azuread.GroupRoleManagementPolicy
Explore with Pulumi AI
Manage a role policy for an Azure AD group.
API Permissions
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires the RoleManagementPolicy.ReadWrite.AzureADGroup
Microsoft Graph API permissions.
When authenticated with a user principal, this resource requires Global Administrator
directory role, or the Privileged Role Administrator
role in Identity Governance.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const example = new azuread.Group("example", {
displayName: "group-name",
securityEnabled: true,
});
const member = new azuread.User("member", {
userPrincipalName: "jdoe@example.com",
displayName: "J. Doe",
mailNickname: "jdoe",
password: "SecretP@sswd99!",
});
const exampleGroupRoleManagementPolicy = new azuread.GroupRoleManagementPolicy("example", {
groupId: example.id,
roleId: "member",
activeAssignmentRules: {
expireAfter: "P365D",
},
eligibleAssignmentRules: {
expirationRequired: false,
},
notificationRules: {
eligibleAssignments: {
approverNotifications: {
notificationLevel: "Critical",
defaultRecipients: false,
additionalRecipients: [
"someone@example.com",
"someone.else@example.com",
],
},
},
},
});
import pulumi
import pulumi_azuread as azuread
example = azuread.Group("example",
display_name="group-name",
security_enabled=True)
member = azuread.User("member",
user_principal_name="jdoe@example.com",
display_name="J. Doe",
mail_nickname="jdoe",
password="SecretP@sswd99!")
example_group_role_management_policy = azuread.GroupRoleManagementPolicy("example",
group_id=example.id,
role_id="member",
active_assignment_rules={
"expire_after": "P365D",
},
eligible_assignment_rules={
"expiration_required": False,
},
notification_rules={
"eligible_assignments": {
"approver_notifications": {
"notification_level": "Critical",
"default_recipients": False,
"additional_recipients": [
"someone@example.com",
"someone.else@example.com",
],
},
},
})
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
DisplayName: pulumi.String("group-name"),
SecurityEnabled: pulumi.Bool(true),
})
if err != nil {
return err
}
_, err = azuread.NewUser(ctx, "member", &azuread.UserArgs{
UserPrincipalName: pulumi.String("jdoe@example.com"),
DisplayName: pulumi.String("J. Doe"),
MailNickname: pulumi.String("jdoe"),
Password: pulumi.String("SecretP@sswd99!"),
})
if err != nil {
return err
}
_, err = azuread.NewGroupRoleManagementPolicy(ctx, "example", &azuread.GroupRoleManagementPolicyArgs{
GroupId: example.ID(),
RoleId: pulumi.String("member"),
ActiveAssignmentRules: &azuread.GroupRoleManagementPolicyActiveAssignmentRulesArgs{
ExpireAfter: pulumi.String("P365D"),
},
EligibleAssignmentRules: &azuread.GroupRoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
},
NotificationRules: &azuread.GroupRoleManagementPolicyNotificationRulesArgs{
EligibleAssignments: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
NotificationLevel: pulumi.String("Critical"),
DefaultRecipients: pulumi.Bool(false),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("someone@example.com"),
pulumi.String("someone.else@example.com"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = new AzureAD.Group("example", new()
{
DisplayName = "group-name",
SecurityEnabled = true,
});
var member = new AzureAD.User("member", new()
{
UserPrincipalName = "jdoe@example.com",
DisplayName = "J. Doe",
MailNickname = "jdoe",
Password = "SecretP@sswd99!",
});
var exampleGroupRoleManagementPolicy = new AzureAD.GroupRoleManagementPolicy("example", new()
{
GroupId = example.Id,
RoleId = "member",
ActiveAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyActiveAssignmentRulesArgs
{
ExpireAfter = "P365D",
},
EligibleAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
},
NotificationRules = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesArgs
{
EligibleAssignments = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
{
ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
{
NotificationLevel = "Critical",
DefaultRecipients = false,
AdditionalRecipients = new[]
{
"someone@example.com",
"someone.else@example.com",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.Group;
import com.pulumi.azuread.GroupArgs;
import com.pulumi.azuread.User;
import com.pulumi.azuread.UserArgs;
import com.pulumi.azuread.GroupRoleManagementPolicy;
import com.pulumi.azuread.GroupRoleManagementPolicyArgs;
import com.pulumi.azuread.inputs.GroupRoleManagementPolicyActiveAssignmentRulesArgs;
import com.pulumi.azuread.inputs.GroupRoleManagementPolicyEligibleAssignmentRulesArgs;
import com.pulumi.azuread.inputs.GroupRoleManagementPolicyNotificationRulesArgs;
import com.pulumi.azuread.inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs;
import com.pulumi.azuread.inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Group("example", GroupArgs.builder()
.displayName("group-name")
.securityEnabled(true)
.build());
var member = new User("member", UserArgs.builder()
.userPrincipalName("jdoe@example.com")
.displayName("J. Doe")
.mailNickname("jdoe")
.password("SecretP@sswd99!")
.build());
var exampleGroupRoleManagementPolicy = new GroupRoleManagementPolicy("exampleGroupRoleManagementPolicy", GroupRoleManagementPolicyArgs.builder()
.groupId(example.id())
.roleId("member")
.activeAssignmentRules(GroupRoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expireAfter("P365D")
.build())
.eligibleAssignmentRules(GroupRoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.build())
.notificationRules(GroupRoleManagementPolicyNotificationRulesArgs.builder()
.eligibleAssignments(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
.approverNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
.notificationLevel("Critical")
.defaultRecipients(false)
.additionalRecipients(
"someone@example.com",
"someone.else@example.com")
.build())
.build())
.build())
.build());
}
}
resources:
example:
type: azuread:Group
properties:
displayName: group-name
securityEnabled: true
member:
type: azuread:User
properties:
userPrincipalName: jdoe@example.com
displayName: J. Doe
mailNickname: jdoe
password: SecretP@sswd99!
exampleGroupRoleManagementPolicy:
type: azuread:GroupRoleManagementPolicy
name: example
properties:
groupId: ${example.id}
roleId: member
activeAssignmentRules:
expireAfter: P365D
eligibleAssignmentRules:
expirationRequired: false
notificationRules:
eligibleAssignments:
approverNotifications:
notificationLevel: Critical
defaultRecipients: false
additionalRecipients:
- someone@example.com
- someone.else@example.com
Create GroupRoleManagementPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new GroupRoleManagementPolicy(name: string, args: GroupRoleManagementPolicyArgs, opts?: CustomResourceOptions);
@overload
def GroupRoleManagementPolicy(resource_name: str,
args: GroupRoleManagementPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def GroupRoleManagementPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
group_id: Optional[str] = None,
role_id: Optional[str] = None,
activation_rules: Optional[GroupRoleManagementPolicyActivationRulesArgs] = None,
active_assignment_rules: Optional[GroupRoleManagementPolicyActiveAssignmentRulesArgs] = None,
eligible_assignment_rules: Optional[GroupRoleManagementPolicyEligibleAssignmentRulesArgs] = None,
notification_rules: Optional[GroupRoleManagementPolicyNotificationRulesArgs] = None)
func NewGroupRoleManagementPolicy(ctx *Context, name string, args GroupRoleManagementPolicyArgs, opts ...ResourceOption) (*GroupRoleManagementPolicy, error)
public GroupRoleManagementPolicy(string name, GroupRoleManagementPolicyArgs args, CustomResourceOptions? opts = null)
public GroupRoleManagementPolicy(String name, GroupRoleManagementPolicyArgs args)
public GroupRoleManagementPolicy(String name, GroupRoleManagementPolicyArgs args, CustomResourceOptions options)
type: azuread:GroupRoleManagementPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args GroupRoleManagementPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args GroupRoleManagementPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args GroupRoleManagementPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args GroupRoleManagementPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args GroupRoleManagementPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var groupRoleManagementPolicyResource = new AzureAD.GroupRoleManagementPolicy("groupRoleManagementPolicyResource", new()
{
GroupId = "string",
RoleId = "string",
ActivationRules = new AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesArgs
{
ApprovalStage = new AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesApprovalStageArgs
{
PrimaryApprovers = new[]
{
new AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
{
ObjectId = "string",
Type = "string",
},
},
},
MaximumDuration = "string",
RequireApproval = false,
RequireJustification = false,
RequireMultifactorAuthentication = false,
RequireTicketInfo = false,
RequiredConditionalAccessAuthenticationContext = "string",
},
ActiveAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyActiveAssignmentRulesArgs
{
ExpirationRequired = false,
ExpireAfter = "string",
RequireJustification = false,
RequireMultifactorAuthentication = false,
RequireTicketInfo = false,
},
EligibleAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyEligibleAssignmentRulesArgs
{
ExpirationRequired = false,
ExpireAfter = "string",
},
NotificationRules = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesArgs
{
ActiveAssignments = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs
{
AdminNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
AssigneeNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
},
EligibleActivations = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs
{
AdminNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
AssigneeNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
},
EligibleAssignments = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
{
AdminNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
AssigneeNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs
{
DefaultRecipients = false,
NotificationLevel = "string",
AdditionalRecipients = new[]
{
"string",
},
},
},
},
});
example, err := azuread.NewGroupRoleManagementPolicy(ctx, "groupRoleManagementPolicyResource", &azuread.GroupRoleManagementPolicyArgs{
GroupId: pulumi.String("string"),
RoleId: pulumi.String("string"),
ActivationRules: &azuread.GroupRoleManagementPolicyActivationRulesArgs{
ApprovalStage: &azuread.GroupRoleManagementPolicyActivationRulesApprovalStageArgs{
PrimaryApprovers: azuread.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArray{
&azuread.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs{
ObjectId: pulumi.String("string"),
Type: pulumi.String("string"),
},
},
},
MaximumDuration: pulumi.String("string"),
RequireApproval: pulumi.Bool(false),
RequireJustification: pulumi.Bool(false),
RequireMultifactorAuthentication: pulumi.Bool(false),
RequireTicketInfo: pulumi.Bool(false),
RequiredConditionalAccessAuthenticationContext: pulumi.String("string"),
},
ActiveAssignmentRules: &azuread.GroupRoleManagementPolicyActiveAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
ExpireAfter: pulumi.String("string"),
RequireJustification: pulumi.Bool(false),
RequireMultifactorAuthentication: pulumi.Bool(false),
RequireTicketInfo: pulumi.Bool(false),
},
EligibleAssignmentRules: &azuread.GroupRoleManagementPolicyEligibleAssignmentRulesArgs{
ExpirationRequired: pulumi.Bool(false),
ExpireAfter: pulumi.String("string"),
},
NotificationRules: &azuread.GroupRoleManagementPolicyNotificationRulesArgs{
ActiveAssignments: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
AdminNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
AssigneeNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
},
EligibleActivations: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs{
AdminNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
AssigneeNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
},
EligibleAssignments: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
AdminNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
AssigneeNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs{
DefaultRecipients: pulumi.Bool(false),
NotificationLevel: pulumi.String("string"),
AdditionalRecipients: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
})
var groupRoleManagementPolicyResource = new GroupRoleManagementPolicy("groupRoleManagementPolicyResource", GroupRoleManagementPolicyArgs.builder()
.groupId("string")
.roleId("string")
.activationRules(GroupRoleManagementPolicyActivationRulesArgs.builder()
.approvalStage(GroupRoleManagementPolicyActivationRulesApprovalStageArgs.builder()
.primaryApprovers(GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
.objectId("string")
.type("string")
.build())
.build())
.maximumDuration("string")
.requireApproval(false)
.requireJustification(false)
.requireMultifactorAuthentication(false)
.requireTicketInfo(false)
.requiredConditionalAccessAuthenticationContext("string")
.build())
.activeAssignmentRules(GroupRoleManagementPolicyActiveAssignmentRulesArgs.builder()
.expirationRequired(false)
.expireAfter("string")
.requireJustification(false)
.requireMultifactorAuthentication(false)
.requireTicketInfo(false)
.build())
.eligibleAssignmentRules(GroupRoleManagementPolicyEligibleAssignmentRulesArgs.builder()
.expirationRequired(false)
.expireAfter("string")
.build())
.notificationRules(GroupRoleManagementPolicyNotificationRulesArgs.builder()
.activeAssignments(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
.adminNotifications(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.approverNotifications(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.assigneeNotifications(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.build())
.eligibleActivations(GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
.adminNotifications(GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.approverNotifications(GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.assigneeNotifications(GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.build())
.eligibleAssignments(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
.adminNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.approverNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.assigneeNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs.builder()
.defaultRecipients(false)
.notificationLevel("string")
.additionalRecipients("string")
.build())
.build())
.build())
.build());
group_role_management_policy_resource = azuread.GroupRoleManagementPolicy("groupRoleManagementPolicyResource",
group_id="string",
role_id="string",
activation_rules={
"approval_stage": {
"primary_approvers": [{
"object_id": "string",
"type": "string",
}],
},
"maximum_duration": "string",
"require_approval": False,
"require_justification": False,
"require_multifactor_authentication": False,
"require_ticket_info": False,
"required_conditional_access_authentication_context": "string",
},
active_assignment_rules={
"expiration_required": False,
"expire_after": "string",
"require_justification": False,
"require_multifactor_authentication": False,
"require_ticket_info": False,
},
eligible_assignment_rules={
"expiration_required": False,
"expire_after": "string",
},
notification_rules={
"active_assignments": {
"admin_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
"approver_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
"assignee_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
},
"eligible_activations": {
"admin_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
"approver_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
"assignee_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
},
"eligible_assignments": {
"admin_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
"approver_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
"assignee_notifications": {
"default_recipients": False,
"notification_level": "string",
"additional_recipients": ["string"],
},
},
})
const groupRoleManagementPolicyResource = new azuread.GroupRoleManagementPolicy("groupRoleManagementPolicyResource", {
groupId: "string",
roleId: "string",
activationRules: {
approvalStage: {
primaryApprovers: [{
objectId: "string",
type: "string",
}],
},
maximumDuration: "string",
requireApproval: false,
requireJustification: false,
requireMultifactorAuthentication: false,
requireTicketInfo: false,
requiredConditionalAccessAuthenticationContext: "string",
},
activeAssignmentRules: {
expirationRequired: false,
expireAfter: "string",
requireJustification: false,
requireMultifactorAuthentication: false,
requireTicketInfo: false,
},
eligibleAssignmentRules: {
expirationRequired: false,
expireAfter: "string",
},
notificationRules: {
activeAssignments: {
adminNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
approverNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
assigneeNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
},
eligibleActivations: {
adminNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
approverNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
assigneeNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
},
eligibleAssignments: {
adminNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
approverNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
assigneeNotifications: {
defaultRecipients: false,
notificationLevel: "string",
additionalRecipients: ["string"],
},
},
},
});
type: azuread:GroupRoleManagementPolicy
properties:
activationRules:
approvalStage:
primaryApprovers:
- objectId: string
type: string
maximumDuration: string
requireApproval: false
requireJustification: false
requireMultifactorAuthentication: false
requireTicketInfo: false
requiredConditionalAccessAuthenticationContext: string
activeAssignmentRules:
expirationRequired: false
expireAfter: string
requireJustification: false
requireMultifactorAuthentication: false
requireTicketInfo: false
eligibleAssignmentRules:
expirationRequired: false
expireAfter: string
groupId: string
notificationRules:
activeAssignments:
adminNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
approverNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
assigneeNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
eligibleActivations:
adminNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
approverNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
assigneeNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
eligibleAssignments:
adminNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
approverNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
assigneeNotifications:
additionalRecipients:
- string
defaultRecipients: false
notificationLevel: string
roleId: string
GroupRoleManagementPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The GroupRoleManagementPolicy resource accepts the following input properties:
- Group
Id string - The ID of the Azure AD group for which the policy applies.
- Role
Id string - The type of assignment this policy coveres. Can be either
member
orowner
. - Activation
Rules Pulumi.Azure AD. Inputs. Group Role Management Policy Activation Rules - An
activation_rules
block as defined below. - Active
Assignment Pulumi.Rules Azure AD. Inputs. Group Role Management Policy Active Assignment Rules - An
active_assignment_rules
block as defined below. - Eligible
Assignment Pulumi.Rules Azure AD. Inputs. Group Role Management Policy Eligible Assignment Rules - An
eligible_assignment_rules
block as defined below. - Notification
Rules Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules - A
notification_rules
block as defined below.
- Group
Id string - The ID of the Azure AD group for which the policy applies.
- Role
Id string - The type of assignment this policy coveres. Can be either
member
orowner
. - Activation
Rules GroupRole Management Policy Activation Rules Args - An
activation_rules
block as defined below. - Active
Assignment GroupRules Role Management Policy Active Assignment Rules Args - An
active_assignment_rules
block as defined below. - Eligible
Assignment GroupRules Role Management Policy Eligible Assignment Rules Args - An
eligible_assignment_rules
block as defined below. - Notification
Rules GroupRole Management Policy Notification Rules Args - A
notification_rules
block as defined below.
- group
Id String - The ID of the Azure AD group for which the policy applies.
- role
Id String - The type of assignment this policy coveres. Can be either
member
orowner
. - activation
Rules GroupRole Management Policy Activation Rules - An
activation_rules
block as defined below. - active
Assignment GroupRules Role Management Policy Active Assignment Rules - An
active_assignment_rules
block as defined below. - eligible
Assignment GroupRules Role Management Policy Eligible Assignment Rules - An
eligible_assignment_rules
block as defined below. - notification
Rules GroupRole Management Policy Notification Rules - A
notification_rules
block as defined below.
- group
Id string - The ID of the Azure AD group for which the policy applies.
- role
Id string - The type of assignment this policy coveres. Can be either
member
orowner
. - activation
Rules GroupRole Management Policy Activation Rules - An
activation_rules
block as defined below. - active
Assignment GroupRules Role Management Policy Active Assignment Rules - An
active_assignment_rules
block as defined below. - eligible
Assignment GroupRules Role Management Policy Eligible Assignment Rules - An
eligible_assignment_rules
block as defined below. - notification
Rules GroupRole Management Policy Notification Rules - A
notification_rules
block as defined below.
- group_
id str - The ID of the Azure AD group for which the policy applies.
- role_
id str - The type of assignment this policy coveres. Can be either
member
orowner
. - activation_
rules GroupRole Management Policy Activation Rules Args - An
activation_rules
block as defined below. - active_
assignment_ Grouprules Role Management Policy Active Assignment Rules Args - An
active_assignment_rules
block as defined below. - eligible_
assignment_ Grouprules Role Management Policy Eligible Assignment Rules Args - An
eligible_assignment_rules
block as defined below. - notification_
rules GroupRole Management Policy Notification Rules Args - A
notification_rules
block as defined below.
- group
Id String - The ID of the Azure AD group for which the policy applies.
- role
Id String - The type of assignment this policy coveres. Can be either
member
orowner
. - activation
Rules Property Map - An
activation_rules
block as defined below. - active
Assignment Property MapRules - An
active_assignment_rules
block as defined below. - eligible
Assignment Property MapRules - An
eligible_assignment_rules
block as defined below. - notification
Rules Property Map - A
notification_rules
block as defined below.
Outputs
All input properties are implicitly available as output properties. Additionally, the GroupRoleManagementPolicy resource produces the following output properties:
- Description string
- (String) The description of this policy.
- Display
Name string - (String) The display name of this policy.
- Id string
- The provider-assigned unique ID for this managed resource.
- Description string
- (String) The description of this policy.
- Display
Name string - (String) The display name of this policy.
- Id string
- The provider-assigned unique ID for this managed resource.
- description String
- (String) The description of this policy.
- display
Name String - (String) The display name of this policy.
- id String
- The provider-assigned unique ID for this managed resource.
- description string
- (String) The description of this policy.
- display
Name string - (String) The display name of this policy.
- id string
- The provider-assigned unique ID for this managed resource.
- description str
- (String) The description of this policy.
- display_
name str - (String) The display name of this policy.
- id str
- The provider-assigned unique ID for this managed resource.
- description String
- (String) The description of this policy.
- display
Name String - (String) The display name of this policy.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing GroupRoleManagementPolicy Resource
Get an existing GroupRoleManagementPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: GroupRoleManagementPolicyState, opts?: CustomResourceOptions): GroupRoleManagementPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
activation_rules: Optional[GroupRoleManagementPolicyActivationRulesArgs] = None,
active_assignment_rules: Optional[GroupRoleManagementPolicyActiveAssignmentRulesArgs] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
eligible_assignment_rules: Optional[GroupRoleManagementPolicyEligibleAssignmentRulesArgs] = None,
group_id: Optional[str] = None,
notification_rules: Optional[GroupRoleManagementPolicyNotificationRulesArgs] = None,
role_id: Optional[str] = None) -> GroupRoleManagementPolicy
func GetGroupRoleManagementPolicy(ctx *Context, name string, id IDInput, state *GroupRoleManagementPolicyState, opts ...ResourceOption) (*GroupRoleManagementPolicy, error)
public static GroupRoleManagementPolicy Get(string name, Input<string> id, GroupRoleManagementPolicyState? state, CustomResourceOptions? opts = null)
public static GroupRoleManagementPolicy get(String name, Output<String> id, GroupRoleManagementPolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Activation
Rules Pulumi.Azure AD. Inputs. Group Role Management Policy Activation Rules - An
activation_rules
block as defined below. - Active
Assignment Pulumi.Rules Azure AD. Inputs. Group Role Management Policy Active Assignment Rules - An
active_assignment_rules
block as defined below. - Description string
- (String) The description of this policy.
- Display
Name string - (String) The display name of this policy.
- Eligible
Assignment Pulumi.Rules Azure AD. Inputs. Group Role Management Policy Eligible Assignment Rules - An
eligible_assignment_rules
block as defined below. - Group
Id string - The ID of the Azure AD group for which the policy applies.
- Notification
Rules Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules - A
notification_rules
block as defined below. - Role
Id string - The type of assignment this policy coveres. Can be either
member
orowner
.
- Activation
Rules GroupRole Management Policy Activation Rules Args - An
activation_rules
block as defined below. - Active
Assignment GroupRules Role Management Policy Active Assignment Rules Args - An
active_assignment_rules
block as defined below. - Description string
- (String) The description of this policy.
- Display
Name string - (String) The display name of this policy.
- Eligible
Assignment GroupRules Role Management Policy Eligible Assignment Rules Args - An
eligible_assignment_rules
block as defined below. - Group
Id string - The ID of the Azure AD group for which the policy applies.
- Notification
Rules GroupRole Management Policy Notification Rules Args - A
notification_rules
block as defined below. - Role
Id string - The type of assignment this policy coveres. Can be either
member
orowner
.
- activation
Rules GroupRole Management Policy Activation Rules - An
activation_rules
block as defined below. - active
Assignment GroupRules Role Management Policy Active Assignment Rules - An
active_assignment_rules
block as defined below. - description String
- (String) The description of this policy.
- display
Name String - (String) The display name of this policy.
- eligible
Assignment GroupRules Role Management Policy Eligible Assignment Rules - An
eligible_assignment_rules
block as defined below. - group
Id String - The ID of the Azure AD group for which the policy applies.
- notification
Rules GroupRole Management Policy Notification Rules - A
notification_rules
block as defined below. - role
Id String - The type of assignment this policy coveres. Can be either
member
orowner
.
- activation
Rules GroupRole Management Policy Activation Rules - An
activation_rules
block as defined below. - active
Assignment GroupRules Role Management Policy Active Assignment Rules - An
active_assignment_rules
block as defined below. - description string
- (String) The description of this policy.
- display
Name string - (String) The display name of this policy.
- eligible
Assignment GroupRules Role Management Policy Eligible Assignment Rules - An
eligible_assignment_rules
block as defined below. - group
Id string - The ID of the Azure AD group for which the policy applies.
- notification
Rules GroupRole Management Policy Notification Rules - A
notification_rules
block as defined below. - role
Id string - The type of assignment this policy coveres. Can be either
member
orowner
.
- activation_
rules GroupRole Management Policy Activation Rules Args - An
activation_rules
block as defined below. - active_
assignment_ Grouprules Role Management Policy Active Assignment Rules Args - An
active_assignment_rules
block as defined below. - description str
- (String) The description of this policy.
- display_
name str - (String) The display name of this policy.
- eligible_
assignment_ Grouprules Role Management Policy Eligible Assignment Rules Args - An
eligible_assignment_rules
block as defined below. - group_
id str - The ID of the Azure AD group for which the policy applies.
- notification_
rules GroupRole Management Policy Notification Rules Args - A
notification_rules
block as defined below. - role_
id str - The type of assignment this policy coveres. Can be either
member
orowner
.
- activation
Rules Property Map - An
activation_rules
block as defined below. - active
Assignment Property MapRules - An
active_assignment_rules
block as defined below. - description String
- (String) The description of this policy.
- display
Name String - (String) The display name of this policy.
- eligible
Assignment Property MapRules - An
eligible_assignment_rules
block as defined below. - group
Id String - The ID of the Azure AD group for which the policy applies.
- notification
Rules Property Map - A
notification_rules
block as defined below. - role
Id String - The type of assignment this policy coveres. Can be either
member
orowner
.
Supporting Types
GroupRoleManagementPolicyActivationRules, GroupRoleManagementPolicyActivationRulesArgs
- Approval
Stage Pulumi.Azure AD. Inputs. Group Role Management Policy Activation Rules Approval Stage - An
approval_stage
block as defined below. - Maximum
Duration string - The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g.
PT8H
). Valid range isPT30M
toPT23H30M
, in 30 minute increments, orPT1D
. - Require
Approval bool - Is approval required for activation. If
true
anapproval_stage
block must be provided. - Require
Justification bool - Is a justification required during activation of the role.
- Require
Multifactor boolAuthentication - Is multi-factor authentication required to activate the role. Conflicts with
required_conditional_access_authentication_context
. - Require
Ticket boolInfo - Is ticket information requrired during activation of the role.
- Required
Conditional stringAccess Authentication Context - The Entra ID Conditional Access context that must be present for activation (e.g
c1
). Conflicts withrequire_multifactor_authentication
.
- Approval
Stage GroupRole Management Policy Activation Rules Approval Stage - An
approval_stage
block as defined below. - Maximum
Duration string - The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g.
PT8H
). Valid range isPT30M
toPT23H30M
, in 30 minute increments, orPT1D
. - Require
Approval bool - Is approval required for activation. If
true
anapproval_stage
block must be provided. - Require
Justification bool - Is a justification required during activation of the role.
- Require
Multifactor boolAuthentication - Is multi-factor authentication required to activate the role. Conflicts with
required_conditional_access_authentication_context
. - Require
Ticket boolInfo - Is ticket information requrired during activation of the role.
- Required
Conditional stringAccess Authentication Context - The Entra ID Conditional Access context that must be present for activation (e.g
c1
). Conflicts withrequire_multifactor_authentication
.
- approval
Stage GroupRole Management Policy Activation Rules Approval Stage - An
approval_stage
block as defined below. - maximum
Duration String - The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g.
PT8H
). Valid range isPT30M
toPT23H30M
, in 30 minute increments, orPT1D
. - require
Approval Boolean - Is approval required for activation. If
true
anapproval_stage
block must be provided. - require
Justification Boolean - Is a justification required during activation of the role.
- require
Multifactor BooleanAuthentication - Is multi-factor authentication required to activate the role. Conflicts with
required_conditional_access_authentication_context
. - require
Ticket BooleanInfo - Is ticket information requrired during activation of the role.
- required
Conditional StringAccess Authentication Context - The Entra ID Conditional Access context that must be present for activation (e.g
c1
). Conflicts withrequire_multifactor_authentication
.
- approval
Stage GroupRole Management Policy Activation Rules Approval Stage - An
approval_stage
block as defined below. - maximum
Duration string - The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g.
PT8H
). Valid range isPT30M
toPT23H30M
, in 30 minute increments, orPT1D
. - require
Approval boolean - Is approval required for activation. If
true
anapproval_stage
block must be provided. - require
Justification boolean - Is a justification required during activation of the role.
- require
Multifactor booleanAuthentication - Is multi-factor authentication required to activate the role. Conflicts with
required_conditional_access_authentication_context
. - require
Ticket booleanInfo - Is ticket information requrired during activation of the role.
- required
Conditional stringAccess Authentication Context - The Entra ID Conditional Access context that must be present for activation (e.g
c1
). Conflicts withrequire_multifactor_authentication
.
- approval_
stage GroupRole Management Policy Activation Rules Approval Stage - An
approval_stage
block as defined below. - maximum_
duration str - The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g.
PT8H
). Valid range isPT30M
toPT23H30M
, in 30 minute increments, orPT1D
. - require_
approval bool - Is approval required for activation. If
true
anapproval_stage
block must be provided. - require_
justification bool - Is a justification required during activation of the role.
- require_
multifactor_ boolauthentication - Is multi-factor authentication required to activate the role. Conflicts with
required_conditional_access_authentication_context
. - require_
ticket_ boolinfo - Is ticket information requrired during activation of the role.
- required_
conditional_ straccess_ authentication_ context - The Entra ID Conditional Access context that must be present for activation (e.g
c1
). Conflicts withrequire_multifactor_authentication
.
- approval
Stage Property Map - An
approval_stage
block as defined below. - maximum
Duration String - The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g.
PT8H
). Valid range isPT30M
toPT23H30M
, in 30 minute increments, orPT1D
. - require
Approval Boolean - Is approval required for activation. If
true
anapproval_stage
block must be provided. - require
Justification Boolean - Is a justification required during activation of the role.
- require
Multifactor BooleanAuthentication - Is multi-factor authentication required to activate the role. Conflicts with
required_conditional_access_authentication_context
. - require
Ticket BooleanInfo - Is ticket information requrired during activation of the role.
- required
Conditional StringAccess Authentication Context - The Entra ID Conditional Access context that must be present for activation (e.g
c1
). Conflicts withrequire_multifactor_authentication
.
GroupRoleManagementPolicyActivationRulesApprovalStage, GroupRoleManagementPolicyActivationRulesApprovalStageArgs
- Primary
Approvers List<Pulumi.Azure AD. Inputs. Group Role Management Policy Activation Rules Approval Stage Primary Approver> - The IDs of the users or groups who can approve the activation
- Primary
Approvers []GroupRole Management Policy Activation Rules Approval Stage Primary Approver - The IDs of the users or groups who can approve the activation
- primary
Approvers List<GroupRole Management Policy Activation Rules Approval Stage Primary Approver> - The IDs of the users or groups who can approve the activation
- primary
Approvers GroupRole Management Policy Activation Rules Approval Stage Primary Approver[] - The IDs of the users or groups who can approve the activation
- primary_
approvers Sequence[GroupRole Management Policy Activation Rules Approval Stage Primary Approver] - The IDs of the users or groups who can approve the activation
- primary
Approvers List<Property Map> - The IDs of the users or groups who can approve the activation
GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover, GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
GroupRoleManagementPolicyActiveAssignmentRules, GroupRoleManagementPolicyActiveAssignmentRulesArgs
- Expiration
Required bool - Must an assignment have an expiry date.
false
allows permanent assignment. - Expire
After string - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
. - Require
Justification bool - Is a justification required to create new assignments.
- Require
Multifactor boolAuthentication - Is multi-factor authentication required to create new assignments.
- Require
Ticket boolInfo Is ticket information required to create new assignments.
One of
expiration_required
orexpire_after
must be provided.
- Expiration
Required bool - Must an assignment have an expiry date.
false
allows permanent assignment. - Expire
After string - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
. - Require
Justification bool - Is a justification required to create new assignments.
- Require
Multifactor boolAuthentication - Is multi-factor authentication required to create new assignments.
- Require
Ticket boolInfo Is ticket information required to create new assignments.
One of
expiration_required
orexpire_after
must be provided.
- expiration
Required Boolean - Must an assignment have an expiry date.
false
allows permanent assignment. - expire
After String - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
. - require
Justification Boolean - Is a justification required to create new assignments.
- require
Multifactor BooleanAuthentication - Is multi-factor authentication required to create new assignments.
- require
Ticket BooleanInfo Is ticket information required to create new assignments.
One of
expiration_required
orexpire_after
must be provided.
- expiration
Required boolean - Must an assignment have an expiry date.
false
allows permanent assignment. - expire
After string - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
. - require
Justification boolean - Is a justification required to create new assignments.
- require
Multifactor booleanAuthentication - Is multi-factor authentication required to create new assignments.
- require
Ticket booleanInfo Is ticket information required to create new assignments.
One of
expiration_required
orexpire_after
must be provided.
- expiration_
required bool - Must an assignment have an expiry date.
false
allows permanent assignment. - expire_
after str - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
. - require_
justification bool - Is a justification required to create new assignments.
- require_
multifactor_ boolauthentication - Is multi-factor authentication required to create new assignments.
- require_
ticket_ boolinfo Is ticket information required to create new assignments.
One of
expiration_required
orexpire_after
must be provided.
- expiration
Required Boolean - Must an assignment have an expiry date.
false
allows permanent assignment. - expire
After String - The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
. - require
Justification Boolean - Is a justification required to create new assignments.
- require
Multifactor BooleanAuthentication - Is multi-factor authentication required to create new assignments.
- require
Ticket BooleanInfo Is ticket information required to create new assignments.
One of
expiration_required
orexpire_after
must be provided.
GroupRoleManagementPolicyEligibleAssignmentRules, GroupRoleManagementPolicyEligibleAssignmentRulesArgs
- Expiration
Required bool - Must an assignment have an expiry date.
false
allows permanent assignment. - Expire
After string The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
.One of
expiration_required
orexpire_after
must be provided.
- Expiration
Required bool - Must an assignment have an expiry date.
false
allows permanent assignment. - Expire
After string The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
.One of
expiration_required
orexpire_after
must be provided.
- expiration
Required Boolean - Must an assignment have an expiry date.
false
allows permanent assignment. - expire
After String The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
.One of
expiration_required
orexpire_after
must be provided.
- expiration
Required boolean - Must an assignment have an expiry date.
false
allows permanent assignment. - expire
After string The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
.One of
expiration_required
orexpire_after
must be provided.
- expiration_
required bool - Must an assignment have an expiry date.
false
allows permanent assignment. - expire_
after str The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
.One of
expiration_required
orexpire_after
must be provided.
- expiration
Required Boolean - Must an assignment have an expiry date.
false
allows permanent assignment. - expire
After String The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values:
P15D
,P30D
,P90D
,P180D
, orP365D
.One of
expiration_required
orexpire_after
must be provided.
GroupRoleManagementPolicyNotificationRules, GroupRoleManagementPolicyNotificationRulesArgs
- Active
Assignments Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Active Assignments - A
notification_target
block as defined below to configure notfications on active role assignments. - Eligible
Activations Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Activations - A
notification_target
block as defined below for configuring notifications on activation of eligible role. - Eligible
Assignments Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Assignments A
notification_target
block as defined below to configure notification on eligible role assignments.At least one
notification_target
block must be provided.
- Active
Assignments GroupRole Management Policy Notification Rules Active Assignments - A
notification_target
block as defined below to configure notfications on active role assignments. - Eligible
Activations GroupRole Management Policy Notification Rules Eligible Activations - A
notification_target
block as defined below for configuring notifications on activation of eligible role. - Eligible
Assignments GroupRole Management Policy Notification Rules Eligible Assignments A
notification_target
block as defined below to configure notification on eligible role assignments.At least one
notification_target
block must be provided.
- active
Assignments GroupRole Management Policy Notification Rules Active Assignments - A
notification_target
block as defined below to configure notfications on active role assignments. - eligible
Activations GroupRole Management Policy Notification Rules Eligible Activations - A
notification_target
block as defined below for configuring notifications on activation of eligible role. - eligible
Assignments GroupRole Management Policy Notification Rules Eligible Assignments A
notification_target
block as defined below to configure notification on eligible role assignments.At least one
notification_target
block must be provided.
- active
Assignments GroupRole Management Policy Notification Rules Active Assignments - A
notification_target
block as defined below to configure notfications on active role assignments. - eligible
Activations GroupRole Management Policy Notification Rules Eligible Activations - A
notification_target
block as defined below for configuring notifications on activation of eligible role. - eligible
Assignments GroupRole Management Policy Notification Rules Eligible Assignments A
notification_target
block as defined below to configure notification on eligible role assignments.At least one
notification_target
block must be provided.
- active_
assignments GroupRole Management Policy Notification Rules Active Assignments - A
notification_target
block as defined below to configure notfications on active role assignments. - eligible_
activations GroupRole Management Policy Notification Rules Eligible Activations - A
notification_target
block as defined below for configuring notifications on activation of eligible role. - eligible_
assignments GroupRole Management Policy Notification Rules Eligible Assignments A
notification_target
block as defined below to configure notification on eligible role assignments.At least one
notification_target
block must be provided.
- active
Assignments Property Map - A
notification_target
block as defined below to configure notfications on active role assignments. - eligible
Activations Property Map - A
notification_target
block as defined below for configuring notifications on activation of eligible role. - eligible
Assignments Property Map A
notification_target
block as defined below to configure notification on eligible role assignments.At least one
notification_target
block must be provided.
GroupRoleManagementPolicyNotificationRulesActiveAssignments, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs
- Admin
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Active Assignments Admin Notifications - Admin notification settings
- Approver
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Active Assignments Approver Notifications - Approver notification settings
- Assignee
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Active Assignments Assignee Notifications - Assignee notification settings
- Admin
Notifications GroupRole Management Policy Notification Rules Active Assignments Admin Notifications - Admin notification settings
- Approver
Notifications GroupRole Management Policy Notification Rules Active Assignments Approver Notifications - Approver notification settings
- Assignee
Notifications GroupRole Management Policy Notification Rules Active Assignments Assignee Notifications - Assignee notification settings
- admin
Notifications GroupRole Management Policy Notification Rules Active Assignments Admin Notifications - Admin notification settings
- approver
Notifications GroupRole Management Policy Notification Rules Active Assignments Approver Notifications - Approver notification settings
- assignee
Notifications GroupRole Management Policy Notification Rules Active Assignments Assignee Notifications - Assignee notification settings
- admin
Notifications GroupRole Management Policy Notification Rules Active Assignments Admin Notifications - Admin notification settings
- approver
Notifications GroupRole Management Policy Notification Rules Active Assignments Approver Notifications - Approver notification settings
- assignee
Notifications GroupRole Management Policy Notification Rules Active Assignments Assignee Notifications - Assignee notification settings
- admin_
notifications GroupRole Management Policy Notification Rules Active Assignments Admin Notifications - Admin notification settings
- approver_
notifications GroupRole Management Policy Notification Rules Active Assignments Approver Notifications - Approver notification settings
- assignee_
notifications GroupRole Management Policy Notification Rules Active Assignments Assignee Notifications - Assignee notification settings
- admin
Notifications Property Map - Admin notification settings
- approver
Notifications Property Map - Approver notification settings
- assignee
Notifications Property Map - Assignee notification settings
GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotifications, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotifications, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotifications, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesEligibleActivations, GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs
- Admin
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Activations Admin Notifications - Admin notification settings
- Approver
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Activations Approver Notifications - Approver notification settings
- Assignee
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Activations Assignee Notifications - Assignee notification settings
- Admin
Notifications GroupRole Management Policy Notification Rules Eligible Activations Admin Notifications - Admin notification settings
- Approver
Notifications GroupRole Management Policy Notification Rules Eligible Activations Approver Notifications - Approver notification settings
- Assignee
Notifications GroupRole Management Policy Notification Rules Eligible Activations Assignee Notifications - Assignee notification settings
- admin
Notifications GroupRole Management Policy Notification Rules Eligible Activations Admin Notifications - Admin notification settings
- approver
Notifications GroupRole Management Policy Notification Rules Eligible Activations Approver Notifications - Approver notification settings
- assignee
Notifications GroupRole Management Policy Notification Rules Eligible Activations Assignee Notifications - Assignee notification settings
- admin
Notifications GroupRole Management Policy Notification Rules Eligible Activations Admin Notifications - Admin notification settings
- approver
Notifications GroupRole Management Policy Notification Rules Eligible Activations Approver Notifications - Approver notification settings
- assignee
Notifications GroupRole Management Policy Notification Rules Eligible Activations Assignee Notifications - Assignee notification settings
- admin_
notifications GroupRole Management Policy Notification Rules Eligible Activations Admin Notifications - Admin notification settings
- approver_
notifications GroupRole Management Policy Notification Rules Eligible Activations Approver Notifications - Approver notification settings
- assignee_
notifications GroupRole Management Policy Notification Rules Eligible Activations Assignee Notifications - Assignee notification settings
- admin
Notifications Property Map - Admin notification settings
- approver
Notifications Property Map - Approver notification settings
- assignee
Notifications Property Map - Assignee notification settings
GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotifications, GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotifications, GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotifications, GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesEligibleAssignments, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
- Admin
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Assignments Admin Notifications - Admin notification settings
- Approver
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Assignments Approver Notifications - Approver notification settings
- Assignee
Notifications Pulumi.Azure AD. Inputs. Group Role Management Policy Notification Rules Eligible Assignments Assignee Notifications - Assignee notification settings
- Admin
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Admin Notifications - Admin notification settings
- Approver
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Approver Notifications - Approver notification settings
- Assignee
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Assignee Notifications - Assignee notification settings
- admin
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Admin Notifications - Admin notification settings
- approver
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Approver Notifications - Approver notification settings
- assignee
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Assignee Notifications - Assignee notification settings
- admin
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Admin Notifications - Admin notification settings
- approver
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Approver Notifications - Approver notification settings
- assignee
Notifications GroupRole Management Policy Notification Rules Eligible Assignments Assignee Notifications - Assignee notification settings
- admin_
notifications GroupRole Management Policy Notification Rules Eligible Assignments Admin Notifications - Admin notification settings
- approver_
notifications GroupRole Management Policy Notification Rules Eligible Assignments Approver Notifications - Approver notification settings
- assignee_
notifications GroupRole Management Policy Notification Rules Eligible Assignments Assignee Notifications - Assignee notification settings
- admin
Notifications Property Map - Admin notification settings
- approver
Notifications Property Map - Approver notification settings
- assignee
Notifications Property Map - Assignee notification settings
GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotifications, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotifications, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotifications, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients List<string> - The additional recipients to notify
- Default
Recipients bool - Whether the default recipients are notified
- Notification
Level string - What level of notifications are sent
- Additional
Recipients []string - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
- default
Recipients boolean - Whether the default recipients are notified
- notification
Level string - What level of notifications are sent
- additional
Recipients string[] - The additional recipients to notify
- default_
recipients bool - Whether the default recipients are notified
- notification_
level str - What level of notifications are sent
- additional_
recipients Sequence[str] - The additional recipients to notify
- default
Recipients Boolean - Whether the default recipients are notified
- notification
Level String - What level of notifications are sent
- additional
Recipients List<String> - The additional recipients to notify
Import
Because these policies are created automatically by Entra ID, they will auto-import on first use.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azuread
Terraform Provider.