServicePrincipalsInMyTenant"),
},
ExcludedServicePrincipals: pulumi.StringArray{
pulumi.String(current.ObjectId),
},
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
IncludedUsers: pulumi.StringArray{
pulumi.String("None"),
},
},
},
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("OR"),
BuiltInControls: pulumi.StringArray{
pulumi.String("block"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var example = new AzureAD.ConditionalAccessPolicy("example", new()
{
DisplayName = "example policy",
State = "disabled",
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
ClientAppTypes = new[]
{
"all",
},
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
IncludedApplications = new[]
{
"All",
},
},
ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
{
IncludedServicePrincipals = new[]
{
"ServicePrincipalsInMyTenant",
},
ExcludedServicePrincipals = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
IncludedUsers = new[]
{
"None",
},
},
},
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "OR",
BuiltInControls = new[]
{
"block",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
.displayName("example policy")
.state("disabled")
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.clientAppTypes("all")
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.includedApplications("All")
.build())
.clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
.includedServicePrincipals("ServicePrincipalsInMyTenant")
.excludedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build())
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.includedUsers("None")
.build())
.build())
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.operator("OR")
.builtInControls("block")
.build())
.build());
}
}
resources:
example:
type: azuread:ConditionalAccessPolicy
properties:
displayName: example policy
state: disabled
conditions:
clientAppTypes:
- all
applications:
includedApplications:
- All
clientApplications:
includedServicePrincipals:
- ServicePrincipalsInMyTenant
excludedServicePrincipals:
- ${current.objectId}
users:
includedUsers:
- None
grantControls:
operator: OR
builtInControls:
- block
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Create ConditionalAccessPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);
@overload
def ConditionalAccessPolicy(resource_name: str,
args: ConditionalAccessPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ConditionalAccessPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
state: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None)
func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
type: azuread:ConditionalAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ConditionalAccessPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var conditionalAccessPolicyResource = new AzureAD.ConditionalAccessPolicy("conditionalAccessPolicyResource", new()
{
Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
{
Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
{
ExcludedApplications = new[]
{
"string",
},
IncludedApplications = new[]
{
"string",
},
IncludedUserActions = new[]
{
"string",
},
},
ClientAppTypes = new[]
{
"string",
},
Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
{
ExcludedGroups = new[]
{
"string",
},
ExcludedGuestsOrExternalUsers = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
{
GuestOrExternalUserTypes = new[]
{
"string",
},
ExternalTenants = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
{
MembershipKind = "string",
Members = new[]
{
"string",
},
},
},
},
},
ExcludedRoles = new[]
{
"string",
},
ExcludedUsers = new[]
{
"string",
},
IncludedGroups = new[]
{
"string",
},
IncludedGuestsOrExternalUsers = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
{
GuestOrExternalUserTypes = new[]
{
"string",
},
ExternalTenants = new[]
{
new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
{
MembershipKind = "string",
Members = new[]
{
"string",
},
},
},
},
},
IncludedRoles = new[]
{
"string",
},
IncludedUsers = new[]
{
"string",
},
},
ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
{
ExcludedServicePrincipals = new[]
{
"string",
},
IncludedServicePrincipals = new[]
{
"string",
},
},
Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
{
Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
{
Mode = "string",
Rule = "string",
},
},
Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
{
IncludedLocations = new[]
{
"string",
},
ExcludedLocations = new[]
{
"string",
},
},
Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
{
IncludedPlatforms = new[]
{
"string",
},
ExcludedPlatforms = new[]
{
"string",
},
},
ServicePrincipalRiskLevels = new[]
{
"string",
},
SignInRiskLevels = new[]
{
"string",
},
UserRiskLevels = new[]
{
"string",
},
},
DisplayName = "string",
State = "string",
GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
{
Operator = "string",
AuthenticationStrengthPolicyId = "string",
BuiltInControls = new[]
{
"string",
},
CustomAuthenticationFactors = new[]
{
"string",
},
TermsOfUses = new[]
{
"string",
},
},
SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
{
ApplicationEnforcedRestrictionsEnabled = false,
CloudAppSecurityPolicy = "string",
DisableResilienceDefaults = false,
PersistentBrowserMode = "string",
SignInFrequency = 0,
SignInFrequencyAuthenticationType = "string",
SignInFrequencyInterval = "string",
SignInFrequencyPeriod = "string",
},
});
example, err := azuread.NewConditionalAccessPolicy(ctx, "conditionalAccessPolicyResource", &azuread.ConditionalAccessPolicyArgs{
Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
ExcludedApplications: pulumi.StringArray{
pulumi.String("string"),
},
IncludedApplications: pulumi.StringArray{
pulumi.String("string"),
},
IncludedUserActions: pulumi.StringArray{
pulumi.String("string"),
},
},
ClientAppTypes: pulumi.StringArray{
pulumi.String("string"),
},
Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
ExcludedGroups: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray{
&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{
GuestOrExternalUserTypes: pulumi.StringArray{
pulumi.String("string"),
},
ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray{
&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{
MembershipKind: pulumi.String("string"),
Members: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
ExcludedRoles: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedUsers: pulumi.StringArray{
pulumi.String("string"),
},
IncludedGroups: pulumi.StringArray{
pulumi.String("string"),
},
IncludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray{
&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{
GuestOrExternalUserTypes: pulumi.StringArray{
pulumi.String("string"),
},
ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray{
&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{
MembershipKind: pulumi.String("string"),
Members: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
IncludedRoles: pulumi.StringArray{
pulumi.String("string"),
},
IncludedUsers: pulumi.StringArray{
pulumi.String("string"),
},
},
ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
ExcludedServicePrincipals: pulumi.StringArray{
pulumi.String("string"),
},
IncludedServicePrincipals: pulumi.StringArray{
pulumi.String("string"),
},
},
Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
Mode: pulumi.String("string"),
Rule: pulumi.String("string"),
},
},
Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
IncludedLocations: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedLocations: pulumi.StringArray{
pulumi.String("string"),
},
},
Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
IncludedPlatforms: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedPlatforms: pulumi.StringArray{
pulumi.String("string"),
},
},
ServicePrincipalRiskLevels: pulumi.StringArray{
pulumi.String("string"),
},
SignInRiskLevels: pulumi.StringArray{
pulumi.String("string"),
},
UserRiskLevels: pulumi.StringArray{
pulumi.String("string"),
},
},
DisplayName: pulumi.String("string"),
State: pulumi.String("string"),
GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
Operator: pulumi.String("string"),
AuthenticationStrengthPolicyId: pulumi.String("string"),
BuiltInControls: pulumi.StringArray{
pulumi.String("string"),
},
CustomAuthenticationFactors: pulumi.StringArray{
pulumi.String("string"),
},
TermsOfUses: pulumi.StringArray{
pulumi.String("string"),
},
},
SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(false),
CloudAppSecurityPolicy: pulumi.String("string"),
DisableResilienceDefaults: pulumi.Bool(false),
PersistentBrowserMode: pulumi.String("string"),
SignInFrequency: pulumi.Int(0),
SignInFrequencyAuthenticationType: pulumi.String("string"),
SignInFrequencyInterval: pulumi.String("string"),
SignInFrequencyPeriod: pulumi.String("string"),
},
})
var conditionalAccessPolicyResource = new ConditionalAccessPolicy("conditionalAccessPolicyResource", ConditionalAccessPolicyArgs.builder()
.conditions(ConditionalAccessPolicyConditionsArgs.builder()
.applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
.excludedApplications("string")
.includedApplications("string")
.includedUserActions("string")
.build())
.clientAppTypes("string")
.users(ConditionalAccessPolicyConditionsUsersArgs.builder()
.excludedGroups("string")
.excludedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.builder()
.guestOrExternalUserTypes("string")
.externalTenants(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.builder()
.membershipKind("string")
.members("string")
.build())
.build())
.excludedRoles("string")
.excludedUsers("string")
.includedGroups("string")
.includedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.builder()
.guestOrExternalUserTypes("string")
.externalTenants(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.builder()
.membershipKind("string")
.members("string")
.build())
.build())
.includedRoles("string")
.includedUsers("string")
.build())
.clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
.excludedServicePrincipals("string")
.includedServicePrincipals("string")
.build())
.devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
.filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
.mode("string")
.rule("string")
.build())
.build())
.locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
.includedLocations("string")
.excludedLocations("string")
.build())
.platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
.includedPlatforms("string")
.excludedPlatforms("string")
.build())
.servicePrincipalRiskLevels("string")
.signInRiskLevels("string")
.userRiskLevels("string")
.build())
.displayName("string")
.state("string")
.grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
.operator("string")
.authenticationStrengthPolicyId("string")
.builtInControls("string")
.customAuthenticationFactors("string")
.termsOfUses("string")
.build())
.sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
.applicationEnforcedRestrictionsEnabled(false)
.cloudAppSecurityPolicy("string")
.disableResilienceDefaults(false)
.persistentBrowserMode("string")
.signInFrequency(0)
.signInFrequencyAuthenticationType("string")
.signInFrequencyInterval("string")
.signInFrequencyPeriod("string")
.build())
.build());
conditional_access_policy_resource = azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource",
conditions={
"applications": {
"excluded_applications": ["string"],
"included_applications": ["string"],
"included_user_actions": ["string"],
},
"client_app_types": ["string"],
"users": {
"excluded_groups": ["string"],
"excluded_guests_or_external_users": [{
"guest_or_external_user_types": ["string"],
"external_tenants": [{
"membership_kind": "string",
"members": ["string"],
}],
}],
"excluded_roles": ["string"],
"excluded_users": ["string"],
"included_groups": ["string"],
"included_guests_or_external_users": [{
"guest_or_external_user_types": ["string"],
"external_tenants": [{
"membership_kind": "string",
"members": ["string"],
}],
}],
"included_roles": ["string"],
"included_users": ["string"],
},
"client_applications": {
"excluded_service_principals": ["string"],
"included_service_principals": ["string"],
},
"devices": {
"filter": {
"mode": "string",
"rule": "string",
},
},
"locations": {
"included_locations": ["string"],
"excluded_locations": ["string"],
},
"platforms": {
"included_platforms": ["string"],
"excluded_platforms": ["string"],
},
"service_principal_risk_levels": ["string"],
"sign_in_risk_levels": ["string"],
"user_risk_levels": ["string"],
},
display_name="string",
state="string",
grant_controls={
"operator": "string",
"authentication_strength_policy_id": "string",
"built_in_controls": ["string"],
"custom_authentication_factors": ["string"],
"terms_of_uses": ["string"],
},
session_controls={
"application_enforced_restrictions_enabled": False,
"cloud_app_security_policy": "string",
"disable_resilience_defaults": False,
"persistent_browser_mode": "string",
"sign_in_frequency": 0,
"sign_in_frequency_authentication_type": "string",
"sign_in_frequency_interval": "string",
"sign_in_frequency_period": "string",
})
const conditionalAccessPolicyResource = new azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource", {
conditions: {
applications: {
excludedApplications: ["string"],
includedApplications: ["string"],
includedUserActions: ["string"],
},
clientAppTypes: ["string"],
users: {
excludedGroups: ["string"],
excludedGuestsOrExternalUsers: [{
guestOrExternalUserTypes: ["string"],
externalTenants: [{
membershipKind: "string",
members: ["string"],
}],
}],
excludedRoles: ["string"],
excludedUsers: ["string"],
includedGroups: ["string"],
includedGuestsOrExternalUsers: [{
guestOrExternalUserTypes: ["string"],
externalTenants: [{
membershipKind: "string",
members: ["string"],
}],
}],
includedRoles: ["string"],
includedUsers: ["string"],
},
clientApplications: {
excludedServicePrincipals: ["string"],
includedServicePrincipals: ["string"],
},
devices: {
filter: {
mode: "string",
rule: "string",
},
},
locations: {
includedLocations: ["string"],
excludedLocations: ["string"],
},
platforms: {
includedPlatforms: ["string"],
excludedPlatforms: ["string"],
},
servicePrincipalRiskLevels: ["string"],
signInRiskLevels: ["string"],
userRiskLevels: ["string"],
},
displayName: "string",
state: "string",
grantControls: {
operator: "string",
authenticationStrengthPolicyId: "string",
builtInControls: ["string"],
customAuthenticationFactors: ["string"],
termsOfUses: ["string"],
},
sessionControls: {
applicationEnforcedRestrictionsEnabled: false,
cloudAppSecurityPolicy: "string",
disableResilienceDefaults: false,
persistentBrowserMode: "string",
signInFrequency: 0,
signInFrequencyAuthenticationType: "string",
signInFrequencyInterval: "string",
signInFrequencyPeriod: "string",
},
});
type: azuread:ConditionalAccessPolicy
properties:
conditions:
applications:
excludedApplications:
- string
includedApplications:
- string
includedUserActions:
- string
clientAppTypes:
- string
clientApplications:
excludedServicePrincipals:
- string
includedServicePrincipals:
- string
devices:
filter:
mode: string
rule: string
locations:
excludedLocations:
- string
includedLocations:
- string
platforms:
excludedPlatforms:
- string
includedPlatforms:
- string
servicePrincipalRiskLevels:
- string
signInRiskLevels:
- string
userRiskLevels:
- string
users:
excludedGroups:
- string
excludedGuestsOrExternalUsers:
- externalTenants:
- members:
- string
membershipKind: string
guestOrExternalUserTypes:
- string
excludedRoles:
- string
excludedUsers:
- string
includedGroups:
- string
includedGuestsOrExternalUsers:
- externalTenants:
- members:
- string
membershipKind: string
guestOrExternalUserTypes:
- string
includedRoles:
- string
includedUsers:
- string
displayName: string
grantControls:
authenticationStrengthPolicyId: string
builtInControls:
- string
customAuthenticationFactors:
- string
operator: string
termsOfUses:
- string
sessionControls:
applicationEnforcedRestrictionsEnabled: false
cloudAppSecurityPolicy: string
disableResilienceDefaults: false
persistentBrowserMode: string
signInFrequency: 0
signInFrequencyAuthenticationType: string
signInFrequencyInterval: string
signInFrequencyPeriod: string
state: string
ConditionalAccessPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ConditionalAccessPolicy resource accepts the following input properties:
- Conditions
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - Display
Name string - The friendly name for this Conditional Access Policy.
- State string
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- Grant
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Grant Controls - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - Session
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Session Controls A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.
- Conditions
Conditional
Access Policy Conditions Args - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - Display
Name string - The friendly name for this Conditional Access Policy.
- State string
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- Grant
Controls ConditionalAccess Policy Grant Controls Args - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - Session
Controls ConditionalAccess Policy Session Controls Args A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.
- conditions
Conditional
Access Policy Conditions - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display
Name String - The friendly name for this Conditional Access Policy.
- state String
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- grant
Controls ConditionalAccess Policy Grant Controls - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - session
Controls ConditionalAccess Policy Session Controls A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.
- conditions
Conditional
Access Policy Conditions - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display
Name string - The friendly name for this Conditional Access Policy.
- state string
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- grant
Controls ConditionalAccess Policy Grant Controls - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - session
Controls ConditionalAccess Policy Session Controls A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.
- conditions
Conditional
Access Policy Conditions Args - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display_
name str - The friendly name for this Conditional Access Policy.
- state str
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- grant_
controls ConditionalAccess Policy Grant Controls Args - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - session_
controls ConditionalAccess Policy Session Controls Args A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.
- conditions Property Map
- A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display
Name String - The friendly name for this Conditional Access Policy.
- state String
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- grant
Controls Property Map - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - session
Controls Property Map A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.
Outputs
All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:
Look up Existing ConditionalAccessPolicy Resource
Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
display_name: Optional[str] = None,
grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
object_id: Optional[str] = None,
session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
state: Optional[str] = None) -> ConditionalAccessPolicy
func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)
public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Conditions
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - Display
Name string - The friendly name for this Conditional Access Policy.
- Grant
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Grant Controls - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - Object
Id string - The object ID of the policy
- Session
Controls Pulumi.Azure AD. Inputs. Conditional Access Policy Session Controls A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.- State string
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- Conditions
Conditional
Access Policy Conditions Args - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - Display
Name string - The friendly name for this Conditional Access Policy.
- Grant
Controls ConditionalAccess Policy Grant Controls Args - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - Object
Id string - The object ID of the policy
- Session
Controls ConditionalAccess Policy Session Controls Args A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.- State string
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display
Name String - The friendly name for this Conditional Access Policy.
- grant
Controls ConditionalAccess Policy Grant Controls - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object
Id String - The object ID of the policy
- session
Controls ConditionalAccess Policy Session Controls A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.- state String
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display
Name string - The friendly name for this Conditional Access Policy.
- grant
Controls ConditionalAccess Policy Grant Controls - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object
Id string - The object ID of the policy
- session
Controls ConditionalAccess Policy Session Controls A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.- state string
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- conditions
Conditional
Access Policy Conditions Args - A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display_
name str - The friendly name for this Conditional Access Policy.
- grant_
controls ConditionalAccess Policy Grant Controls Args - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object_
id str - The object ID of the policy
- session_
controls ConditionalAccess Policy Session Controls Args A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.- state str
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
- conditions Property Map
- A
conditions
block as documented below, which specifies the rules that must be met for the policy to apply. - display
Name String - The friendly name for this Conditional Access Policy.
- grant
Controls Property Map - A
grant_controls
block as documented below, which specifies the grant controls that must be fulfilled to pass the policy. - object
Id String - The object ID of the policy
- session
Controls Property Map A
session_controls
block as documented below, which specifies the session controls that are enforced after sign-in.Note: At least one of
grant_controls
and/orsession_controls
blocks must be specified.- state String
- Specifies the state of the policy object. Possible values are:
enabled
,disabled
andenabledForReportingButNotEnforced
Supporting Types
ConditionalAccessPolicyConditions, ConditionalAccessPolicyConditionsArgs
- Applications
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Applications - An
applications
block as documented below, which specifies applications and user actions included in and excluded from the policy. - Client
App List<string>Types - A list of client application types included in the policy. Possible values are:
all
,browser
,mobileAppsAndDesktopClients
,exchangeActiveSync
,easSupported
andother
. - Users
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Users - A
users
block as documented below, which specifies users, groups, and roles included in and excluded from the policy. - Client
Applications Pulumi.Azure AD. Inputs. Conditional Access Policy Conditions Client Applications - An
client_applications
block as documented below, which specifies service principals included in and excluded from the policy. - Devices
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Devices - A
devices
block as documented below, which describes devices to be included in and excluded from the policy. Adevices
block can be added to an existing policy, but removing thedevices
block forces a new resource to be created. - Locations
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Locations - A
locations
block as documented below, which specifies locations included in and excluded from the policy. - Platforms
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Platforms - A
platforms
block as documented below, which specifies platforms included in and excluded from the policy. - Service
Principal List<string>Risk Levels - A list of service principal sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,none
,unknownFutureValue
. - Sign
In List<string>Risk Levels - A list of user sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
. - User
Risk List<string>Levels - A list of user risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
.
- Applications
Conditional
Access Policy Conditions Applications - An
applications
block as documented below, which specifies applications and user actions included in and excluded from the policy. - Client
App []stringTypes - A list of client application types included in the policy. Possible values are:
all
,browser
,mobileAppsAndDesktopClients
,exchangeActiveSync
,easSupported
andother
. - Users
Conditional
Access Policy Conditions Users - A
users
block as documented below, which specifies users, groups, and roles included in and excluded from the policy. - Client
Applications ConditionalAccess Policy Conditions Client Applications - An
client_applications
block as documented below, which specifies service principals included in and excluded from the policy. - Devices
Conditional
Access Policy Conditions Devices - A
devices
block as documented below, which describes devices to be included in and excluded from the policy. Adevices
block can be added to an existing policy, but removing thedevices
block forces a new resource to be created. - Locations
Conditional
Access Policy Conditions Locations - A
locations
block as documented below, which specifies locations included in and excluded from the policy. - Platforms
Conditional
Access Policy Conditions Platforms - A
platforms
block as documented below, which specifies platforms included in and excluded from the policy. - Service
Principal []stringRisk Levels - A list of service principal sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,none
,unknownFutureValue
. - Sign
In []stringRisk Levels - A list of user sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
. - User
Risk []stringLevels - A list of user risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
.
- applications
Conditional
Access Policy Conditions Applications - An
applications
block as documented below, which specifies applications and user actions included in and excluded from the policy. - client
App List<String>Types - A list of client application types included in the policy. Possible values are:
all
,browser
,mobileAppsAndDesktopClients
,exchangeActiveSync
,easSupported
andother
. - users
Conditional
Access Policy Conditions Users - A
users
block as documented below, which specifies users, groups, and roles included in and excluded from the policy. - client
Applications ConditionalAccess Policy Conditions Client Applications - An
client_applications
block as documented below, which specifies service principals included in and excluded from the policy. - devices
Conditional
Access Policy Conditions Devices - A
devices
block as documented below, which describes devices to be included in and excluded from the policy. Adevices
block can be added to an existing policy, but removing thedevices
block forces a new resource to be created. - locations
Conditional
Access Policy Conditions Locations - A
locations
block as documented below, which specifies locations included in and excluded from the policy. - platforms
Conditional
Access Policy Conditions Platforms - A
platforms
block as documented below, which specifies platforms included in and excluded from the policy. - service
Principal List<String>Risk Levels - A list of service principal sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,none
,unknownFutureValue
. - sign
In List<String>Risk Levels - A list of user sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
. - user
Risk List<String>Levels - A list of user risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
.
- applications
Conditional
Access Policy Conditions Applications - An
applications
block as documented below, which specifies applications and user actions included in and excluded from the policy. - client
App string[]Types - A list of client application types included in the policy. Possible values are:
all
,browser
,mobileAppsAndDesktopClients
,exchangeActiveSync
,easSupported
andother
. - users
Conditional
Access Policy Conditions Users - A
users
block as documented below, which specifies users, groups, and roles included in and excluded from the policy. - client
Applications ConditionalAccess Policy Conditions Client Applications - An
client_applications
block as documented below, which specifies service principals included in and excluded from the policy. - devices
Conditional
Access Policy Conditions Devices - A
devices
block as documented below, which describes devices to be included in and excluded from the policy. Adevices
block can be added to an existing policy, but removing thedevices
block forces a new resource to be created. - locations
Conditional
Access Policy Conditions Locations - A
locations
block as documented below, which specifies locations included in and excluded from the policy. - platforms
Conditional
Access Policy Conditions Platforms - A
platforms
block as documented below, which specifies platforms included in and excluded from the policy. - service
Principal string[]Risk Levels - A list of service principal sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,none
,unknownFutureValue
. - sign
In string[]Risk Levels - A list of user sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
. - user
Risk string[]Levels - A list of user risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
.
- applications
Conditional
Access Policy Conditions Applications - An
applications
block as documented below, which specifies applications and user actions included in and excluded from the policy. - client_
app_ Sequence[str]types - A list of client application types included in the policy. Possible values are:
all
,browser
,mobileAppsAndDesktopClients
,exchangeActiveSync
,easSupported
andother
. - users
Conditional
Access Policy Conditions Users - A
users
block as documented below, which specifies users, groups, and roles included in and excluded from the policy. - client_
applications ConditionalAccess Policy Conditions Client Applications - An
client_applications
block as documented below, which specifies service principals included in and excluded from the policy. - devices
Conditional
Access Policy Conditions Devices - A
devices
block as documented below, which describes devices to be included in and excluded from the policy. Adevices
block can be added to an existing policy, but removing thedevices
block forces a new resource to be created. - locations
Conditional
Access Policy Conditions Locations - A
locations
block as documented below, which specifies locations included in and excluded from the policy. - platforms
Conditional
Access Policy Conditions Platforms - A
platforms
block as documented below, which specifies platforms included in and excluded from the policy. - service_
principal_ Sequence[str]risk_ levels - A list of service principal sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,none
,unknownFutureValue
. - sign_
in_ Sequence[str]risk_ levels - A list of user sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
. - user_
risk_ Sequence[str]levels - A list of user risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
.
- applications Property Map
- An
applications
block as documented below, which specifies applications and user actions included in and excluded from the policy. - client
App List<String>Types - A list of client application types included in the policy. Possible values are:
all
,browser
,mobileAppsAndDesktopClients
,exchangeActiveSync
,easSupported
andother
. - users Property Map
- A
users
block as documented below, which specifies users, groups, and roles included in and excluded from the policy. - client
Applications Property Map - An
client_applications
block as documented below, which specifies service principals included in and excluded from the policy. - devices Property Map
- A
devices
block as documented below, which describes devices to be included in and excluded from the policy. Adevices
block can be added to an existing policy, but removing thedevices
block forces a new resource to be created. - locations Property Map
- A
locations
block as documented below, which specifies locations included in and excluded from the policy. - platforms Property Map
- A
platforms
block as documented below, which specifies platforms included in and excluded from the policy. - service
Principal List<String>Risk Levels - A list of service principal sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,none
,unknownFutureValue
. - sign
In List<String>Risk Levels - A list of user sign-in risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
. - user
Risk List<String>Levels - A list of user risk levels included in the policy. Possible values are:
low
,medium
,high
,hidden
,none
,unknownFutureValue
.
ConditionalAccessPolicyConditionsApplications, ConditionalAccessPolicyConditionsApplicationsArgs
- Excluded
Applications List<string> - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - Included
Applications List<string> - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - Included
User List<string>Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- Excluded
Applications []string - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - Included
Applications []string - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - Included
User []stringActions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded
Applications List<String> - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included
Applications List<String> - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included
User List<String>Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded
Applications string[] - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included
Applications string[] - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included
User string[]Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded_
applications Sequence[str] - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included_
applications Sequence[str] - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included_
user_ Sequence[str]actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
- excluded
Applications List<String> - A list of application IDs explicitly excluded from the policy. Can also be set to
Office365
. - included
Applications List<String> - A list of application IDs the policy applies to, unless explicitly excluded (in
excluded_applications
). Can also be set toAll
,None
orOffice365
. Cannot be specified withincluded_user_actions
. One ofincluded_applications
orincluded_user_actions
must be specified. - included
User List<String>Actions - A list of user actions to include. Supported values are
urn:user:registerdevice
andurn:user:registersecurityinfo
. Cannot be specified withincluded_applications
. One ofincluded_applications
orincluded_user_actions
must be specified.
ConditionalAccessPolicyConditionsClientApplications, ConditionalAccessPolicyConditionsClientApplicationsArgs
- Excluded
Service List<string>Principals - A list of service principal IDs explicitly excluded in the policy.
- Included
Service List<string>Principals - A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenant
to include all service principals. This is mandatory value when at least oneexcluded_service_principals
is set.
- Excluded
Service []stringPrincipals - A list of service principal IDs explicitly excluded in the policy.
- Included
Service []stringPrincipals - A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenant
to include all service principals. This is mandatory value when at least oneexcluded_service_principals
is set.
- excluded
Service List<String>Principals - A list of service principal IDs explicitly excluded in the policy.
- included
Service List<String>Principals - A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenant
to include all service principals. This is mandatory value when at least oneexcluded_service_principals
is set.
- excluded
Service string[]Principals - A list of service principal IDs explicitly excluded in the policy.
- included
Service string[]Principals - A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenant
to include all service principals. This is mandatory value when at least oneexcluded_service_principals
is set.
- excluded_
service_ Sequence[str]principals - A list of service principal IDs explicitly excluded in the policy.
- included_
service_ Sequence[str]principals - A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenant
to include all service principals. This is mandatory value when at least oneexcluded_service_principals
is set.
- excluded
Service List<String>Principals - A list of service principal IDs explicitly excluded in the policy.
- included
Service List<String>Principals - A list of service principal IDs explicitly included in the policy. Can be set to
ServicePrincipalsInMyTenant
to include all service principals. This is mandatory value when at least oneexcluded_service_principals
is set.
ConditionalAccessPolicyConditionsDevices, ConditionalAccessPolicyConditionsDevicesArgs
- Filter
Pulumi.
Azure AD. Inputs. Conditional Access Policy Conditions Devices Filter - A
filter
block as described below.
- Filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter
Conditional
Access Policy Conditions Devices Filter - A
filter
block as described below.
- filter Property Map
- A
filter
block as described below.
ConditionalAccessPolicyConditionsDevicesFilter, ConditionalAccessPolicyConditionsDevicesFilterArgs
- Mode string
- Whether to include in, or exclude from, matching devices from the policy. Supported values are
include
orexclude
. - Rule string
- Condition filter to match devices. For more information, see official documentation.
- Mode string
- Whether to include in, or exclude from, matching devices from the policy. Supported values are
include
orexclude
. - Rule string
- Condition filter to match devices. For more information, see official documentation.
- mode String
- Whether to include in, or exclude from, matching devices from the policy. Supported values are
include
orexclude
. - rule String
- Condition filter to match devices. For more information, see official documentation.
- mode string
- Whether to include in, or exclude from, matching devices from the policy. Supported values are
include
orexclude
. - rule string
- Condition filter to match devices. For more information, see official documentation.
- mode str
- Whether to include in, or exclude from, matching devices from the policy. Supported values are
include
orexclude
. - rule str
- Condition filter to match devices. For more information, see official documentation.
- mode String
- Whether to include in, or exclude from, matching devices from the policy. Supported values are
include
orexclude
. - rule String
- Condition filter to match devices. For more information, see official documentation.
ConditionalAccessPolicyConditionsLocations, ConditionalAccessPolicyConditionsLocationsArgs
- Included
Locations List<string> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - Excluded
Locations List<string> - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- Included
Locations []string - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - Excluded
Locations []string - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included
Locations List<String> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded
Locations List<String> - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included
Locations string[] - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded
Locations string[] - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included_
locations Sequence[str] - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded_
locations Sequence[str] - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
- included
Locations List<String> - A list of location IDs in scope of policy unless explicitly excluded. Can also be set to
All
, orAllTrusted
. - excluded
Locations List<String> - A list of location IDs excluded from scope of policy. Can also be set to
AllTrusted
.
ConditionalAccessPolicyConditionsPlatforms, ConditionalAccessPolicyConditionsPlatformsArgs
- Included
Platforms List<string> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - Excluded
Platforms List<string> - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- Included
Platforms []string - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - Excluded
Platforms []string - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included
Platforms List<String> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded
Platforms List<String> - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included
Platforms string[] - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded
Platforms string[] - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included_
platforms Sequence[str] - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded_
platforms Sequence[str] - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
- included
Platforms List<String> - A list of platforms the policy applies to, unless explicitly excluded. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
. - excluded
Platforms List<String> - A list of platforms explicitly excluded from the policy. Possible values are:
all
,android
,iOS
,linux
,macOS
,windows
,windowsPhone
orunknownFutureValue
.
ConditionalAccessPolicyConditionsUsers, ConditionalAccessPolicyConditionsUsersArgs
- Excluded
Groups List<string> - A list of group IDs excluded from scope of policy.
- Excluded
Guests List<Pulumi.Or External Users Azure AD. Inputs. Conditional Access Policy Conditions Users Excluded Guests Or External User> - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - Excluded
Roles List<string> - A list of role IDs excluded from scope of policy.
- Excluded
Users List<string> - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - Included
Groups List<string> - A list of group IDs in scope of policy unless explicitly excluded.
- Included
Guests List<Pulumi.Or External Users Azure AD. Inputs. Conditional Access Policy Conditions Users Included Guests Or External User> - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - Included
Roles List<string> - A list of role IDs in scope of policy unless explicitly excluded.
- Included
Users List<string> A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- Excluded
Groups []string - A list of group IDs excluded from scope of policy.
- Excluded
Guests []ConditionalOr External Users Access Policy Conditions Users Excluded Guests Or External User - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - Excluded
Roles []string - A list of role IDs excluded from scope of policy.
- Excluded
Users []string - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - Included
Groups []string - A list of group IDs in scope of policy unless explicitly excluded.
- Included
Guests []ConditionalOr External Users Access Policy Conditions Users Included Guests Or External User - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - Included
Roles []string - A list of role IDs in scope of policy unless explicitly excluded.
- Included
Users []string A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded
Groups List<String> - A list of group IDs excluded from scope of policy.
- excluded
Guests List<ConditionalOr External Users Access Policy Conditions Users Excluded Guests Or External User> - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded
Roles List<String> - A list of role IDs excluded from scope of policy.
- excluded
Users List<String> - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included
Groups List<String> - A list of group IDs in scope of policy unless explicitly excluded.
- included
Guests List<ConditionalOr External Users Access Policy Conditions Users Included Guests Or External User> - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included
Roles List<String> - A list of role IDs in scope of policy unless explicitly excluded.
- included
Users List<String> A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded
Groups string[] - A list of group IDs excluded from scope of policy.
- excluded
Guests ConditionalOr External Users Access Policy Conditions Users Excluded Guests Or External User[] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded
Roles string[] - A list of role IDs excluded from scope of policy.
- excluded
Users string[] - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included
Groups string[] - A list of group IDs in scope of policy unless explicitly excluded.
- included
Guests ConditionalOr External Users Access Policy Conditions Users Included Guests Or External User[] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included
Roles string[] - A list of role IDs in scope of policy unless explicitly excluded.
- included
Users string[] A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded_
groups Sequence[str] - A list of group IDs excluded from scope of policy.
- excluded_
guests_ Sequence[Conditionalor_ external_ users Access Policy Conditions Users Excluded Guests Or External User] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded_
roles Sequence[str] - A list of role IDs excluded from scope of policy.
- excluded_
users Sequence[str] - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included_
groups Sequence[str] - A list of group IDs in scope of policy unless explicitly excluded.
- included_
guests_ Sequence[Conditionalor_ external_ users Access Policy Conditions Users Included Guests Or External User] - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included_
roles Sequence[str] - A list of role IDs in scope of policy unless explicitly excluded.
- included_
users Sequence[str] A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
- excluded
Groups List<String> - A list of group IDs excluded from scope of policy.
- excluded
Guests List<Property Map>Or External Users - A
guests_or_external_users
block as documented below, which specifies internal guests and external users excluded from scope of policy. - excluded
Roles List<String> - A list of role IDs excluded from scope of policy.
- excluded
Users List<String> - A list of user IDs excluded from scope of policy and/or
GuestsOrExternalUsers
. - included
Groups List<String> - A list of group IDs in scope of policy unless explicitly excluded.
- included
Guests List<Property Map>Or External Users - A
guests_or_external_users
block as documented below, which specifies internal guests and external users in scope of policy. - included
Roles List<String> - A list of role IDs in scope of policy unless explicitly excluded.
- included
Users List<String> A list of user IDs in scope of policy unless explicitly excluded, or
None
orAll
orGuestsOrExternalUsers
.At least one of
included_groups
,included_guests_or_external_users
,included_roles
orincluded_users
must be specified.
ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
- Guest
Or List<string>External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - External
Tenants List<Pulumi.Azure AD. Inputs. Conditional Access Policy Conditions Users Excluded Guests Or External User External Tenant> - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- Guest
Or []stringExternal User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - External
Tenants []ConditionalAccess Policy Conditions Users Excluded Guests Or External User External Tenant - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest
Or List<String>External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external
Tenants List<ConditionalAccess Policy Conditions Users Excluded Guests Or External User External Tenant> - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest
Or string[]External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external
Tenants ConditionalAccess Policy Conditions Users Excluded Guests Or External User External Tenant[] - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest_
or_ Sequence[str]external_ user_ types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external_
tenants Sequence[ConditionalAccess Policy Conditions Users Excluded Guests Or External User External Tenant] - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest
Or List<String>External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external
Tenants List<Property Map> - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
- Membership
Kind string - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - Members List<string>
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- Membership
Kind string - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - Members []string
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership
Kind String - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members List<String>
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership
Kind string - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members string[]
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership_
kind str - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members Sequence[str]
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership
Kind String - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members List<String>
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
- Guest
Or List<string>External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - External
Tenants List<Pulumi.Azure AD. Inputs. Conditional Access Policy Conditions Users Included Guests Or External User External Tenant> - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- Guest
Or []stringExternal User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - External
Tenants []ConditionalAccess Policy Conditions Users Included Guests Or External User External Tenant - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest
Or List<String>External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external
Tenants List<ConditionalAccess Policy Conditions Users Included Guests Or External User External Tenant> - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest
Or string[]External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external
Tenants ConditionalAccess Policy Conditions Users Included Guests Or External User External Tenant[] - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest_
or_ Sequence[str]external_ user_ types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external_
tenants Sequence[ConditionalAccess Policy Conditions Users Included Guests Or External User External Tenant] - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
- guest
Or List<String>External User Types - A list of guest or external user types. Possible values are:
b2bCollaborationGuest
,b2bCollaborationMember
,b2bDirectConnectUser
,internalGuest
,none
,otherExternalUser
,serviceProvider
,unknownFutureValue
. - external
Tenants List<Property Map> - An
external_tenants
block as documented below, which specifies external tenants in a policy scope.
ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
- Membership
Kind string - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - Members List<string>
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- Membership
Kind string - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - Members []string
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership
Kind String - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members List<String>
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership
Kind string - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members string[]
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership_
kind str - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members Sequence[str]
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
- membership
Kind String - The external tenant membership kind. Possible values are:
all
,enumerated
,unknownFutureValue
. - members List<String>
- A list tenant IDs. Can only be specified if
membership_kind
isenumerated
.
ConditionalAccessPolicyGrantControls, ConditionalAccessPolicyGrantControlsArgs
- Operator string
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - Authentication
Strength stringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- Built
In List<string>Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - Custom
Authentication List<string>Factors - List of custom controls IDs required by the policy.
- Terms
Of List<string>Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- Operator string
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - Authentication
Strength stringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- Built
In []stringControls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - Custom
Authentication []stringFactors - List of custom controls IDs required by the policy.
- Terms
Of []stringUses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator String
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication
Strength StringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- built
In List<String>Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom
Authentication List<String>Factors - List of custom controls IDs required by the policy.
- terms
Of List<String>Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator string
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication
Strength stringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- built
In string[]Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom
Authentication string[]Factors - List of custom controls IDs required by the policy.
- terms
Of string[]Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator str
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication_
strength_ strpolicy_ id - ID of an Authentication Strength Policy to use in this policy.
- built_
in_ Sequence[str]controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom_
authentication_ Sequence[str]factors - List of custom controls IDs required by the policy.
- terms_
of_ Sequence[str]uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
- operator String
- Defines the relationship of the grant controls. Possible values are:
AND
,OR
. - authentication
Strength StringPolicy Id - ID of an Authentication Strength Policy to use in this policy.
- built
In List<String>Controls - List of built-in controls required by the policy. Possible values are:
block
,mfa
,approvedApplication
,compliantApplication
,compliantDevice
,domainJoinedDevice
,passwordChange
orunknownFutureValue
. - custom
Authentication List<String>Factors - List of custom controls IDs required by the policy.
- terms
Of List<String>Uses List of terms of use IDs required by the policy.
At least one of
authentication_strength_policy_id
,built_in_controls
orterms_of_use
must be specified.
ConditionalAccessPolicySessionControls, ConditionalAccessPolicySessionControlsArgs
- Application
Enforced boolRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- Cloud
App stringSecurity Policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - Disable
Resilience boolDefaults - Disables resilience defaults. Defaults to
false
. - Persistent
Browser stringMode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - Sign
In intFrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - Sign
In stringFrequency Authentication Type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - Sign
In stringFrequency Interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - Sign
In stringFrequency Period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
- Application
Enforced boolRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- Cloud
App stringSecurity Policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - Disable
Resilience boolDefaults - Disables resilience defaults. Defaults to
false
. - Persistent
Browser stringMode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - Sign
In intFrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - Sign
In stringFrequency Authentication Type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - Sign
In stringFrequency Interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - Sign
In stringFrequency Period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
- application
Enforced BooleanRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud
App StringSecurity Policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - disable
Resilience BooleanDefaults - Disables resilience defaults. Defaults to
false
. - persistent
Browser StringMode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - sign
In IntegerFrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - sign
In StringFrequency Authentication Type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - sign
In StringFrequency Interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - sign
In StringFrequency Period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
- application
Enforced booleanRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud
App stringSecurity Policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - disable
Resilience booleanDefaults - Disables resilience defaults. Defaults to
false
. - persistent
Browser stringMode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - sign
In numberFrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - sign
In stringFrequency Authentication Type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - sign
In stringFrequency Interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - sign
In stringFrequency Period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
- application_
enforced_ boolrestrictions_ enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud_
app_ strsecurity_ policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - disable_
resilience_ booldefaults - Disables resilience defaults. Defaults to
false
. - persistent_
browser_ strmode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - sign_
in_ intfrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - sign_
in_ strfrequency_ authentication_ type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - sign_
in_ strfrequency_ interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - sign_
in_ strfrequency_ period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
- application
Enforced BooleanRestrictions Enabled Whether application enforced restrictions are enabled. Defaults to
false
.Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.
- cloud
App StringSecurity Policy - Enables cloud app security and specifies the cloud app security policy to use. Possible values are:
blockDownloads
,mcasConfigured
,monitorOnly
orunknownFutureValue
. - disable
Resilience BooleanDefaults - Disables resilience defaults. Defaults to
false
. - persistent
Browser StringMode - Session control to define whether to persist cookies. Possible values are:
always
ornever
. - sign
In NumberFrequency - Number of days or hours to enforce sign-in frequency. Required when
sign_in_frequency_period
is specified. - sign
In StringFrequency Authentication Type - Authentication type for enforcing sign-in frequency. Possible values are:
primaryAndSecondaryAuthentication
orsecondaryAuthentication
. Defaults toprimaryAndSecondaryAuthentication
. - sign
In StringFrequency Interval - The interval to apply to sign-in frequency control. Possible values are:
timeBased
oreveryTime
. Defaults totimeBased
. - sign
In StringFrequency Period - The time period to enforce sign-in frequency. Possible values are:
hours
ordays
. Required whensign_in_frequency_period
is specified.
Import
Conditional Access Policies can be imported using the id
, e.g.
$ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location 00000000-0000-0000-0000-000000000000
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azuread
Terraform Provider.