1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. GroupRoleManagementPolicy
Azure Active Directory (Azure AD) v6.0.1 published on Monday, Oct 14, 2024 by Pulumi

azuread.GroupRoleManagementPolicy

Explore with Pulumi AI

azuread logo
Azure Active Directory (Azure AD) v6.0.1 published on Monday, Oct 14, 2024 by Pulumi

    Manage a role policy for an Azure AD group.

    API Permissions

    The following API permissions are required in order to use this resource.

    When authenticated with a service principal, this resource requires the RoleManagementPolicy.ReadWrite.AzureADGroup Microsoft Graph API permissions.

    When authenticated with a user principal, this resource requires Global Administrator directory role, or the Privileged Role Administrator role in Identity Governance.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as azuread from "@pulumi/azuread";
    
    const example = new azuread.Group("example", {
        displayName: "group-name",
        securityEnabled: true,
    });
    const member = new azuread.User("member", {
        userPrincipalName: "jdoe@example.com",
        displayName: "J. Doe",
        mailNickname: "jdoe",
        password: "SecretP@sswd99!",
    });
    const exampleGroupRoleManagementPolicy = new azuread.GroupRoleManagementPolicy("example", {
        groupId: example.id,
        roleId: "member",
        activeAssignmentRules: {
            expireAfter: "P365D",
        },
        eligibleAssignmentRules: {
            expirationRequired: false,
        },
        notificationRules: {
            eligibleAssignments: {
                approverNotifications: {
                    notificationLevel: "Critical",
                    defaultRecipients: false,
                    additionalRecipients: [
                        "someone@example.com",
                        "someone.else@example.com",
                    ],
                },
            },
        },
    });
    
    import pulumi
    import pulumi_azuread as azuread
    
    example = azuread.Group("example",
        display_name="group-name",
        security_enabled=True)
    member = azuread.User("member",
        user_principal_name="jdoe@example.com",
        display_name="J. Doe",
        mail_nickname="jdoe",
        password="SecretP@sswd99!")
    example_group_role_management_policy = azuread.GroupRoleManagementPolicy("example",
        group_id=example.id,
        role_id="member",
        active_assignment_rules={
            "expire_after": "P365D",
        },
        eligible_assignment_rules={
            "expiration_required": False,
        },
        notification_rules={
            "eligible_assignments": {
                "approver_notifications": {
                    "notification_level": "Critical",
                    "default_recipients": False,
                    "additional_recipients": [
                        "someone@example.com",
                        "someone.else@example.com",
                    ],
                },
            },
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := azuread.NewGroup(ctx, "example", &azuread.GroupArgs{
    			DisplayName:     pulumi.String("group-name"),
    			SecurityEnabled: pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewUser(ctx, "member", &azuread.UserArgs{
    			UserPrincipalName: pulumi.String("jdoe@example.com"),
    			DisplayName:       pulumi.String("J. Doe"),
    			MailNickname:      pulumi.String("jdoe"),
    			Password:          pulumi.String("SecretP@sswd99!"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = azuread.NewGroupRoleManagementPolicy(ctx, "example", &azuread.GroupRoleManagementPolicyArgs{
    			GroupId: example.ID(),
    			RoleId:  pulumi.String("member"),
    			ActiveAssignmentRules: &azuread.GroupRoleManagementPolicyActiveAssignmentRulesArgs{
    				ExpireAfter: pulumi.String("P365D"),
    			},
    			EligibleAssignmentRules: &azuread.GroupRoleManagementPolicyEligibleAssignmentRulesArgs{
    				ExpirationRequired: pulumi.Bool(false),
    			},
    			NotificationRules: &azuread.GroupRoleManagementPolicyNotificationRulesArgs{
    				EligibleAssignments: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
    					ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
    						NotificationLevel: pulumi.String("Critical"),
    						DefaultRecipients: pulumi.Bool(false),
    						AdditionalRecipients: pulumi.StringArray{
    							pulumi.String("someone@example.com"),
    							pulumi.String("someone.else@example.com"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using AzureAD = Pulumi.AzureAD;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new AzureAD.Group("example", new()
        {
            DisplayName = "group-name",
            SecurityEnabled = true,
        });
    
        var member = new AzureAD.User("member", new()
        {
            UserPrincipalName = "jdoe@example.com",
            DisplayName = "J. Doe",
            MailNickname = "jdoe",
            Password = "SecretP@sswd99!",
        });
    
        var exampleGroupRoleManagementPolicy = new AzureAD.GroupRoleManagementPolicy("example", new()
        {
            GroupId = example.Id,
            RoleId = "member",
            ActiveAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyActiveAssignmentRulesArgs
            {
                ExpireAfter = "P365D",
            },
            EligibleAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyEligibleAssignmentRulesArgs
            {
                ExpirationRequired = false,
            },
            NotificationRules = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesArgs
            {
                EligibleAssignments = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
                {
                    ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
                    {
                        NotificationLevel = "Critical",
                        DefaultRecipients = false,
                        AdditionalRecipients = new[]
                        {
                            "someone@example.com",
                            "someone.else@example.com",
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azuread.Group;
    import com.pulumi.azuread.GroupArgs;
    import com.pulumi.azuread.User;
    import com.pulumi.azuread.UserArgs;
    import com.pulumi.azuread.GroupRoleManagementPolicy;
    import com.pulumi.azuread.GroupRoleManagementPolicyArgs;
    import com.pulumi.azuread.inputs.GroupRoleManagementPolicyActiveAssignmentRulesArgs;
    import com.pulumi.azuread.inputs.GroupRoleManagementPolicyEligibleAssignmentRulesArgs;
    import com.pulumi.azuread.inputs.GroupRoleManagementPolicyNotificationRulesArgs;
    import com.pulumi.azuread.inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs;
    import com.pulumi.azuread.inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Group("example", GroupArgs.builder()
                .displayName("group-name")
                .securityEnabled(true)
                .build());
    
            var member = new User("member", UserArgs.builder()
                .userPrincipalName("jdoe@example.com")
                .displayName("J. Doe")
                .mailNickname("jdoe")
                .password("SecretP@sswd99!")
                .build());
    
            var exampleGroupRoleManagementPolicy = new GroupRoleManagementPolicy("exampleGroupRoleManagementPolicy", GroupRoleManagementPolicyArgs.builder()
                .groupId(example.id())
                .roleId("member")
                .activeAssignmentRules(GroupRoleManagementPolicyActiveAssignmentRulesArgs.builder()
                    .expireAfter("P365D")
                    .build())
                .eligibleAssignmentRules(GroupRoleManagementPolicyEligibleAssignmentRulesArgs.builder()
                    .expirationRequired(false)
                    .build())
                .notificationRules(GroupRoleManagementPolicyNotificationRulesArgs.builder()
                    .eligibleAssignments(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
                        .approverNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
                            .notificationLevel("Critical")
                            .defaultRecipients(false)
                            .additionalRecipients(                        
                                "someone@example.com",
                                "someone.else@example.com")
                            .build())
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: azuread:Group
        properties:
          displayName: group-name
          securityEnabled: true
      member:
        type: azuread:User
        properties:
          userPrincipalName: jdoe@example.com
          displayName: J. Doe
          mailNickname: jdoe
          password: SecretP@sswd99!
      exampleGroupRoleManagementPolicy:
        type: azuread:GroupRoleManagementPolicy
        name: example
        properties:
          groupId: ${example.id}
          roleId: member
          activeAssignmentRules:
            expireAfter: P365D
          eligibleAssignmentRules:
            expirationRequired: false
          notificationRules:
            eligibleAssignments:
              approverNotifications:
                notificationLevel: Critical
                defaultRecipients: false
                additionalRecipients:
                  - someone@example.com
                  - someone.else@example.com
    

    Create GroupRoleManagementPolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new GroupRoleManagementPolicy(name: string, args: GroupRoleManagementPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def GroupRoleManagementPolicy(resource_name: str,
                                  args: GroupRoleManagementPolicyArgs,
                                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def GroupRoleManagementPolicy(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  group_id: Optional[str] = None,
                                  role_id: Optional[str] = None,
                                  activation_rules: Optional[GroupRoleManagementPolicyActivationRulesArgs] = None,
                                  active_assignment_rules: Optional[GroupRoleManagementPolicyActiveAssignmentRulesArgs] = None,
                                  eligible_assignment_rules: Optional[GroupRoleManagementPolicyEligibleAssignmentRulesArgs] = None,
                                  notification_rules: Optional[GroupRoleManagementPolicyNotificationRulesArgs] = None)
    func NewGroupRoleManagementPolicy(ctx *Context, name string, args GroupRoleManagementPolicyArgs, opts ...ResourceOption) (*GroupRoleManagementPolicy, error)
    public GroupRoleManagementPolicy(string name, GroupRoleManagementPolicyArgs args, CustomResourceOptions? opts = null)
    public GroupRoleManagementPolicy(String name, GroupRoleManagementPolicyArgs args)
    public GroupRoleManagementPolicy(String name, GroupRoleManagementPolicyArgs args, CustomResourceOptions options)
    
    type: azuread:GroupRoleManagementPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args GroupRoleManagementPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args GroupRoleManagementPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args GroupRoleManagementPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args GroupRoleManagementPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args GroupRoleManagementPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var groupRoleManagementPolicyResource = new AzureAD.GroupRoleManagementPolicy("groupRoleManagementPolicyResource", new()
    {
        GroupId = "string",
        RoleId = "string",
        ActivationRules = new AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesArgs
        {
            ApprovalStage = new AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesApprovalStageArgs
            {
                PrimaryApprovers = new[]
                {
                    new AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs
                    {
                        ObjectId = "string",
                        Type = "string",
                    },
                },
            },
            MaximumDuration = "string",
            RequireApproval = false,
            RequireJustification = false,
            RequireMultifactorAuthentication = false,
            RequireTicketInfo = false,
            RequiredConditionalAccessAuthenticationContext = "string",
        },
        ActiveAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyActiveAssignmentRulesArgs
        {
            ExpirationRequired = false,
            ExpireAfter = "string",
            RequireJustification = false,
            RequireMultifactorAuthentication = false,
            RequireTicketInfo = false,
        },
        EligibleAssignmentRules = new AzureAD.Inputs.GroupRoleManagementPolicyEligibleAssignmentRulesArgs
        {
            ExpirationRequired = false,
            ExpireAfter = "string",
        },
        NotificationRules = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesArgs
        {
            ActiveAssignments = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs
            {
                AdminNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                AssigneeNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
            },
            EligibleActivations = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs
            {
                AdminNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                AssigneeNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
            },
            EligibleAssignments = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs
            {
                AdminNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                ApproverNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
                AssigneeNotifications = new AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs
                {
                    DefaultRecipients = false,
                    NotificationLevel = "string",
                    AdditionalRecipients = new[]
                    {
                        "string",
                    },
                },
            },
        },
    });
    
    example, err := azuread.NewGroupRoleManagementPolicy(ctx, "groupRoleManagementPolicyResource", &azuread.GroupRoleManagementPolicyArgs{
    	GroupId: pulumi.String("string"),
    	RoleId:  pulumi.String("string"),
    	ActivationRules: &azuread.GroupRoleManagementPolicyActivationRulesArgs{
    		ApprovalStage: &azuread.GroupRoleManagementPolicyActivationRulesApprovalStageArgs{
    			PrimaryApprovers: azuread.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArray{
    				&azuread.GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs{
    					ObjectId: pulumi.String("string"),
    					Type:     pulumi.String("string"),
    				},
    			},
    		},
    		MaximumDuration:                                pulumi.String("string"),
    		RequireApproval:                                pulumi.Bool(false),
    		RequireJustification:                           pulumi.Bool(false),
    		RequireMultifactorAuthentication:               pulumi.Bool(false),
    		RequireTicketInfo:                              pulumi.Bool(false),
    		RequiredConditionalAccessAuthenticationContext: pulumi.String("string"),
    	},
    	ActiveAssignmentRules: &azuread.GroupRoleManagementPolicyActiveAssignmentRulesArgs{
    		ExpirationRequired:               pulumi.Bool(false),
    		ExpireAfter:                      pulumi.String("string"),
    		RequireJustification:             pulumi.Bool(false),
    		RequireMultifactorAuthentication: pulumi.Bool(false),
    		RequireTicketInfo:                pulumi.Bool(false),
    	},
    	EligibleAssignmentRules: &azuread.GroupRoleManagementPolicyEligibleAssignmentRulesArgs{
    		ExpirationRequired: pulumi.Bool(false),
    		ExpireAfter:        pulumi.String("string"),
    	},
    	NotificationRules: &azuread.GroupRoleManagementPolicyNotificationRulesArgs{
    		ActiveAssignments: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs{
    			AdminNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			AssigneeNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		EligibleActivations: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs{
    			AdminNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			AssigneeNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    		EligibleAssignments: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs{
    			AdminNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			ApproverNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			AssigneeNotifications: &azuread.GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs{
    				DefaultRecipients: pulumi.Bool(false),
    				NotificationLevel: pulumi.String("string"),
    				AdditionalRecipients: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    		},
    	},
    })
    
    var groupRoleManagementPolicyResource = new GroupRoleManagementPolicy("groupRoleManagementPolicyResource", GroupRoleManagementPolicyArgs.builder()
        .groupId("string")
        .roleId("string")
        .activationRules(GroupRoleManagementPolicyActivationRulesArgs.builder()
            .approvalStage(GroupRoleManagementPolicyActivationRulesApprovalStageArgs.builder()
                .primaryApprovers(GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs.builder()
                    .objectId("string")
                    .type("string")
                    .build())
                .build())
            .maximumDuration("string")
            .requireApproval(false)
            .requireJustification(false)
            .requireMultifactorAuthentication(false)
            .requireTicketInfo(false)
            .requiredConditionalAccessAuthenticationContext("string")
            .build())
        .activeAssignmentRules(GroupRoleManagementPolicyActiveAssignmentRulesArgs.builder()
            .expirationRequired(false)
            .expireAfter("string")
            .requireJustification(false)
            .requireMultifactorAuthentication(false)
            .requireTicketInfo(false)
            .build())
        .eligibleAssignmentRules(GroupRoleManagementPolicyEligibleAssignmentRulesArgs.builder()
            .expirationRequired(false)
            .expireAfter("string")
            .build())
        .notificationRules(GroupRoleManagementPolicyNotificationRulesArgs.builder()
            .activeAssignments(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs.builder()
                .adminNotifications(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .approverNotifications(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .assigneeNotifications(GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .build())
            .eligibleActivations(GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs.builder()
                .adminNotifications(GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .approverNotifications(GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .assigneeNotifications(GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .build())
            .eligibleAssignments(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs.builder()
                .adminNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .approverNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .assigneeNotifications(GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs.builder()
                    .defaultRecipients(false)
                    .notificationLevel("string")
                    .additionalRecipients("string")
                    .build())
                .build())
            .build())
        .build());
    
    group_role_management_policy_resource = azuread.GroupRoleManagementPolicy("groupRoleManagementPolicyResource",
        group_id="string",
        role_id="string",
        activation_rules={
            "approval_stage": {
                "primary_approvers": [{
                    "object_id": "string",
                    "type": "string",
                }],
            },
            "maximum_duration": "string",
            "require_approval": False,
            "require_justification": False,
            "require_multifactor_authentication": False,
            "require_ticket_info": False,
            "required_conditional_access_authentication_context": "string",
        },
        active_assignment_rules={
            "expiration_required": False,
            "expire_after": "string",
            "require_justification": False,
            "require_multifactor_authentication": False,
            "require_ticket_info": False,
        },
        eligible_assignment_rules={
            "expiration_required": False,
            "expire_after": "string",
        },
        notification_rules={
            "active_assignments": {
                "admin_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "approver_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "assignee_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
            },
            "eligible_activations": {
                "admin_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "approver_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "assignee_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
            },
            "eligible_assignments": {
                "admin_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "approver_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
                "assignee_notifications": {
                    "default_recipients": False,
                    "notification_level": "string",
                    "additional_recipients": ["string"],
                },
            },
        })
    
    const groupRoleManagementPolicyResource = new azuread.GroupRoleManagementPolicy("groupRoleManagementPolicyResource", {
        groupId: "string",
        roleId: "string",
        activationRules: {
            approvalStage: {
                primaryApprovers: [{
                    objectId: "string",
                    type: "string",
                }],
            },
            maximumDuration: "string",
            requireApproval: false,
            requireJustification: false,
            requireMultifactorAuthentication: false,
            requireTicketInfo: false,
            requiredConditionalAccessAuthenticationContext: "string",
        },
        activeAssignmentRules: {
            expirationRequired: false,
            expireAfter: "string",
            requireJustification: false,
            requireMultifactorAuthentication: false,
            requireTicketInfo: false,
        },
        eligibleAssignmentRules: {
            expirationRequired: false,
            expireAfter: "string",
        },
        notificationRules: {
            activeAssignments: {
                adminNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                approverNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                assigneeNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
            },
            eligibleActivations: {
                adminNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                approverNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                assigneeNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
            },
            eligibleAssignments: {
                adminNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                approverNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
                assigneeNotifications: {
                    defaultRecipients: false,
                    notificationLevel: "string",
                    additionalRecipients: ["string"],
                },
            },
        },
    });
    
    type: azuread:GroupRoleManagementPolicy
    properties:
        activationRules:
            approvalStage:
                primaryApprovers:
                    - objectId: string
                      type: string
            maximumDuration: string
            requireApproval: false
            requireJustification: false
            requireMultifactorAuthentication: false
            requireTicketInfo: false
            requiredConditionalAccessAuthenticationContext: string
        activeAssignmentRules:
            expirationRequired: false
            expireAfter: string
            requireJustification: false
            requireMultifactorAuthentication: false
            requireTicketInfo: false
        eligibleAssignmentRules:
            expirationRequired: false
            expireAfter: string
        groupId: string
        notificationRules:
            activeAssignments:
                adminNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                approverNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                assigneeNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
            eligibleActivations:
                adminNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                approverNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                assigneeNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
            eligibleAssignments:
                adminNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                approverNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
                assigneeNotifications:
                    additionalRecipients:
                        - string
                    defaultRecipients: false
                    notificationLevel: string
        roleId: string
    

    GroupRoleManagementPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The GroupRoleManagementPolicy resource accepts the following input properties:

    GroupId string
    The ID of the Azure AD group for which the policy applies.
    RoleId string
    The type of assignment this policy coveres. Can be either member or owner.
    ActivationRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    ActiveAssignmentRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    EligibleAssignmentRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    NotificationRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    GroupId string
    The ID of the Azure AD group for which the policy applies.
    RoleId string
    The type of assignment this policy coveres. Can be either member or owner.
    ActivationRules GroupRoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    ActiveAssignmentRules GroupRoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    EligibleAssignmentRules GroupRoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    NotificationRules GroupRoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    groupId String
    The ID of the Azure AD group for which the policy applies.
    roleId String
    The type of assignment this policy coveres. Can be either member or owner.
    activationRules GroupRoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules GroupRoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    eligibleAssignmentRules GroupRoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    notificationRules GroupRoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    groupId string
    The ID of the Azure AD group for which the policy applies.
    roleId string
    The type of assignment this policy coveres. Can be either member or owner.
    activationRules GroupRoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules GroupRoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    eligibleAssignmentRules GroupRoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    notificationRules GroupRoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    group_id str
    The ID of the Azure AD group for which the policy applies.
    role_id str
    The type of assignment this policy coveres. Can be either member or owner.
    activation_rules GroupRoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    active_assignment_rules GroupRoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    eligible_assignment_rules GroupRoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    notification_rules GroupRoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    groupId String
    The ID of the Azure AD group for which the policy applies.
    roleId String
    The type of assignment this policy coveres. Can be either member or owner.
    activationRules Property Map
    An activation_rules block as defined below.
    activeAssignmentRules Property Map
    An active_assignment_rules block as defined below.
    eligibleAssignmentRules Property Map
    An eligible_assignment_rules block as defined below.
    notificationRules Property Map
    A notification_rules block as defined below.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the GroupRoleManagementPolicy resource produces the following output properties:

    Description string
    (String) The description of this policy.
    DisplayName string
    (String) The display name of this policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    Description string
    (String) The description of this policy.
    DisplayName string
    (String) The display name of this policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    description String
    (String) The description of this policy.
    displayName String
    (String) The display name of this policy.
    id String
    The provider-assigned unique ID for this managed resource.
    description string
    (String) The description of this policy.
    displayName string
    (String) The display name of this policy.
    id string
    The provider-assigned unique ID for this managed resource.
    description str
    (String) The description of this policy.
    display_name str
    (String) The display name of this policy.
    id str
    The provider-assigned unique ID for this managed resource.
    description String
    (String) The description of this policy.
    displayName String
    (String) The display name of this policy.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing GroupRoleManagementPolicy Resource

    Get an existing GroupRoleManagementPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: GroupRoleManagementPolicyState, opts?: CustomResourceOptions): GroupRoleManagementPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            activation_rules: Optional[GroupRoleManagementPolicyActivationRulesArgs] = None,
            active_assignment_rules: Optional[GroupRoleManagementPolicyActiveAssignmentRulesArgs] = None,
            description: Optional[str] = None,
            display_name: Optional[str] = None,
            eligible_assignment_rules: Optional[GroupRoleManagementPolicyEligibleAssignmentRulesArgs] = None,
            group_id: Optional[str] = None,
            notification_rules: Optional[GroupRoleManagementPolicyNotificationRulesArgs] = None,
            role_id: Optional[str] = None) -> GroupRoleManagementPolicy
    func GetGroupRoleManagementPolicy(ctx *Context, name string, id IDInput, state *GroupRoleManagementPolicyState, opts ...ResourceOption) (*GroupRoleManagementPolicy, error)
    public static GroupRoleManagementPolicy Get(string name, Input<string> id, GroupRoleManagementPolicyState? state, CustomResourceOptions? opts = null)
    public static GroupRoleManagementPolicy get(String name, Output<String> id, GroupRoleManagementPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    ActivationRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    ActiveAssignmentRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    Description string
    (String) The description of this policy.
    DisplayName string
    (String) The display name of this policy.
    EligibleAssignmentRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    GroupId string
    The ID of the Azure AD group for which the policy applies.
    NotificationRules Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    RoleId string
    The type of assignment this policy coveres. Can be either member or owner.
    ActivationRules GroupRoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    ActiveAssignmentRules GroupRoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    Description string
    (String) The description of this policy.
    DisplayName string
    (String) The display name of this policy.
    EligibleAssignmentRules GroupRoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    GroupId string
    The ID of the Azure AD group for which the policy applies.
    NotificationRules GroupRoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    RoleId string
    The type of assignment this policy coveres. Can be either member or owner.
    activationRules GroupRoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules GroupRoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    description String
    (String) The description of this policy.
    displayName String
    (String) The display name of this policy.
    eligibleAssignmentRules GroupRoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    groupId String
    The ID of the Azure AD group for which the policy applies.
    notificationRules GroupRoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    roleId String
    The type of assignment this policy coveres. Can be either member or owner.
    activationRules GroupRoleManagementPolicyActivationRules
    An activation_rules block as defined below.
    activeAssignmentRules GroupRoleManagementPolicyActiveAssignmentRules
    An active_assignment_rules block as defined below.
    description string
    (String) The description of this policy.
    displayName string
    (String) The display name of this policy.
    eligibleAssignmentRules GroupRoleManagementPolicyEligibleAssignmentRules
    An eligible_assignment_rules block as defined below.
    groupId string
    The ID of the Azure AD group for which the policy applies.
    notificationRules GroupRoleManagementPolicyNotificationRules
    A notification_rules block as defined below.
    roleId string
    The type of assignment this policy coveres. Can be either member or owner.
    activation_rules GroupRoleManagementPolicyActivationRulesArgs
    An activation_rules block as defined below.
    active_assignment_rules GroupRoleManagementPolicyActiveAssignmentRulesArgs
    An active_assignment_rules block as defined below.
    description str
    (String) The description of this policy.
    display_name str
    (String) The display name of this policy.
    eligible_assignment_rules GroupRoleManagementPolicyEligibleAssignmentRulesArgs
    An eligible_assignment_rules block as defined below.
    group_id str
    The ID of the Azure AD group for which the policy applies.
    notification_rules GroupRoleManagementPolicyNotificationRulesArgs
    A notification_rules block as defined below.
    role_id str
    The type of assignment this policy coveres. Can be either member or owner.
    activationRules Property Map
    An activation_rules block as defined below.
    activeAssignmentRules Property Map
    An active_assignment_rules block as defined below.
    description String
    (String) The description of this policy.
    displayName String
    (String) The display name of this policy.
    eligibleAssignmentRules Property Map
    An eligible_assignment_rules block as defined below.
    groupId String
    The ID of the Azure AD group for which the policy applies.
    notificationRules Property Map
    A notification_rules block as defined below.
    roleId String
    The type of assignment this policy coveres. Can be either member or owner.

    Supporting Types

    GroupRoleManagementPolicyActivationRules, GroupRoleManagementPolicyActivationRulesArgs

    ApprovalStage Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    MaximumDuration string
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    RequireApproval bool
    Is approval required for activation. If true an approval_stage block must be provided.
    RequireJustification bool
    Is a justification required during activation of the role.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    RequireTicketInfo bool
    Is ticket information requrired during activation of the role.
    RequiredConditionalAccessAuthenticationContext string
    The Entra ID Conditional Access context that must be present for activation (e.g c1). Conflicts with require_multifactor_authentication.
    ApprovalStage GroupRoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    MaximumDuration string
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    RequireApproval bool
    Is approval required for activation. If true an approval_stage block must be provided.
    RequireJustification bool
    Is a justification required during activation of the role.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    RequireTicketInfo bool
    Is ticket information requrired during activation of the role.
    RequiredConditionalAccessAuthenticationContext string
    The Entra ID Conditional Access context that must be present for activation (e.g c1). Conflicts with require_multifactor_authentication.
    approvalStage GroupRoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    maximumDuration String
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    requireApproval Boolean
    Is approval required for activation. If true an approval_stage block must be provided.
    requireJustification Boolean
    Is a justification required during activation of the role.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    requireTicketInfo Boolean
    Is ticket information requrired during activation of the role.
    requiredConditionalAccessAuthenticationContext String
    The Entra ID Conditional Access context that must be present for activation (e.g c1). Conflicts with require_multifactor_authentication.
    approvalStage GroupRoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    maximumDuration string
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    requireApproval boolean
    Is approval required for activation. If true an approval_stage block must be provided.
    requireJustification boolean
    Is a justification required during activation of the role.
    requireMultifactorAuthentication boolean
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    requireTicketInfo boolean
    Is ticket information requrired during activation of the role.
    requiredConditionalAccessAuthenticationContext string
    The Entra ID Conditional Access context that must be present for activation (e.g c1). Conflicts with require_multifactor_authentication.
    approval_stage GroupRoleManagementPolicyActivationRulesApprovalStage
    An approval_stage block as defined below.
    maximum_duration str
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    require_approval bool
    Is approval required for activation. If true an approval_stage block must be provided.
    require_justification bool
    Is a justification required during activation of the role.
    require_multifactor_authentication bool
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    require_ticket_info bool
    Is ticket information requrired during activation of the role.
    required_conditional_access_authentication_context str
    The Entra ID Conditional Access context that must be present for activation (e.g c1). Conflicts with require_multifactor_authentication.
    approvalStage Property Map
    An approval_stage block as defined below.
    maximumDuration String
    The maximum length of time an activated role can be valid, in an ISO8601 Duration format (e.g. PT8H). Valid range is PT30M to PT23H30M, in 30 minute increments, or PT1D.
    requireApproval Boolean
    Is approval required for activation. If true an approval_stage block must be provided.
    requireJustification Boolean
    Is a justification required during activation of the role.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to activate the role. Conflicts with required_conditional_access_authentication_context.
    requireTicketInfo Boolean
    Is ticket information requrired during activation of the role.
    requiredConditionalAccessAuthenticationContext String
    The Entra ID Conditional Access context that must be present for activation (e.g c1). Conflicts with require_multifactor_authentication.

    GroupRoleManagementPolicyActivationRulesApprovalStage, GroupRoleManagementPolicyActivationRulesApprovalStageArgs

    PrimaryApprovers []GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover
    The IDs of the users or groups who can approve the activation
    primaryApprovers List<GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover>
    The IDs of the users or groups who can approve the activation
    primaryApprovers GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover[]
    The IDs of the users or groups who can approve the activation
    primaryApprovers List<Property Map>
    The IDs of the users or groups who can approve the activation

    GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApprover, GroupRoleManagementPolicyActivationRulesApprovalStagePrimaryApproverArgs

    ObjectId string
    The ID of the object which will act as an approver.
    Type string
    The type of object acting as an approver. Possible options are singleUser and groupMembers.
    ObjectId string
    The ID of the object which will act as an approver.
    Type string
    The type of object acting as an approver. Possible options are singleUser and groupMembers.
    objectId String
    The ID of the object which will act as an approver.
    type String
    The type of object acting as an approver. Possible options are singleUser and groupMembers.
    objectId string
    The ID of the object which will act as an approver.
    type string
    The type of object acting as an approver. Possible options are singleUser and groupMembers.
    object_id str
    The ID of the object which will act as an approver.
    type str
    The type of object acting as an approver. Possible options are singleUser and groupMembers.
    objectId String
    The ID of the object which will act as an approver.
    type String
    The type of object acting as an approver. Possible options are singleUser and groupMembers.

    GroupRoleManagementPolicyActiveAssignmentRules, GroupRoleManagementPolicyActiveAssignmentRulesArgs

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    RequireJustification bool
    Is a justification required to create new assignments.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to create new assignments.
    RequireTicketInfo bool

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    RequireJustification bool
    Is a justification required to create new assignments.
    RequireMultifactorAuthentication bool
    Is multi-factor authentication required to create new assignments.
    RequireTicketInfo bool

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    requireJustification Boolean
    Is a justification required to create new assignments.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to create new assignments.
    requireTicketInfo Boolean

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expirationRequired boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter string
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    requireJustification boolean
    Is a justification required to create new assignments.
    requireMultifactorAuthentication boolean
    Is multi-factor authentication required to create new assignments.
    requireTicketInfo boolean

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expiration_required bool
    Must an assignment have an expiry date. false allows permanent assignment.
    expire_after str
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    require_justification bool
    Is a justification required to create new assignments.
    require_multifactor_authentication bool
    Is multi-factor authentication required to create new assignments.
    require_ticket_info bool

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String
    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.
    requireJustification Boolean
    Is a justification required to create new assignments.
    requireMultifactorAuthentication Boolean
    Is multi-factor authentication required to create new assignments.
    requireTicketInfo Boolean

    Is ticket information required to create new assignments.

    One of expiration_required or expire_after must be provided.

    GroupRoleManagementPolicyEligibleAssignmentRules, GroupRoleManagementPolicyEligibleAssignmentRulesArgs

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    ExpirationRequired bool
    Must an assignment have an expiry date. false allows permanent assignment.
    ExpireAfter string

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expirationRequired boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter string

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expiration_required bool
    Must an assignment have an expiry date. false allows permanent assignment.
    expire_after str

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    expirationRequired Boolean
    Must an assignment have an expiry date. false allows permanent assignment.
    expireAfter String

    The maximum length of time an assignment can be valid, as an ISO8601 duration. Permitted values: P15D, P30D, P90D, P180D, or P365D.

    One of expiration_required or expire_after must be provided.

    GroupRoleManagementPolicyNotificationRules, GroupRoleManagementPolicyNotificationRulesArgs

    ActiveAssignments Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notfications on active role assignments.
    EligibleActivations Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of eligible role.
    EligibleAssignments Pulumi.AzureAD.Inputs.GroupRoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    ActiveAssignments GroupRoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notfications on active role assignments.
    EligibleActivations GroupRoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of eligible role.
    EligibleAssignments GroupRoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    activeAssignments GroupRoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notfications on active role assignments.
    eligibleActivations GroupRoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of eligible role.
    eligibleAssignments GroupRoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    activeAssignments GroupRoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notfications on active role assignments.
    eligibleActivations GroupRoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of eligible role.
    eligibleAssignments GroupRoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    active_assignments GroupRoleManagementPolicyNotificationRulesActiveAssignments
    A notification_target block as defined below to configure notfications on active role assignments.
    eligible_activations GroupRoleManagementPolicyNotificationRulesEligibleActivations
    A notification_target block as defined below for configuring notifications on activation of eligible role.
    eligible_assignments GroupRoleManagementPolicyNotificationRulesEligibleAssignments

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    activeAssignments Property Map
    A notification_target block as defined below to configure notfications on active role assignments.
    eligibleActivations Property Map
    A notification_target block as defined below for configuring notifications on activation of eligible role.
    eligibleAssignments Property Map

    A notification_target block as defined below to configure notification on eligible role assignments.

    At least one notification_target block must be provided.

    GroupRoleManagementPolicyNotificationRulesActiveAssignments, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsArgs

    adminNotifications Property Map
    Admin notification settings
    approverNotifications Property Map
    Approver notification settings
    assigneeNotifications Property Map
    Assignee notification settings

    GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotifications, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAdminNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotifications, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsApproverNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotifications, GroupRoleManagementPolicyNotificationRulesActiveAssignmentsAssigneeNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesEligibleActivations, GroupRoleManagementPolicyNotificationRulesEligibleActivationsArgs

    adminNotifications Property Map
    Admin notification settings
    approverNotifications Property Map
    Approver notification settings
    assigneeNotifications Property Map
    Assignee notification settings

    GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotifications, GroupRoleManagementPolicyNotificationRulesEligibleActivationsAdminNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotifications, GroupRoleManagementPolicyNotificationRulesEligibleActivationsApproverNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotifications, GroupRoleManagementPolicyNotificationRulesEligibleActivationsAssigneeNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesEligibleAssignments, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsArgs

    adminNotifications Property Map
    Admin notification settings
    approverNotifications Property Map
    Approver notification settings
    assigneeNotifications Property Map
    Assignee notification settings

    GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotifications, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAdminNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotifications, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsApproverNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotifications, GroupRoleManagementPolicyNotificationRulesEligibleAssignmentsAssigneeNotificationsArgs

    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients List<string>
    The additional recipients to notify
    DefaultRecipients bool
    Whether the default recipients are notified
    NotificationLevel string
    What level of notifications are sent
    AdditionalRecipients []string
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify
    defaultRecipients boolean
    Whether the default recipients are notified
    notificationLevel string
    What level of notifications are sent
    additionalRecipients string[]
    The additional recipients to notify
    default_recipients bool
    Whether the default recipients are notified
    notification_level str
    What level of notifications are sent
    additional_recipients Sequence[str]
    The additional recipients to notify
    defaultRecipients Boolean
    Whether the default recipients are notified
    notificationLevel String
    What level of notifications are sent
    additionalRecipients List<String>
    The additional recipients to notify

    Import

    Because these policies are created automatically by Entra ID, they will auto-import on first use.

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    Azure Active Directory (Azure AD) pulumi/pulumi-azuread
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azuread Terraform Provider.
    azuread logo
    Azure Active Directory (Azure AD) v6.0.1 published on Monday, Oct 14, 2024 by Pulumi