azuread.ServicePrincipal
Explore with Pulumi AI
Example Usage
Create a service principal for an application
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const example = new azuread.Application("example", {
displayName: "example",
owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
clientId: example.clientId,
appRoleAssignmentRequired: false,
owners: [current.then(current => current.objectId)],
});
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example = azuread.Application("example",
display_name="example",
owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("example",
client_id=example.client_id,
app_role_assignment_required=False,
owners=[current.object_id])
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
Owners: pulumi.StringArray{
pulumi.String(current.ObjectId),
},
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
ClientId: example.ClientId,
AppRoleAssignmentRequired: pulumi.Bool(false),
Owners: pulumi.StringArray{
pulumi.String(current.ObjectId),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var example = new AzureAD.Application("example", new()
{
DisplayName = "example",
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
{
ClientId = example.ClientId,
AppRoleAssignmentRequired = false,
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var example = new Application("example", ApplicationArgs.builder()
.displayName("example")
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.clientId(example.clientId())
.appRoleAssignmentRequired(false)
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
}
}
resources:
example:
type: azuread:Application
properties:
displayName: example
owners:
- ${current.objectId}
exampleServicePrincipal:
type: azuread:ServicePrincipal
name: example
properties:
clientId: ${example.clientId}
appRoleAssignmentRequired: false
owners:
- ${current.objectId}
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Create a service principal for an enterprise application
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const current = azuread.getClientConfig({});
const example = new azuread.Application("example", {
displayName: "example",
owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
clientId: example.clientId,
appRoleAssignmentRequired: false,
owners: [current.then(current => current.objectId)],
featureTags: [{
enterprise: true,
gallery: true,
}],
});
import pulumi
import pulumi_azuread as azuread
current = azuread.get_client_config()
example = azuread.Application("example",
display_name="example",
owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("example",
client_id=example.client_id,
app_role_assignment_required=False,
owners=[current.object_id],
feature_tags=[{
"enterprise": True,
"gallery": True,
}])
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
Owners: pulumi.StringArray{
pulumi.String(current.ObjectId),
},
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
ClientId: example.ClientId,
AppRoleAssignmentRequired: pulumi.Bool(false),
Owners: pulumi.StringArray{
pulumi.String(current.ObjectId),
},
FeatureTags: azuread.ServicePrincipalFeatureTagArray{
&azuread.ServicePrincipalFeatureTagArgs{
Enterprise: pulumi.Bool(true),
Gallery: pulumi.Bool(true),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var current = AzureAD.GetClientConfig.Invoke();
var example = new AzureAD.Application("example", new()
{
DisplayName = "example",
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
{
ClientId = example.ClientId,
AppRoleAssignmentRequired = false,
Owners = new[]
{
current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
},
FeatureTags = new[]
{
new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
{
Enterprise = true,
Gallery = true,
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AzureadFunctions.getClientConfig();
var example = new Application("example", ApplicationArgs.builder()
.displayName("example")
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.clientId(example.clientId())
.appRoleAssignmentRequired(false)
.owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
.featureTags(ServicePrincipalFeatureTagArgs.builder()
.enterprise(true)
.gallery(true)
.build())
.build());
}
}
resources:
example:
type: azuread:Application
properties:
displayName: example
owners:
- ${current.objectId}
exampleServicePrincipal:
type: azuread:ServicePrincipal
name: example
properties:
clientId: ${example.clientId}
appRoleAssignmentRequired: false
owners:
- ${current.objectId}
featureTags:
- enterprise: true
gallery: true
variables:
current:
fn::invoke:
Function: azuread:getClientConfig
Arguments: {}
Manage a service principal for a first-party Microsoft application
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
useExisting: true,
});
import pulumi
import pulumi_azuread as azuread
well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
client_id=well_known.result["microsoftGraph"],
use_existing=True)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
ClientId: pulumi.String(wellKnown.Result.MicrosoftGraph),
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
{
ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
UseExisting = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
.clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
.useExisting(true)
.build());
}
}
resources:
msgraph:
type: azuread:ServicePrincipal
properties:
clientId: ${wellKnown.result.microsoftGraph}
useExisting: true
variables:
wellKnown:
fn::invoke:
Function: azuread:getApplicationPublishedAppIds
Arguments: {}
Create a service principal for an application created from a gallery template
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const example = azuread.getApplicationTemplate({
displayName: "Marketo",
});
const exampleApplication = new azuread.Application("example", {
displayName: "example",
templateId: example.then(example => example.templateId),
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
clientId: exampleApplication.clientId,
useExisting: true,
});
import pulumi
import pulumi_azuread as azuread
example = azuread.get_application_template(display_name="Marketo")
example_application = azuread.Application("example",
display_name="example",
template_id=example.template_id)
example_service_principal = azuread.ServicePrincipal("example",
client_id=example_application.client_id,
use_existing=True)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{
DisplayName: pulumi.StringRef("Marketo"),
}, nil)
if err != nil {
return err
}
exampleApplication, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
TemplateId: pulumi.String(example.TemplateId),
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
ClientId: exampleApplication.ClientId,
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var example = AzureAD.GetApplicationTemplate.Invoke(new()
{
DisplayName = "Marketo",
});
var exampleApplication = new AzureAD.Application("example", new()
{
DisplayName = "example",
TemplateId = example.Apply(getApplicationTemplateResult => getApplicationTemplateResult.TemplateId),
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
{
ClientId = exampleApplication.ClientId,
UseExisting = true,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetApplicationTemplateArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var example = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()
.displayName("Marketo")
.build());
var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
.displayName("example")
.templateId(example.applyValue(getApplicationTemplateResult -> getApplicationTemplateResult.templateId()))
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.clientId(exampleApplication.clientId())
.useExisting(true)
.build());
}
}
resources:
exampleApplication:
type: azuread:Application
name: example
properties:
displayName: example
templateId: ${example.templateId}
exampleServicePrincipal:
type: azuread:ServicePrincipal
name: example
properties:
clientId: ${exampleApplication.clientId}
useExisting: true
variables:
example:
fn::invoke:
Function: azuread:getApplicationTemplate
Arguments:
displayName: Marketo
Create ServicePrincipal Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ServicePrincipal(name: string, args: ServicePrincipalArgs, opts?: CustomResourceOptions);
@overload
def ServicePrincipal(resource_name: str,
args: ServicePrincipalArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ServicePrincipal(resource_name: str,
opts: Optional[ResourceOptions] = None,
client_id: Optional[str] = None,
features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
notes: Optional[str] = None,
alternative_names: Optional[Sequence[str]] = None,
description: Optional[str] = None,
feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
account_enabled: Optional[bool] = None,
login_url: Optional[str] = None,
app_role_assignment_required: Optional[bool] = None,
notification_email_addresses: Optional[Sequence[str]] = None,
owners: Optional[Sequence[str]] = None,
preferred_single_sign_on_mode: Optional[str] = None,
saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
tags: Optional[Sequence[str]] = None,
use_existing: Optional[bool] = None)
func NewServicePrincipal(ctx *Context, name string, args ServicePrincipalArgs, opts ...ResourceOption) (*ServicePrincipal, error)
public ServicePrincipal(string name, ServicePrincipalArgs args, CustomResourceOptions? opts = null)
public ServicePrincipal(String name, ServicePrincipalArgs args)
public ServicePrincipal(String name, ServicePrincipalArgs args, CustomResourceOptions options)
type: azuread:ServicePrincipal
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ServicePrincipalArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var servicePrincipalResource = new AzureAD.ServicePrincipal("servicePrincipalResource", new()
{
ClientId = "string",
Notes = "string",
AlternativeNames = new[]
{
"string",
},
Description = "string",
FeatureTags = new[]
{
new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
{
CustomSingleSignOn = false,
Enterprise = false,
Gallery = false,
Hide = false,
},
},
AccountEnabled = false,
LoginUrl = "string",
AppRoleAssignmentRequired = false,
NotificationEmailAddresses = new[]
{
"string",
},
Owners = new[]
{
"string",
},
PreferredSingleSignOnMode = "string",
SamlSingleSignOn = new AzureAD.Inputs.ServicePrincipalSamlSingleSignOnArgs
{
RelayState = "string",
},
Tags = new[]
{
"string",
},
UseExisting = false,
});
example, err := azuread.NewServicePrincipal(ctx, "servicePrincipalResource", &azuread.ServicePrincipalArgs{
ClientId: pulumi.String("string"),
Notes: pulumi.String("string"),
AlternativeNames: pulumi.StringArray{
pulumi.String("string"),
},
Description: pulumi.String("string"),
FeatureTags: azuread.ServicePrincipalFeatureTagArray{
&azuread.ServicePrincipalFeatureTagArgs{
CustomSingleSignOn: pulumi.Bool(false),
Enterprise: pulumi.Bool(false),
Gallery: pulumi.Bool(false),
Hide: pulumi.Bool(false),
},
},
AccountEnabled: pulumi.Bool(false),
LoginUrl: pulumi.String("string"),
AppRoleAssignmentRequired: pulumi.Bool(false),
NotificationEmailAddresses: pulumi.StringArray{
pulumi.String("string"),
},
Owners: pulumi.StringArray{
pulumi.String("string"),
},
PreferredSingleSignOnMode: pulumi.String("string"),
SamlSingleSignOn: &azuread.ServicePrincipalSamlSingleSignOnArgs{
RelayState: pulumi.String("string"),
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
UseExisting: pulumi.Bool(false),
})
var servicePrincipalResource = new ServicePrincipal("servicePrincipalResource", ServicePrincipalArgs.builder()
.clientId("string")
.notes("string")
.alternativeNames("string")
.description("string")
.featureTags(ServicePrincipalFeatureTagArgs.builder()
.customSingleSignOn(false)
.enterprise(false)
.gallery(false)
.hide(false)
.build())
.accountEnabled(false)
.loginUrl("string")
.appRoleAssignmentRequired(false)
.notificationEmailAddresses("string")
.owners("string")
.preferredSingleSignOnMode("string")
.samlSingleSignOn(ServicePrincipalSamlSingleSignOnArgs.builder()
.relayState("string")
.build())
.tags("string")
.useExisting(false)
.build());
service_principal_resource = azuread.ServicePrincipal("servicePrincipalResource",
client_id="string",
notes="string",
alternative_names=["string"],
description="string",
feature_tags=[{
"custom_single_sign_on": False,
"enterprise": False,
"gallery": False,
"hide": False,
}],
account_enabled=False,
login_url="string",
app_role_assignment_required=False,
notification_email_addresses=["string"],
owners=["string"],
preferred_single_sign_on_mode="string",
saml_single_sign_on={
"relay_state": "string",
},
tags=["string"],
use_existing=False)
const servicePrincipalResource = new azuread.ServicePrincipal("servicePrincipalResource", {
clientId: "string",
notes: "string",
alternativeNames: ["string"],
description: "string",
featureTags: [{
customSingleSignOn: false,
enterprise: false,
gallery: false,
hide: false,
}],
accountEnabled: false,
loginUrl: "string",
appRoleAssignmentRequired: false,
notificationEmailAddresses: ["string"],
owners: ["string"],
preferredSingleSignOnMode: "string",
samlSingleSignOn: {
relayState: "string",
},
tags: ["string"],
useExisting: false,
});
type: azuread:ServicePrincipal
properties:
accountEnabled: false
alternativeNames:
- string
appRoleAssignmentRequired: false
clientId: string
description: string
featureTags:
- customSingleSignOn: false
enterprise: false
gallery: false
hide: false
loginUrl: string
notes: string
notificationEmailAddresses:
- string
owners:
- string
preferredSingleSignOnMode: string
samlSingleSignOn:
relayState: string
tags:
- string
useExisting: false
ServicePrincipal Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ServicePrincipal resource accepts the following input properties:
- Client
Id string - The client ID of the application for which to create a service principal.
- Account
Enabled bool - Whether or not the service principal account is enabled. Defaults to
true
. - Alternative
Names List<string> - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - Description string
- A description of the service principal provided for internal end-users.
- List<Pulumi.
Azure AD. Inputs. Service Principal Feature Tag> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
List<Pulumi.
Azure AD. Inputs. Service Principal Feature> - Block of features to configure for this service principal using tags
- Login
Url string - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Notes string
- A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email List<string>Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Owners List<string>
- A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - Saml
Single Pulumi.Sign On Azure AD. Inputs. Service Principal Saml Single Sign On - A
saml_single_sign_on
block as documented below. - List<string>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Use
Existing bool - When true, the resource will return an existing service principal instead of failing with an error
- Client
Id string - The client ID of the application for which to create a service principal.
- Account
Enabled bool - Whether or not the service principal account is enabled. Defaults to
true
. - Alternative
Names []string - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - Description string
- A description of the service principal provided for internal end-users.
- []Service
Principal Feature Tag Args A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
[]Service
Principal Feature Args - Block of features to configure for this service principal using tags
- Login
Url string - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Notes string
- A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email []stringAddresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Owners []string
- A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - Saml
Single ServiceSign On Principal Saml Single Sign On Args - A
saml_single_sign_on
block as documented below. - []string
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Use
Existing bool - When true, the resource will return an existing service principal instead of failing with an error
- client
Id String - The client ID of the application for which to create a service principal.
- account
Enabled Boolean - Whether or not the service principal account is enabled. Defaults to
true
. - alternative
Names List<String> - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - description String
- A description of the service principal provided for internal end-users.
- List<Service
Principal Feature Tag> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
List<Service
Principal Feature> - Block of features to configure for this service principal using tags
- login
Url String - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes String
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners List<String>
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - saml
Single ServiceSign On Principal Saml Single Sign On - A
saml_single_sign_on
block as documented below. - List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use
Existing Boolean - When true, the resource will return an existing service principal instead of failing with an error
- client
Id string - The client ID of the application for which to create a service principal.
- account
Enabled boolean - Whether or not the service principal account is enabled. Defaults to
true
. - alternative
Names string[] - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role booleanAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - description string
- A description of the service principal provided for internal end-users.
- Service
Principal Feature Tag[] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Service
Principal Feature[] - Block of features to configure for this service principal using tags
- login
Url string - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes string
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email string[]Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners string[]
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single stringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - saml
Single ServiceSign On Principal Saml Single Sign On - A
saml_single_sign_on
block as documented below. - string[]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use
Existing boolean - When true, the resource will return an existing service principal instead of failing with an error
- client_
id str - The client ID of the application for which to create a service principal.
- account_
enabled bool - Whether or not the service principal account is enabled. Defaults to
true
. - alternative_
names Sequence[str] - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app_
role_ boolassignment_ required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - description str
- A description of the service principal provided for internal end-users.
- Sequence[Service
Principal Feature Tag Args] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Sequence[Service
Principal Feature Args] - Block of features to configure for this service principal using tags
- login_
url str - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes str
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification_
email_ Sequence[str]addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners Sequence[str]
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred_
single_ strsign_ on_ mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - saml_
single_ Servicesign_ on Principal Saml Single Sign On Args - A
saml_single_sign_on
block as documented below. - Sequence[str]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use_
existing bool - When true, the resource will return an existing service principal instead of failing with an error
- client
Id String - The client ID of the application for which to create a service principal.
- account
Enabled Boolean - Whether or not the service principal account is enabled. Defaults to
true
. - alternative
Names List<String> - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - description String
- A description of the service principal provided for internal end-users.
- List<Property Map>
A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features List<Property Map>
- Block of features to configure for this service principal using tags
- login
Url String - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- notes String
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- owners List<String>
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - saml
Single Property MapSign On - A
saml_single_sign_on
block as documented below. - List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- use
Existing Boolean - When true, the resource will return an existing service principal instead of failing with an error
Outputs
All input properties are implicitly available as output properties. Additionally, the ServicePrincipal resource produces the following output properties:
- App
Role Dictionary<string, string>Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles List<Pulumi.Azure AD. Outputs. Service Principal App Role> - A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Tenant stringId - The tenant ID where the associated application is registered.
- Display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- Homepage
Url string - Home page or landing page of the associated application.
- Id string
- The provider-assigned unique ID for this managed resource.
- Logout
Url string - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Oauth2Permission
Scope Dictionary<string, string>Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes List<Pulumi.Azure AD. Outputs. Service Principal Oauth2Permission Scope> - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string - The object ID of the service principal.
- Redirect
Uris List<string> - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl - The URL where the service exposes SAML metadata for federation.
- Service
Principal List<string>Names - A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - Type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- App
Role map[string]stringIds - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles []ServicePrincipal App Role - A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Tenant stringId - The tenant ID where the associated application is registered.
- Display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- Homepage
Url string - Home page or landing page of the associated application.
- Id string
- The provider-assigned unique ID for this managed resource.
- Logout
Url string - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Oauth2Permission
Scope map[string]stringIds - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes []ServicePrincipal Oauth2Permission Scope - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string - The object ID of the service principal.
- Redirect
Uris []string - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl - The URL where the service exposes SAML metadata for federation.
- Service
Principal []stringNames - A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - Type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app
Role Map<String,String>Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<ServicePrincipal App Role> - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant StringId - The tenant ID where the associated application is registered.
- display
Name String - Display name for the app role that appears during app role assignment and in consent experiences.
- homepage
Url String - Home page or landing page of the associated application.
- id String
- The provider-assigned unique ID for this managed resource.
- logout
Url String - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2Permission
Scope Map<String,String>Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<ServicePrincipal Oauth2Permission Scope> - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String - The object ID of the service principal.
- redirect
Uris List<String> - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl - The URL where the service exposes SAML metadata for federation.
- service
Principal List<String>Names - A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - type String
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app
Role {[key: string]: string}Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles ServicePrincipal App Role[] - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant stringId - The tenant ID where the associated application is registered.
- display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- homepage
Url string - Home page or landing page of the associated application.
- id string
- The provider-assigned unique ID for this managed resource.
- logout
Url string - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2Permission
Scope {[key: string]: string}Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes ServicePrincipal Oauth2Permission Scope[] - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id string - The object ID of the service principal.
- redirect
Uris string[] - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata stringUrl - The URL where the service exposes SAML metadata for federation.
- service
Principal string[]Names - A list of identifier URI(s), copied over from the associated application.
- sign
In stringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app_
role_ Mapping[str, str]ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app_
roles Sequence[ServicePrincipal App Role] - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application_
tenant_ strid - The tenant ID where the associated application is registered.
- display_
name str - Display name for the app role that appears during app role assignment and in consent experiences.
- homepage_
url str - Home page or landing page of the associated application.
- id str
- The provider-assigned unique ID for this managed resource.
- logout_
url str - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2_
permission_ Mapping[str, str]scope_ ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2_
permission_ Sequence[Servicescopes Principal Oauth2Permission Scope] - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object_
id str - The object ID of the service principal.
- redirect_
uris Sequence[str] - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml_
metadata_ strurl - The URL where the service exposes SAML metadata for federation.
- service_
principal_ Sequence[str]names - A list of identifier URI(s), copied over from the associated application.
- sign_
in_ straudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - type str
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
- app
Role Map<String>Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<Property Map> - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant StringId - The tenant ID where the associated application is registered.
- display
Name String - Display name for the app role that appears during app role assignment and in consent experiences.
- homepage
Url String - Home page or landing page of the associated application.
- id String
- The provider-assigned unique ID for this managed resource.
- logout
Url String - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- oauth2Permission
Scope Map<String>Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<Property Map> - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String - The object ID of the service principal.
- redirect
Uris List<String> - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl - The URL where the service exposes SAML metadata for federation.
- service
Principal List<String>Names - A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - type String
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
.
Look up Existing ServicePrincipal Resource
Get an existing ServicePrincipal resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ServicePrincipalState, opts?: CustomResourceOptions): ServicePrincipal
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
account_enabled: Optional[bool] = None,
alternative_names: Optional[Sequence[str]] = None,
app_role_assignment_required: Optional[bool] = None,
app_role_ids: Optional[Mapping[str, str]] = None,
app_roles: Optional[Sequence[ServicePrincipalAppRoleArgs]] = None,
application_tenant_id: Optional[str] = None,
client_id: Optional[str] = None,
description: Optional[str] = None,
display_name: Optional[str] = None,
feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
homepage_url: Optional[str] = None,
login_url: Optional[str] = None,
logout_url: Optional[str] = None,
notes: Optional[str] = None,
notification_email_addresses: Optional[Sequence[str]] = None,
oauth2_permission_scope_ids: Optional[Mapping[str, str]] = None,
oauth2_permission_scopes: Optional[Sequence[ServicePrincipalOauth2PermissionScopeArgs]] = None,
object_id: Optional[str] = None,
owners: Optional[Sequence[str]] = None,
preferred_single_sign_on_mode: Optional[str] = None,
redirect_uris: Optional[Sequence[str]] = None,
saml_metadata_url: Optional[str] = None,
saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
service_principal_names: Optional[Sequence[str]] = None,
sign_in_audience: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
type: Optional[str] = None,
use_existing: Optional[bool] = None) -> ServicePrincipal
func GetServicePrincipal(ctx *Context, name string, id IDInput, state *ServicePrincipalState, opts ...ResourceOption) (*ServicePrincipal, error)
public static ServicePrincipal Get(string name, Input<string> id, ServicePrincipalState? state, CustomResourceOptions? opts = null)
public static ServicePrincipal get(String name, Output<String> id, ServicePrincipalState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Account
Enabled bool - Whether or not the service principal account is enabled. Defaults to
true
. - Alternative
Names List<string> - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - App
Role Dictionary<string, string>Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles List<Pulumi.Azure AD. Inputs. Service Principal App Role> - A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Tenant stringId - The tenant ID where the associated application is registered.
- Client
Id string - The client ID of the application for which to create a service principal.
- Description string
- A description of the service principal provided for internal end-users.
- Display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- List<Pulumi.
Azure AD. Inputs. Service Principal Feature Tag> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
List<Pulumi.
Azure AD. Inputs. Service Principal Feature> - Block of features to configure for this service principal using tags
- Homepage
Url string - Home page or landing page of the associated application.
- Login
Url string - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Logout
Url string - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Notes string
- A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email List<string>Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Oauth2Permission
Scope Dictionary<string, string>Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes List<Pulumi.Azure AD. Inputs. Service Principal Oauth2Permission Scope> - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string - The object ID of the service principal.
- Owners List<string>
- A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - Redirect
Uris List<string> - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl - The URL where the service exposes SAML metadata for federation.
- Saml
Single Pulumi.Sign On Azure AD. Inputs. Service Principal Saml Single Sign On - A
saml_single_sign_on
block as documented below. - Service
Principal List<string>Names - A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - List<string>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - Use
Existing bool - When true, the resource will return an existing service principal instead of failing with an error
- Account
Enabled bool - Whether or not the service principal account is enabled. Defaults to
true
. - Alternative
Names []string - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- App
Role boolAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - App
Role map[string]stringIds - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- App
Roles []ServicePrincipal App Role Args - A list of app roles published by the associated application, as documented below. For more information official documentation.
- Application
Tenant stringId - The tenant ID where the associated application is registered.
- Client
Id string - The client ID of the application for which to create a service principal.
- Description string
- A description of the service principal provided for internal end-users.
- Display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- []Service
Principal Feature Tag Args A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- Features
[]Service
Principal Feature Args - Block of features to configure for this service principal using tags
- Homepage
Url string - Home page or landing page of the associated application.
- Login
Url string - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- Logout
Url string - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- Notes string
- A free text field to capture information about the service principal, typically used for operational purposes.
- Notification
Email []stringAddresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- Oauth2Permission
Scope map[string]stringIds - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- Oauth2Permission
Scopes []ServicePrincipal Oauth2Permission Scope Args - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- Object
Id string - The object ID of the service principal.
- Owners []string
- A list of object IDs of principals that will be granted ownership of the service principal
- Preferred
Single stringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - Redirect
Uris []string - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- Saml
Metadata stringUrl - The URL where the service exposes SAML metadata for federation.
- Saml
Single ServiceSign On Principal Saml Single Sign On Args - A
saml_single_sign_on
block as documented below. - Service
Principal []stringNames - A list of identifier URI(s), copied over from the associated application.
- Sign
In stringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - []string
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- Type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - Use
Existing bool - When true, the resource will return an existing service principal instead of failing with an error
- account
Enabled Boolean - Whether or not the service principal account is enabled. Defaults to
true
. - alternative
Names List<String> - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - app
Role Map<String,String>Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<ServicePrincipal App Role> - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant StringId - The tenant ID where the associated application is registered.
- client
Id String - The client ID of the application for which to create a service principal.
- description String
- A description of the service principal provided for internal end-users.
- display
Name String - Display name for the app role that appears during app role assignment and in consent experiences.
- List<Service
Principal Feature Tag> A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
List<Service
Principal Feature> - Block of features to configure for this service principal using tags
- homepage
Url String - Home page or landing page of the associated application.
- login
Url String - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout
Url String - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes String
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2Permission
Scope Map<String,String>Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<ServicePrincipal Oauth2Permission Scope> - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String - The object ID of the service principal.
- owners List<String>
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - redirect
Uris List<String> - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl - The URL where the service exposes SAML metadata for federation.
- saml
Single ServiceSign On Principal Saml Single Sign On - A
saml_single_sign_on
block as documented below. - service
Principal List<String>Names - A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type String
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - use
Existing Boolean - When true, the resource will return an existing service principal instead of failing with an error
- account
Enabled boolean - Whether or not the service principal account is enabled. Defaults to
true
. - alternative
Names string[] - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role booleanAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - app
Role {[key: string]: string}Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles ServicePrincipal App Role[] - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant stringId - The tenant ID where the associated application is registered.
- client
Id string - The client ID of the application for which to create a service principal.
- description string
- A description of the service principal provided for internal end-users.
- display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- Service
Principal Feature Tag[] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Service
Principal Feature[] - Block of features to configure for this service principal using tags
- homepage
Url string - Home page or landing page of the associated application.
- login
Url string - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout
Url string - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes string
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email string[]Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2Permission
Scope {[key: string]: string}Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes ServicePrincipal Oauth2Permission Scope[] - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id string - The object ID of the service principal.
- owners string[]
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single stringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - redirect
Uris string[] - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata stringUrl - The URL where the service exposes SAML metadata for federation.
- saml
Single ServiceSign On Principal Saml Single Sign On - A
saml_single_sign_on
block as documented below. - service
Principal string[]Names - A list of identifier URI(s), copied over from the associated application.
- sign
In stringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - string[]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - use
Existing boolean - When true, the resource will return an existing service principal instead of failing with an error
- account_
enabled bool - Whether or not the service principal account is enabled. Defaults to
true
. - alternative_
names Sequence[str] - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app_
role_ boolassignment_ required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - app_
role_ Mapping[str, str]ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app_
roles Sequence[ServicePrincipal App Role Args] - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application_
tenant_ strid - The tenant ID where the associated application is registered.
- client_
id str - The client ID of the application for which to create a service principal.
- description str
- A description of the service principal provided for internal end-users.
- display_
name str - Display name for the app role that appears during app role assignment and in consent experiences.
- Sequence[Service
Principal Feature Tag Args] A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features
Sequence[Service
Principal Feature Args] - Block of features to configure for this service principal using tags
- homepage_
url str - Home page or landing page of the associated application.
- login_
url str - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout_
url str - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes str
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification_
email_ Sequence[str]addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2_
permission_ Mapping[str, str]scope_ ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2_
permission_ Sequence[Servicescopes Principal Oauth2Permission Scope Args] - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object_
id str - The object ID of the service principal.
- owners Sequence[str]
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred_
single_ strsign_ on_ mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - redirect_
uris Sequence[str] - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml_
metadata_ strurl - The URL where the service exposes SAML metadata for federation.
- saml_
single_ Servicesign_ on Principal Saml Single Sign On Args - A
saml_single_sign_on
block as documented below. - service_
principal_ Sequence[str]names - A list of identifier URI(s), copied over from the associated application.
- sign_
in_ straudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - Sequence[str]
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type str
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - use_
existing bool - When true, the resource will return an existing service principal instead of failing with an error
- account
Enabled Boolean - Whether or not the service principal account is enabled. Defaults to
true
. - alternative
Names List<String> - A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
- app
Role BooleanAssignment Required - Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to
false
. - app
Role Map<String>Ids - A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
- app
Roles List<Property Map> - A list of app roles published by the associated application, as documented below. For more information official documentation.
- application
Tenant StringId - The tenant ID where the associated application is registered.
- client
Id String - The client ID of the application for which to create a service principal.
- description String
- A description of the service principal provided for internal end-users.
- display
Name String - Display name for the app role that appears during app role assignment and in consent experiences.
- List<Property Map>
A
feature_tags
block as described below. Cannot be used together with thetags
property.Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure
feature_tags
andtags
for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use thetags
property instead. Any tags configured for the linked application will propagate to this service principal.- features List<Property Map>
- Block of features to configure for this service principal using tags
- homepage
Url String - Home page or landing page of the associated application.
- login
Url String - The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
- logout
Url String - The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
- notes String
- A free text field to capture information about the service principal, typically used for operational purposes.
- notification
Email List<String>Addresses - A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
- oauth2Permission
Scope Map<String>Ids - A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
- oauth2Permission
Scopes List<Property Map> - A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
- object
Id String - The object ID of the service principal.
- owners List<String>
- A list of object IDs of principals that will be granted ownership of the service principal
- preferred
Single StringSign On Mode - The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are
oidc
,password
,saml
ornotSupported
. Omit this property or specify a blank string to unset. - redirect
Uris List<String> - A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
- saml
Metadata StringUrl - The URL where the service exposes SAML metadata for federation.
- saml
Single Property MapSign On - A
saml_single_sign_on
block as documented below. - service
Principal List<String>Names - A list of identifier URI(s), copied over from the associated application.
- sign
In StringAudience - The Microsoft account types that are supported for the associated application. Possible values include
AzureADMyOrg
,AzureADMultipleOrgs
,AzureADandPersonalMicrosoftAccount
orPersonalMicrosoftAccount
. - List<String>
A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the
feature_tags
block.Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the
tags
property or with thefeature_tags
block. If you need to set any custom tag values not supported by thefeature_tags
block, it's recommended to use thetags
property. Tag values set for the linked application will also propagate to this service principal.- type String
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - use
Existing Boolean - When true, the resource will return an existing service principal instead of failing with an error
Supporting Types
ServicePrincipalAppRole, ServicePrincipalAppRoleArgs
- Allowed
Member List<string>Types - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both. - Description string
- A description of the service principal provided for internal end-users.
- Display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- Enabled bool
- Specifies whether the permission scope is enabled.
- Id string
- The unique identifier of the delegated permission.
- Value string
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- Allowed
Member []stringTypes - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both. - Description string
- A description of the service principal provided for internal end-users.
- Display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- Enabled bool
- Specifies whether the permission scope is enabled.
- Id string
- The unique identifier of the delegated permission.
- Value string
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed
Member List<String>Types - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both. - description String
- A description of the service principal provided for internal end-users.
- display
Name String - Display name for the app role that appears during app role assignment and in consent experiences.
- enabled Boolean
- Specifies whether the permission scope is enabled.
- id String
- The unique identifier of the delegated permission.
- value String
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed
Member string[]Types - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both. - description string
- A description of the service principal provided for internal end-users.
- display
Name string - Display name for the app role that appears during app role assignment and in consent experiences.
- enabled boolean
- Specifies whether the permission scope is enabled.
- id string
- The unique identifier of the delegated permission.
- value string
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed_
member_ Sequence[str]types - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both. - description str
- A description of the service principal provided for internal end-users.
- display_
name str - Display name for the app role that appears during app role assignment and in consent experiences.
- enabled bool
- Specifies whether the permission scope is enabled.
- id str
- The unique identifier of the delegated permission.
- value str
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- allowed
Member List<String>Types - Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are:
User
andApplication
, or both. - description String
- A description of the service principal provided for internal end-users.
- display
Name String - Display name for the app role that appears during app role assignment and in consent experiences.
- enabled Boolean
- Specifies whether the permission scope is enabled.
- id String
- The unique identifier of the delegated permission.
- value String
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
ServicePrincipalFeature, ServicePrincipalFeatureArgs
- Custom
Single boolSign On App - Whether this service principal represents a custom SAML application
- Enterprise
Application bool - Whether this service principal represents an Enterprise Application
- Gallery
Application bool - Whether this service principal represents a gallery application
- Visible
To boolUsers - Whether this app is visible to users in My Apps and Office 365 Launcher
- Custom
Single boolSign On App - Whether this service principal represents a custom SAML application
- Enterprise
Application bool - Whether this service principal represents an Enterprise Application
- Gallery
Application bool - Whether this service principal represents a gallery application
- Visible
To boolUsers - Whether this app is visible to users in My Apps and Office 365 Launcher
- custom
Single BooleanSign On App - Whether this service principal represents a custom SAML application
- enterprise
Application Boolean - Whether this service principal represents an Enterprise Application
- gallery
Application Boolean - Whether this service principal represents a gallery application
- visible
To BooleanUsers - Whether this app is visible to users in My Apps and Office 365 Launcher
- custom
Single booleanSign On App - Whether this service principal represents a custom SAML application
- enterprise
Application boolean - Whether this service principal represents an Enterprise Application
- gallery
Application boolean - Whether this service principal represents a gallery application
- visible
To booleanUsers - Whether this app is visible to users in My Apps and Office 365 Launcher
- custom_
single_ boolsign_ on_ app - Whether this service principal represents a custom SAML application
- enterprise_
application bool - Whether this service principal represents an Enterprise Application
- gallery_
application bool - Whether this service principal represents a gallery application
- visible_
to_ boolusers - Whether this app is visible to users in My Apps and Office 365 Launcher
- custom
Single BooleanSign On App - Whether this service principal represents a custom SAML application
- enterprise
Application Boolean - Whether this service principal represents an Enterprise Application
- gallery
Application Boolean - Whether this service principal represents a gallery application
- visible
To BooleanUsers - Whether this app is visible to users in My Apps and Office 365 Launcher
ServicePrincipalFeatureTag, ServicePrincipalFeatureTagArgs
- Custom
Single boolSign On - Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
. - Enterprise bool
- Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
. - Gallery bool
- Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
. - Hide bool
- Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- Custom
Single boolSign On - Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
. - Enterprise bool
- Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
. - Gallery bool
- Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
. - Hide bool
- Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom
Single BooleanSign On - Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
. - enterprise Boolean
- Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
. - gallery Boolean
- Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
. - hide Boolean
- Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom
Single booleanSign On - Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
. - enterprise boolean
- Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
. - gallery boolean
- Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
. - hide boolean
- Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom_
single_ boolsign_ on - Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
. - enterprise bool
- Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
. - gallery bool
- Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
. - hide bool
- Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
- custom
Single BooleanSign On - Whether this service principal represents a custom SAML application. Enabling this will assign the
WindowsAzureActiveDirectoryCustomSingleSignOnApplication
tag. Defaults tofalse
. - enterprise Boolean
- Whether this service principal represents an Enterprise Application. Enabling this will assign the
WindowsAzureActiveDirectoryIntegratedApp
tag. Defaults tofalse
. - gallery Boolean
- Whether this service principal represents a gallery application. Enabling this will assign the
WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1
tag. Defaults tofalse
. - hide Boolean
- Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the
HideApp
tag. Defaults tofalse
.
ServicePrincipalOauth2PermissionScope, ServicePrincipalOauth2PermissionScopeArgs
- Admin
Consent stringDescription - Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- Admin
Consent stringDisplay Name - Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- Enabled bool
- Specifies whether the permission scope is enabled.
- Id string
- The unique identifier of the delegated permission.
- Type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - User
Consent stringDescription - Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- User
Consent stringDisplay Name - Display name for the delegated permission that appears in the end user consent experience.
- Value string
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- Admin
Consent stringDescription - Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- Admin
Consent stringDisplay Name - Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- Enabled bool
- Specifies whether the permission scope is enabled.
- Id string
- The unique identifier of the delegated permission.
- Type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - User
Consent stringDescription - Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- User
Consent stringDisplay Name - Display name for the delegated permission that appears in the end user consent experience.
- Value string
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin
Consent StringDescription - Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin
Consent StringDisplay Name - Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled Boolean
- Specifies whether the permission scope is enabled.
- id String
- The unique identifier of the delegated permission.
- type String
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - user
Consent StringDescription - Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user
Consent StringDisplay Name - Display name for the delegated permission that appears in the end user consent experience.
- value String
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin
Consent stringDescription - Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin
Consent stringDisplay Name - Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled boolean
- Specifies whether the permission scope is enabled.
- id string
- The unique identifier of the delegated permission.
- type string
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - user
Consent stringDescription - Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user
Consent stringDisplay Name - Display name for the delegated permission that appears in the end user consent experience.
- value string
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin_
consent_ strdescription - Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin_
consent_ strdisplay_ name - Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled bool
- Specifies whether the permission scope is enabled.
- id str
- The unique identifier of the delegated permission.
- type str
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - user_
consent_ strdescription - Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user_
consent_ strdisplay_ name - Display name for the delegated permission that appears in the end user consent experience.
- value str
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
- admin
Consent StringDescription - Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
- admin
Consent StringDisplay Name - Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
- enabled Boolean
- Specifies whether the permission scope is enabled.
- id String
- The unique identifier of the delegated permission.
- type String
- Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are
User
orAdmin
. - user
Consent StringDescription - Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
- user
Consent StringDisplay Name - Display name for the delegated permission that appears in the end user consent experience.
- value String
- The value that is used for the
scp
claim in OAuth 2.0 access tokens.
ServicePrincipalSamlSingleSignOn, ServicePrincipalSamlSingleSignOnArgs
- Relay
State string - The relative URI the service provider would redirect to after completion of the single sign-on flow.
- Relay
State string - The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay
State String - The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay
State string - The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay_
state str - The relative URI the service provider would redirect to after completion of the single sign-on flow.
- relay
State String - The relative URI the service provider would redirect to after completion of the single sign-on flow.
Import
Service principals can be imported using their object ID, e.g.
$ pulumi import azuread:index/servicePrincipal:ServicePrincipal example 00000000-0000-0000-0000-000000000000
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azuread
Terraform Provider.