1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. ConditionalAccessPolicy
Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

azuread.ConditionalAccessPolicy

Explore with Pulumi AI

Example Usage

All users except guests or external users

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    state: "disabled",
    conditions: {
        clientAppTypes: ["all"],
        signInRiskLevels: ["medium"],
        userRiskLevels: ["medium"],
        applications: {
            includedApplications: ["All"],
            excludedApplications: [],
        },
        devices: {
            filter: {
                mode: "exclude",
                rule: "device.operatingSystem eq \"Doors\"",
            },
        },
        locations: {
            includedLocations: ["All"],
            excludedLocations: ["AllTrusted"],
        },
        platforms: {
            includedPlatforms: ["android"],
            excludedPlatforms: ["iOS"],
        },
        users: {
            includedUsers: ["All"],
            excludedUsers: ["GuestsOrExternalUsers"],
        },
    },
    grantControls: {
        operator: "OR",
        builtInControls: ["mfa"],
    },
    sessionControls: {
        applicationEnforcedRestrictionsEnabled: true,
        disableResilienceDefaults: false,
        signInFrequency: 10,
        signInFrequencyPeriod: "hours",
        cloudAppSecurityPolicy: "monitorOnly",
    },
});
Copy
import pulumi
import pulumi_azuread as azuread

example = azuread.ConditionalAccessPolicy("example",
    display_name="example policy",
    state="disabled",
    conditions={
        "client_app_types": ["all"],
        "sign_in_risk_levels": ["medium"],
        "user_risk_levels": ["medium"],
        "applications": {
            "included_applications": ["All"],
            "excluded_applications": [],
        },
        "devices": {
            "filter": {
                "mode": "exclude",
                "rule": "device.operatingSystem eq \"Doors\"",
            },
        },
        "locations": {
            "included_locations": ["All"],
            "excluded_locations": ["AllTrusted"],
        },
        "platforms": {
            "included_platforms": ["android"],
            "excluded_platforms": ["iOS"],
        },
        "users": {
            "included_users": ["All"],
            "excluded_users": ["GuestsOrExternalUsers"],
        },
    },
    grant_controls={
        "operator": "OR",
        "built_in_controls": ["mfa"],
    },
    session_controls={
        "application_enforced_restrictions_enabled": True,
        "disable_resilience_defaults": False,
        "sign_in_frequency": 10,
        "sign_in_frequency_period": "hours",
        "cloud_app_security_policy": "monitorOnly",
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			State:       pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				SignInRiskLevels: pulumi.StringArray{
					pulumi.String("medium"),
				},
				UserRiskLevels: pulumi.StringArray{
					pulumi.String("medium"),
				},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
					ExcludedApplications: pulumi.StringArray{},
				},
				Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
					Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
						Mode: pulumi.String("exclude"),
						Rule: pulumi.String("device.operatingSystem eq \"Doors\""),
					},
				},
				Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
					IncludedLocations: pulumi.StringArray{
						pulumi.String("All"),
					},
					ExcludedLocations: pulumi.StringArray{
						pulumi.String("AllTrusted"),
					},
				},
				Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
					IncludedPlatforms: pulumi.StringArray{
						pulumi.String("android"),
					},
					ExcludedPlatforms: pulumi.StringArray{
						pulumi.String("iOS"),
					},
				},
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{
						pulumi.String("All"),
					},
					ExcludedUsers: pulumi.StringArray{
						pulumi.String("GuestsOrExternalUsers"),
					},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator: pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{
					pulumi.String("mfa"),
				},
			},
			SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
				ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(true),
				DisableResilienceDefaults:              pulumi.Bool(false),
				SignInFrequency:                        pulumi.Int(10),
				SignInFrequencyPeriod:                  pulumi.String("hours"),
				CloudAppSecurityPolicy:                 pulumi.String("monitorOnly"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        State = "disabled",
        Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
        {
            ClientAppTypes = new[]
            {
                "all",
            },
            SignInRiskLevels = new[]
            {
                "medium",
            },
            UserRiskLevels = new[]
            {
                "medium",
            },
            Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
            {
                IncludedApplications = new[]
                {
                    "All",
                },
                ExcludedApplications = new() { },
            },
            Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
            {
                Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
                {
                    Mode = "exclude",
                    Rule = "device.operatingSystem eq \"Doors\"",
                },
            },
            Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
            {
                IncludedLocations = new[]
                {
                    "All",
                },
                ExcludedLocations = new[]
                {
                    "AllTrusted",
                },
            },
            Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
            {
                IncludedPlatforms = new[]
                {
                    "android",
                },
                ExcludedPlatforms = new[]
                {
                    "iOS",
                },
            },
            Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
            {
                IncludedUsers = new[]
                {
                    "All",
                },
                ExcludedUsers = new[]
                {
                    "GuestsOrExternalUsers",
                },
            },
        },
        GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
        {
            Operator = "OR",
            BuiltInControls = new[]
            {
                "mfa",
            },
        },
        SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
        {
            ApplicationEnforcedRestrictionsEnabled = true,
            DisableResilienceDefaults = false,
            SignInFrequency = 10,
            SignInFrequencyPeriod = "hours",
            CloudAppSecurityPolicy = "monitorOnly",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsLocationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsPlatformsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicySessionControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                .clientAppTypes("all")
                .signInRiskLevels("medium")
                .userRiskLevels("medium")
                .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                    .includedApplications("All")
                    .excludedApplications()
                    .build())
                .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
                    .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                        .mode("exclude")
                        .rule("device.operatingSystem eq \"Doors\"")
                        .build())
                    .build())
                .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
                    .includedLocations("All")
                    .excludedLocations("AllTrusted")
                    .build())
                .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
                    .includedPlatforms("android")
                    .excludedPlatforms("iOS")
                    .build())
                .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                    .includedUsers("All")
                    .excludedUsers("GuestsOrExternalUsers")
                    .build())
                .build())
            .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                .operator("OR")
                .builtInControls("mfa")
                .build())
            .sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
                .applicationEnforcedRestrictionsEnabled(true)
                .disableResilienceDefaults(false)
                .signInFrequency(10)
                .signInFrequencyPeriod("hours")
                .cloudAppSecurityPolicy("monitorOnly")
                .build())
            .build());

    }
}
Copy
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      state: disabled
      conditions:
        clientAppTypes:
          - all
        signInRiskLevels:
          - medium
        userRiskLevels:
          - medium
        applications:
          includedApplications:
            - All
          excludedApplications: []
        devices:
          filter:
            mode: exclude
            rule: device.operatingSystem eq "Doors"
        locations:
          includedLocations:
            - All
          excludedLocations:
            - AllTrusted
        platforms:
          includedPlatforms:
            - android
          excludedPlatforms:
            - iOS
        users:
          includedUsers:
            - All
          excludedUsers:
            - GuestsOrExternalUsers
      grantControls:
        operator: OR
        builtInControls:
          - mfa
      sessionControls:
        applicationEnforcedRestrictionsEnabled: true
        disableResilienceDefaults: false
        signInFrequency: 10
        signInFrequencyPeriod: hours
        cloudAppSecurityPolicy: monitorOnly
Copy

Included client applications / service principals

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    state: "disabled",
    conditions: {
        clientAppTypes: ["all"],
        applications: {
            includedApplications: ["All"],
        },
        clientApplications: {
            includedServicePrincipals: [current.then(current => current.objectId)],
            excludedServicePrincipals: [],
        },
        users: {
            includedUsers: ["None"],
        },
    },
    grantControls: {
        operator: "OR",
        builtInControls: ["block"],
    },
});
Copy
import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.ConditionalAccessPolicy("example",
    display_name="example policy",
    state="disabled",
    conditions={
        "client_app_types": ["all"],
        "applications": {
            "included_applications": ["All"],
        },
        "client_applications": {
            "included_service_principals": [current.object_id],
            "excluded_service_principals": [],
        },
        "users": {
            "included_users": ["None"],
        },
    },
    grant_controls={
        "operator": "OR",
        "built_in_controls": ["block"],
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			State:       pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
					IncludedServicePrincipals: pulumi.StringArray{
						pulumi.String(current.ObjectId),
					},
					ExcludedServicePrincipals: pulumi.StringArray{},
				},
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{
						pulumi.String("None"),
					},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator: pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{
					pulumi.String("block"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        State = "disabled",
        Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
        {
            ClientAppTypes = new[]
            {
                "all",
            },
            Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
            {
                IncludedApplications = new[]
                {
                    "All",
                },
            },
            ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
            {
                IncludedServicePrincipals = new[]
                {
                    current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                },
                ExcludedServicePrincipals = new() { },
            },
            Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
            {
                IncludedUsers = new[]
                {
                    "None",
                },
            },
        },
        GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
        {
            Operator = "OR",
            BuiltInControls = new[]
            {
                "block",
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                .clientAppTypes("all")
                .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                    .includedApplications("All")
                    .build())
                .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                    .includedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                    .excludedServicePrincipals()
                    .build())
                .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                    .includedUsers("None")
                    .build())
                .build())
            .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                .operator("OR")
                .builtInControls("block")
                .build())
            .build());

    }
}
Copy
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      state: disabled
      conditions:
        clientAppTypes:
          - all
        applications:
          includedApplications:
            - All
        clientApplications:
          includedServicePrincipals:
            - ${current.objectId}
          excludedServicePrincipals: []
        users:
          includedUsers:
            - None
      grantControls:
        operator: OR
        builtInControls:
          - block
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}
Copy

Excluded client applications / service principals

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.ConditionalAccessPolicy("example", {
    displayName: "example policy",
    state: "disabled",
    conditions: {
        clientAppTypes: ["all"],
        applications: {
            includedApplications: ["All"],
        },
        clientApplications: {
            includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
            excludedServicePrincipals: [current.then(current => current.objectId)],
        },
        users: {
            includedUsers: ["None"],
        },
    },
    grantControls: {
        operator: "OR",
        builtInControls: ["block"],
    },
});
Copy
import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.ConditionalAccessPolicy("example",
    display_name="example policy",
    state="disabled",
    conditions={
        "client_app_types": ["all"],
        "applications": {
            "included_applications": ["All"],
        },
        "client_applications": {
            "included_service_principals": ["ServicePrincipalsInMyTenant"],
            "excluded_service_principals": [current.object_id],
        },
        "users": {
            "included_users": ["None"],
        },
    },
    grant_controls={
        "operator": "OR",
        "built_in_controls": ["block"],
    })
Copy
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewConditionalAccessPolicy(ctx, "example", &azuread.ConditionalAccessPolicyArgs{
			DisplayName: pulumi.String("example policy"),
			State:       pulumi.String("disabled"),
			Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
				ClientAppTypes: pulumi.StringArray{
					pulumi.String("all"),
				},
				Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
					IncludedApplications: pulumi.StringArray{
						pulumi.String("All"),
					},
				},
				ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
					IncludedServicePrincipals: pulumi.StringArray{
						pulumi.String("ServicePrincipalsInMyTenant"),
					},
					ExcludedServicePrincipals: pulumi.StringArray{
						pulumi.String(current.ObjectId),
					},
				},
				Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
					IncludedUsers: pulumi.StringArray{
						pulumi.String("None"),
					},
				},
			},
			GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
				Operator: pulumi.String("OR"),
				BuiltInControls: pulumi.StringArray{
					pulumi.String("block"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.ConditionalAccessPolicy("example", new()
    {
        DisplayName = "example policy",
        State = "disabled",
        Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
        {
            ClientAppTypes = new[]
            {
                "all",
            },
            Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
            {
                IncludedApplications = new[]
                {
                    "All",
                },
            },
            ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
            {
                IncludedServicePrincipals = new[]
                {
                    "ServicePrincipalsInMyTenant",
                },
                ExcludedServicePrincipals = new[]
                {
                    current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
                },
            },
            Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
            {
                IncludedUsers = new[]
                {
                    "None",
                },
            },
        },
        GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
        {
            Operator = "OR",
            BuiltInControls = new[]
            {
                "block",
            },
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ConditionalAccessPolicy;
import com.pulumi.azuread.ConditionalAccessPolicyArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersArgs;
import com.pulumi.azuread.inputs.ConditionalAccessPolicyGrantControlsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new ConditionalAccessPolicy("example", ConditionalAccessPolicyArgs.builder()
            .displayName("example policy")
            .state("disabled")
            .conditions(ConditionalAccessPolicyConditionsArgs.builder()
                .clientAppTypes("all")
                .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
                    .includedApplications("All")
                    .build())
                .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
                    .includedServicePrincipals("ServicePrincipalsInMyTenant")
                    .excludedServicePrincipals(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
                    .build())
                .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
                    .includedUsers("None")
                    .build())
                .build())
            .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
                .operator("OR")
                .builtInControls("block")
                .build())
            .build());

    }
}
Copy
resources:
  example:
    type: azuread:ConditionalAccessPolicy
    properties:
      displayName: example policy
      state: disabled
      conditions:
        clientAppTypes:
          - all
        applications:
          includedApplications:
            - All
        clientApplications:
          includedServicePrincipals:
            - ServicePrincipalsInMyTenant
          excludedServicePrincipals:
            - ${current.objectId}
        users:
          includedUsers:
            - None
      grantControls:
        operator: OR
        builtInControls:
          - block
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}
Copy

Create ConditionalAccessPolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ConditionalAccessPolicy(name: string, args: ConditionalAccessPolicyArgs, opts?: CustomResourceOptions);
@overload
def ConditionalAccessPolicy(resource_name: str,
                            args: ConditionalAccessPolicyArgs,
                            opts: Optional[ResourceOptions] = None)

@overload
def ConditionalAccessPolicy(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
                            display_name: Optional[str] = None,
                            state: Optional[str] = None,
                            grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
                            session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None)
func NewConditionalAccessPolicy(ctx *Context, name string, args ConditionalAccessPolicyArgs, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public ConditionalAccessPolicy(string name, ConditionalAccessPolicyArgs args, CustomResourceOptions? opts = null)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args)
public ConditionalAccessPolicy(String name, ConditionalAccessPolicyArgs args, CustomResourceOptions options)
type: azuread:ConditionalAccessPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. ConditionalAccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. ConditionalAccessPolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. ConditionalAccessPolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. ConditionalAccessPolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. ConditionalAccessPolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var conditionalAccessPolicyResource = new AzureAD.ConditionalAccessPolicy("conditionalAccessPolicyResource", new()
{
    Conditions = new AzureAD.Inputs.ConditionalAccessPolicyConditionsArgs
    {
        Applications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsApplicationsArgs
        {
            ExcludedApplications = new[]
            {
                "string",
            },
            IncludedApplications = new[]
            {
                "string",
            },
            IncludedUserActions = new[]
            {
                "string",
            },
        },
        ClientAppTypes = new[]
        {
            "string",
        },
        Users = new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersArgs
        {
            ExcludedGroups = new[]
            {
                "string",
            },
            ExcludedGuestsOrExternalUsers = new[]
            {
                new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs
                {
                    GuestOrExternalUserTypes = new[]
                    {
                        "string",
                    },
                    ExternalTenants = new[]
                    {
                        new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs
                        {
                            MembershipKind = "string",
                            Members = new[]
                            {
                                "string",
                            },
                        },
                    },
                },
            },
            ExcludedRoles = new[]
            {
                "string",
            },
            ExcludedUsers = new[]
            {
                "string",
            },
            IncludedGroups = new[]
            {
                "string",
            },
            IncludedGuestsOrExternalUsers = new[]
            {
                new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs
                {
                    GuestOrExternalUserTypes = new[]
                    {
                        "string",
                    },
                    ExternalTenants = new[]
                    {
                        new AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs
                        {
                            MembershipKind = "string",
                            Members = new[]
                            {
                                "string",
                            },
                        },
                    },
                },
            },
            IncludedRoles = new[]
            {
                "string",
            },
            IncludedUsers = new[]
            {
                "string",
            },
        },
        ClientApplications = new AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplicationsArgs
        {
            ExcludedServicePrincipals = new[]
            {
                "string",
            },
            IncludedServicePrincipals = new[]
            {
                "string",
            },
        },
        Devices = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesArgs
        {
            Filter = new AzureAD.Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs
            {
                Mode = "string",
                Rule = "string",
            },
        },
        InsiderRiskLevels = "string",
        Locations = new AzureAD.Inputs.ConditionalAccessPolicyConditionsLocationsArgs
        {
            IncludedLocations = new[]
            {
                "string",
            },
            ExcludedLocations = new[]
            {
                "string",
            },
        },
        Platforms = new AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatformsArgs
        {
            IncludedPlatforms = new[]
            {
                "string",
            },
            ExcludedPlatforms = new[]
            {
                "string",
            },
        },
        ServicePrincipalRiskLevels = new[]
        {
            "string",
        },
        SignInRiskLevels = new[]
        {
            "string",
        },
        UserRiskLevels = new[]
        {
            "string",
        },
    },
    DisplayName = "string",
    State = "string",
    GrantControls = new AzureAD.Inputs.ConditionalAccessPolicyGrantControlsArgs
    {
        Operator = "string",
        AuthenticationStrengthPolicyId = "string",
        BuiltInControls = new[]
        {
            "string",
        },
        CustomAuthenticationFactors = new[]
        {
            "string",
        },
        TermsOfUses = new[]
        {
            "string",
        },
    },
    SessionControls = new AzureAD.Inputs.ConditionalAccessPolicySessionControlsArgs
    {
        ApplicationEnforcedRestrictionsEnabled = false,
        CloudAppSecurityPolicy = "string",
        DisableResilienceDefaults = false,
        PersistentBrowserMode = "string",
        SignInFrequency = 0,
        SignInFrequencyAuthenticationType = "string",
        SignInFrequencyInterval = "string",
        SignInFrequencyPeriod = "string",
    },
});
Copy
example, err := azuread.NewConditionalAccessPolicy(ctx, "conditionalAccessPolicyResource", &azuread.ConditionalAccessPolicyArgs{
	Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{
		Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{
			ExcludedApplications: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludedApplications: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludedUserActions: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		ClientAppTypes: pulumi.StringArray{
			pulumi.String("string"),
		},
		Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{
			ExcludedGroups: pulumi.StringArray{
				pulumi.String("string"),
			},
			ExcludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray{
				&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{
					GuestOrExternalUserTypes: pulumi.StringArray{
						pulumi.String("string"),
					},
					ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray{
						&azuread.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{
							MembershipKind: pulumi.String("string"),
							Members: pulumi.StringArray{
								pulumi.String("string"),
							},
						},
					},
				},
			},
			ExcludedRoles: pulumi.StringArray{
				pulumi.String("string"),
			},
			ExcludedUsers: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludedGroups: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludedGuestsOrExternalUsers: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray{
				&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{
					GuestOrExternalUserTypes: pulumi.StringArray{
						pulumi.String("string"),
					},
					ExternalTenants: azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray{
						&azuread.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{
							MembershipKind: pulumi.String("string"),
							Members: pulumi.StringArray{
								pulumi.String("string"),
							},
						},
					},
				},
			},
			IncludedRoles: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludedUsers: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		ClientApplications: &azuread.ConditionalAccessPolicyConditionsClientApplicationsArgs{
			ExcludedServicePrincipals: pulumi.StringArray{
				pulumi.String("string"),
			},
			IncludedServicePrincipals: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		Devices: &azuread.ConditionalAccessPolicyConditionsDevicesArgs{
			Filter: &azuread.ConditionalAccessPolicyConditionsDevicesFilterArgs{
				Mode: pulumi.String("string"),
				Rule: pulumi.String("string"),
			},
		},
		InsiderRiskLevels: pulumi.String("string"),
		Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{
			IncludedLocations: pulumi.StringArray{
				pulumi.String("string"),
			},
			ExcludedLocations: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		Platforms: &azuread.ConditionalAccessPolicyConditionsPlatformsArgs{
			IncludedPlatforms: pulumi.StringArray{
				pulumi.String("string"),
			},
			ExcludedPlatforms: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
		ServicePrincipalRiskLevels: pulumi.StringArray{
			pulumi.String("string"),
		},
		SignInRiskLevels: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserRiskLevels: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	DisplayName: pulumi.String("string"),
	State:       pulumi.String("string"),
	GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{
		Operator:                       pulumi.String("string"),
		AuthenticationStrengthPolicyId: pulumi.String("string"),
		BuiltInControls: pulumi.StringArray{
			pulumi.String("string"),
		},
		CustomAuthenticationFactors: pulumi.StringArray{
			pulumi.String("string"),
		},
		TermsOfUses: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	SessionControls: &azuread.ConditionalAccessPolicySessionControlsArgs{
		ApplicationEnforcedRestrictionsEnabled: pulumi.Bool(false),
		CloudAppSecurityPolicy:                 pulumi.String("string"),
		DisableResilienceDefaults:              pulumi.Bool(false),
		PersistentBrowserMode:                  pulumi.String("string"),
		SignInFrequency:                        pulumi.Int(0),
		SignInFrequencyAuthenticationType:      pulumi.String("string"),
		SignInFrequencyInterval:                pulumi.String("string"),
		SignInFrequencyPeriod:                  pulumi.String("string"),
	},
})
Copy
var conditionalAccessPolicyResource = new ConditionalAccessPolicy("conditionalAccessPolicyResource", ConditionalAccessPolicyArgs.builder()
    .conditions(ConditionalAccessPolicyConditionsArgs.builder()
        .applications(ConditionalAccessPolicyConditionsApplicationsArgs.builder()
            .excludedApplications("string")
            .includedApplications("string")
            .includedUserActions("string")
            .build())
        .clientAppTypes("string")
        .users(ConditionalAccessPolicyConditionsUsersArgs.builder()
            .excludedGroups("string")
            .excludedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.builder()
                .guestOrExternalUserTypes("string")
                .externalTenants(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.builder()
                    .membershipKind("string")
                    .members("string")
                    .build())
                .build())
            .excludedRoles("string")
            .excludedUsers("string")
            .includedGroups("string")
            .includedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.builder()
                .guestOrExternalUserTypes("string")
                .externalTenants(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.builder()
                    .membershipKind("string")
                    .members("string")
                    .build())
                .build())
            .includedRoles("string")
            .includedUsers("string")
            .build())
        .clientApplications(ConditionalAccessPolicyConditionsClientApplicationsArgs.builder()
            .excludedServicePrincipals("string")
            .includedServicePrincipals("string")
            .build())
        .devices(ConditionalAccessPolicyConditionsDevicesArgs.builder()
            .filter(ConditionalAccessPolicyConditionsDevicesFilterArgs.builder()
                .mode("string")
                .rule("string")
                .build())
            .build())
        .insiderRiskLevels("string")
        .locations(ConditionalAccessPolicyConditionsLocationsArgs.builder()
            .includedLocations("string")
            .excludedLocations("string")
            .build())
        .platforms(ConditionalAccessPolicyConditionsPlatformsArgs.builder()
            .includedPlatforms("string")
            .excludedPlatforms("string")
            .build())
        .servicePrincipalRiskLevels("string")
        .signInRiskLevels("string")
        .userRiskLevels("string")
        .build())
    .displayName("string")
    .state("string")
    .grantControls(ConditionalAccessPolicyGrantControlsArgs.builder()
        .operator("string")
        .authenticationStrengthPolicyId("string")
        .builtInControls("string")
        .customAuthenticationFactors("string")
        .termsOfUses("string")
        .build())
    .sessionControls(ConditionalAccessPolicySessionControlsArgs.builder()
        .applicationEnforcedRestrictionsEnabled(false)
        .cloudAppSecurityPolicy("string")
        .disableResilienceDefaults(false)
        .persistentBrowserMode("string")
        .signInFrequency(0)
        .signInFrequencyAuthenticationType("string")
        .signInFrequencyInterval("string")
        .signInFrequencyPeriod("string")
        .build())
    .build());
Copy
conditional_access_policy_resource = azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource",
    conditions={
        "applications": {
            "excluded_applications": ["string"],
            "included_applications": ["string"],
            "included_user_actions": ["string"],
        },
        "client_app_types": ["string"],
        "users": {
            "excluded_groups": ["string"],
            "excluded_guests_or_external_users": [{
                "guest_or_external_user_types": ["string"],
                "external_tenants": [{
                    "membership_kind": "string",
                    "members": ["string"],
                }],
            }],
            "excluded_roles": ["string"],
            "excluded_users": ["string"],
            "included_groups": ["string"],
            "included_guests_or_external_users": [{
                "guest_or_external_user_types": ["string"],
                "external_tenants": [{
                    "membership_kind": "string",
                    "members": ["string"],
                }],
            }],
            "included_roles": ["string"],
            "included_users": ["string"],
        },
        "client_applications": {
            "excluded_service_principals": ["string"],
            "included_service_principals": ["string"],
        },
        "devices": {
            "filter": {
                "mode": "string",
                "rule": "string",
            },
        },
        "insider_risk_levels": "string",
        "locations": {
            "included_locations": ["string"],
            "excluded_locations": ["string"],
        },
        "platforms": {
            "included_platforms": ["string"],
            "excluded_platforms": ["string"],
        },
        "service_principal_risk_levels": ["string"],
        "sign_in_risk_levels": ["string"],
        "user_risk_levels": ["string"],
    },
    display_name="string",
    state="string",
    grant_controls={
        "operator": "string",
        "authentication_strength_policy_id": "string",
        "built_in_controls": ["string"],
        "custom_authentication_factors": ["string"],
        "terms_of_uses": ["string"],
    },
    session_controls={
        "application_enforced_restrictions_enabled": False,
        "cloud_app_security_policy": "string",
        "disable_resilience_defaults": False,
        "persistent_browser_mode": "string",
        "sign_in_frequency": 0,
        "sign_in_frequency_authentication_type": "string",
        "sign_in_frequency_interval": "string",
        "sign_in_frequency_period": "string",
    })
Copy
const conditionalAccessPolicyResource = new azuread.ConditionalAccessPolicy("conditionalAccessPolicyResource", {
    conditions: {
        applications: {
            excludedApplications: ["string"],
            includedApplications: ["string"],
            includedUserActions: ["string"],
        },
        clientAppTypes: ["string"],
        users: {
            excludedGroups: ["string"],
            excludedGuestsOrExternalUsers: [{
                guestOrExternalUserTypes: ["string"],
                externalTenants: [{
                    membershipKind: "string",
                    members: ["string"],
                }],
            }],
            excludedRoles: ["string"],
            excludedUsers: ["string"],
            includedGroups: ["string"],
            includedGuestsOrExternalUsers: [{
                guestOrExternalUserTypes: ["string"],
                externalTenants: [{
                    membershipKind: "string",
                    members: ["string"],
                }],
            }],
            includedRoles: ["string"],
            includedUsers: ["string"],
        },
        clientApplications: {
            excludedServicePrincipals: ["string"],
            includedServicePrincipals: ["string"],
        },
        devices: {
            filter: {
                mode: "string",
                rule: "string",
            },
        },
        insiderRiskLevels: "string",
        locations: {
            includedLocations: ["string"],
            excludedLocations: ["string"],
        },
        platforms: {
            includedPlatforms: ["string"],
            excludedPlatforms: ["string"],
        },
        servicePrincipalRiskLevels: ["string"],
        signInRiskLevels: ["string"],
        userRiskLevels: ["string"],
    },
    displayName: "string",
    state: "string",
    grantControls: {
        operator: "string",
        authenticationStrengthPolicyId: "string",
        builtInControls: ["string"],
        customAuthenticationFactors: ["string"],
        termsOfUses: ["string"],
    },
    sessionControls: {
        applicationEnforcedRestrictionsEnabled: false,
        cloudAppSecurityPolicy: "string",
        disableResilienceDefaults: false,
        persistentBrowserMode: "string",
        signInFrequency: 0,
        signInFrequencyAuthenticationType: "string",
        signInFrequencyInterval: "string",
        signInFrequencyPeriod: "string",
    },
});
Copy
type: azuread:ConditionalAccessPolicy
properties:
    conditions:
        applications:
            excludedApplications:
                - string
            includedApplications:
                - string
            includedUserActions:
                - string
        clientAppTypes:
            - string
        clientApplications:
            excludedServicePrincipals:
                - string
            includedServicePrincipals:
                - string
        devices:
            filter:
                mode: string
                rule: string
        insiderRiskLevels: string
        locations:
            excludedLocations:
                - string
            includedLocations:
                - string
        platforms:
            excludedPlatforms:
                - string
            includedPlatforms:
                - string
        servicePrincipalRiskLevels:
            - string
        signInRiskLevels:
            - string
        userRiskLevels:
            - string
        users:
            excludedGroups:
                - string
            excludedGuestsOrExternalUsers:
                - externalTenants:
                    - members:
                        - string
                      membershipKind: string
                  guestOrExternalUserTypes:
                    - string
            excludedRoles:
                - string
            excludedUsers:
                - string
            includedGroups:
                - string
            includedGuestsOrExternalUsers:
                - externalTenants:
                    - members:
                        - string
                      membershipKind: string
                  guestOrExternalUserTypes:
                    - string
            includedRoles:
                - string
            includedUsers:
                - string
    displayName: string
    grantControls:
        authenticationStrengthPolicyId: string
        builtInControls:
            - string
        customAuthenticationFactors:
            - string
        operator: string
        termsOfUses:
            - string
    sessionControls:
        applicationEnforcedRestrictionsEnabled: false
        cloudAppSecurityPolicy: string
        disableResilienceDefaults: false
        persistentBrowserMode: string
        signInFrequency: 0
        signInFrequencyAuthenticationType: string
        signInFrequencyInterval: string
        signInFrequencyPeriod: string
    state: string
Copy

ConditionalAccessPolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ConditionalAccessPolicy resource accepts the following input properties:

Conditions This property is required. Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName This property is required. string
The friendly name for this Conditional Access Policy.
State This property is required. string
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

Conditions This property is required. ConditionalAccessPolicyConditionsArgs
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName This property is required. string
The friendly name for this Conditional Access Policy.
State This property is required. string
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
GrantControls ConditionalAccessPolicyGrantControlsArgs
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
SessionControls ConditionalAccessPolicySessionControlsArgs

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

conditions This property is required. ConditionalAccessPolicyConditions
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName This property is required. String
The friendly name for this Conditional Access Policy.
state This property is required. String
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
grantControls ConditionalAccessPolicyGrantControls
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
sessionControls ConditionalAccessPolicySessionControls

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

conditions This property is required. ConditionalAccessPolicyConditions
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName This property is required. string
The friendly name for this Conditional Access Policy.
state This property is required. string
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
grantControls ConditionalAccessPolicyGrantControls
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
sessionControls ConditionalAccessPolicySessionControls

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

conditions This property is required. ConditionalAccessPolicyConditionsArgs
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
display_name This property is required. str
The friendly name for this Conditional Access Policy.
state This property is required. str
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
grant_controls ConditionalAccessPolicyGrantControlsArgs
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
session_controls ConditionalAccessPolicySessionControlsArgs

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

conditions This property is required. Property Map
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName This property is required. String
The friendly name for this Conditional Access Policy.
state This property is required. String
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
grantControls Property Map
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
sessionControls Property Map

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

Outputs

All input properties are implicitly available as output properties. Additionally, the ConditionalAccessPolicy resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
ObjectId string
The object ID of the policy
Id string
The provider-assigned unique ID for this managed resource.
ObjectId string
The object ID of the policy
id String
The provider-assigned unique ID for this managed resource.
objectId String
The object ID of the policy
id string
The provider-assigned unique ID for this managed resource.
objectId string
The object ID of the policy
id str
The provider-assigned unique ID for this managed resource.
object_id str
The object ID of the policy
id String
The provider-assigned unique ID for this managed resource.
objectId String
The object ID of the policy

Look up Existing ConditionalAccessPolicy Resource

Get an existing ConditionalAccessPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ConditionalAccessPolicyState, opts?: CustomResourceOptions): ConditionalAccessPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        conditions: Optional[ConditionalAccessPolicyConditionsArgs] = None,
        display_name: Optional[str] = None,
        grant_controls: Optional[ConditionalAccessPolicyGrantControlsArgs] = None,
        object_id: Optional[str] = None,
        session_controls: Optional[ConditionalAccessPolicySessionControlsArgs] = None,
        state: Optional[str] = None) -> ConditionalAccessPolicy
func GetConditionalAccessPolicy(ctx *Context, name string, id IDInput, state *ConditionalAccessPolicyState, opts ...ResourceOption) (*ConditionalAccessPolicy, error)
public static ConditionalAccessPolicy Get(string name, Input<string> id, ConditionalAccessPolicyState? state, CustomResourceOptions? opts = null)
public static ConditionalAccessPolicy get(String name, Output<String> id, ConditionalAccessPolicyState state, CustomResourceOptions options)
resources:  _:    type: azuread:ConditionalAccessPolicy    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Conditions Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditions
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName string
The friendly name for this Conditional Access Policy.
GrantControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicyGrantControls
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
ObjectId string
The object ID of the policy
SessionControls Pulumi.AzureAD.Inputs.ConditionalAccessPolicySessionControls

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

State string
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
Conditions ConditionalAccessPolicyConditionsArgs
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
DisplayName string
The friendly name for this Conditional Access Policy.
GrantControls ConditionalAccessPolicyGrantControlsArgs
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
ObjectId string
The object ID of the policy
SessionControls ConditionalAccessPolicySessionControlsArgs

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

State string
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
conditions ConditionalAccessPolicyConditions
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName String
The friendly name for this Conditional Access Policy.
grantControls ConditionalAccessPolicyGrantControls
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
objectId String
The object ID of the policy
sessionControls ConditionalAccessPolicySessionControls

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

state String
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
conditions ConditionalAccessPolicyConditions
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName string
The friendly name for this Conditional Access Policy.
grantControls ConditionalAccessPolicyGrantControls
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
objectId string
The object ID of the policy
sessionControls ConditionalAccessPolicySessionControls

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

state string
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
conditions ConditionalAccessPolicyConditionsArgs
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
display_name str
The friendly name for this Conditional Access Policy.
grant_controls ConditionalAccessPolicyGrantControlsArgs
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
object_id str
The object ID of the policy
session_controls ConditionalAccessPolicySessionControlsArgs

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

state str
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced
conditions Property Map
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
displayName String
The friendly name for this Conditional Access Policy.
grantControls Property Map
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
objectId String
The object ID of the policy
sessionControls Property Map

A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.

Note: At least one of grant_controls and/or session_controls blocks must be specified.

state String
Specifies the state of the policy object. Possible values are: enabled, disabled and enabledForReportingButNotEnforced

Supporting Types

ConditionalAccessPolicyConditions
, ConditionalAccessPolicyConditionsArgs

Applications This property is required. Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsApplications
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
ClientAppTypes This property is required. List<string>
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
Users This property is required. Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsers
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
ClientApplications Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsClientApplications
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
Devices Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsDevices
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
InsiderRiskLevels string
The insider risk level in the policy. Possible values are: minor, moderate, elevated, unknownFutureValue.
Locations Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsLocations
A locations block as documented below, which specifies locations included in and excluded from the policy.
Platforms Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsPlatforms
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
ServicePrincipalRiskLevels List<string>
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
SignInRiskLevels List<string>
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
UserRiskLevels List<string>
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
Applications This property is required. ConditionalAccessPolicyConditionsApplications
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
ClientAppTypes This property is required. []string
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
Users This property is required. ConditionalAccessPolicyConditionsUsers
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
ClientApplications ConditionalAccessPolicyConditionsClientApplications
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
Devices ConditionalAccessPolicyConditionsDevices
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
InsiderRiskLevels string
The insider risk level in the policy. Possible values are: minor, moderate, elevated, unknownFutureValue.
Locations ConditionalAccessPolicyConditionsLocations
A locations block as documented below, which specifies locations included in and excluded from the policy.
Platforms ConditionalAccessPolicyConditionsPlatforms
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
ServicePrincipalRiskLevels []string
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
SignInRiskLevels []string
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
UserRiskLevels []string
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
applications This property is required. ConditionalAccessPolicyConditionsApplications
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
clientAppTypes This property is required. List<String>
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users This property is required. ConditionalAccessPolicyConditionsUsers
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
clientApplications ConditionalAccessPolicyConditionsClientApplications
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
devices ConditionalAccessPolicyConditionsDevices
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
insiderRiskLevels String
The insider risk level in the policy. Possible values are: minor, moderate, elevated, unknownFutureValue.
locations ConditionalAccessPolicyConditionsLocations
A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms ConditionalAccessPolicyConditionsPlatforms
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
servicePrincipalRiskLevels List<String>
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
signInRiskLevels List<String>
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
userRiskLevels List<String>
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
applications This property is required. ConditionalAccessPolicyConditionsApplications
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
clientAppTypes This property is required. string[]
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users This property is required. ConditionalAccessPolicyConditionsUsers
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
clientApplications ConditionalAccessPolicyConditionsClientApplications
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
devices ConditionalAccessPolicyConditionsDevices
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
insiderRiskLevels string
The insider risk level in the policy. Possible values are: minor, moderate, elevated, unknownFutureValue.
locations ConditionalAccessPolicyConditionsLocations
A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms ConditionalAccessPolicyConditionsPlatforms
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
servicePrincipalRiskLevels string[]
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
signInRiskLevels string[]
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
userRiskLevels string[]
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
applications This property is required. ConditionalAccessPolicyConditionsApplications
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
client_app_types This property is required. Sequence[str]
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users This property is required. ConditionalAccessPolicyConditionsUsers
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
client_applications ConditionalAccessPolicyConditionsClientApplications
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
devices ConditionalAccessPolicyConditionsDevices
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
insider_risk_levels str
The insider risk level in the policy. Possible values are: minor, moderate, elevated, unknownFutureValue.
locations ConditionalAccessPolicyConditionsLocations
A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms ConditionalAccessPolicyConditionsPlatforms
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
service_principal_risk_levels Sequence[str]
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
sign_in_risk_levels Sequence[str]
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
user_risk_levels Sequence[str]
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
applications This property is required. Property Map
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
clientAppTypes This property is required. List<String>
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
users This property is required. Property Map
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
clientApplications Property Map
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
devices Property Map
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
insiderRiskLevels String
The insider risk level in the policy. Possible values are: minor, moderate, elevated, unknownFutureValue.
locations Property Map
A locations block as documented below, which specifies locations included in and excluded from the policy.
platforms Property Map
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
servicePrincipalRiskLevels List<String>
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
signInRiskLevels List<String>
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
userRiskLevels List<String>
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.

ConditionalAccessPolicyConditionsApplications
, ConditionalAccessPolicyConditionsApplicationsArgs

ExcludedApplications List<string>
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
IncludedApplications List<string>
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
IncludedUserActions List<string>
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
ExcludedApplications []string
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
IncludedApplications []string
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
IncludedUserActions []string
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
excludedApplications List<String>
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
includedApplications List<String>
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
includedUserActions List<String>
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
excludedApplications string[]
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
includedApplications string[]
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
includedUserActions string[]
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
excluded_applications Sequence[str]
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
included_applications Sequence[str]
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
included_user_actions Sequence[str]
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
excludedApplications List<String>
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
includedApplications List<String>
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
includedUserActions List<String>
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.

ConditionalAccessPolicyConditionsClientApplications
, ConditionalAccessPolicyConditionsClientApplicationsArgs

ExcludedServicePrincipals List<string>
A list of service principal IDs explicitly excluded in the policy.
IncludedServicePrincipals List<string>
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
ExcludedServicePrincipals []string
A list of service principal IDs explicitly excluded in the policy.
IncludedServicePrincipals []string
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
excludedServicePrincipals List<String>
A list of service principal IDs explicitly excluded in the policy.
includedServicePrincipals List<String>
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
excludedServicePrincipals string[]
A list of service principal IDs explicitly excluded in the policy.
includedServicePrincipals string[]
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
excluded_service_principals Sequence[str]
A list of service principal IDs explicitly excluded in the policy.
included_service_principals Sequence[str]
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
excludedServicePrincipals List<String>
A list of service principal IDs explicitly excluded in the policy.
includedServicePrincipals List<String>
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.

ConditionalAccessPolicyConditionsDevices
, ConditionalAccessPolicyConditionsDevicesArgs

Filter ConditionalAccessPolicyConditionsDevicesFilter
A filter block as described below.
filter ConditionalAccessPolicyConditionsDevicesFilter
A filter block as described below.
filter ConditionalAccessPolicyConditionsDevicesFilter
A filter block as described below.
filter ConditionalAccessPolicyConditionsDevicesFilter
A filter block as described below.
filter Property Map
A filter block as described below.

ConditionalAccessPolicyConditionsDevicesFilter
, ConditionalAccessPolicyConditionsDevicesFilterArgs

Mode This property is required. string
Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
Rule This property is required. string
Condition filter to match devices. For more information, see official documentation.
Mode This property is required. string
Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
Rule This property is required. string
Condition filter to match devices. For more information, see official documentation.
mode This property is required. String
Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule This property is required. String
Condition filter to match devices. For more information, see official documentation.
mode This property is required. string
Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule This property is required. string
Condition filter to match devices. For more information, see official documentation.
mode This property is required. str
Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule This property is required. str
Condition filter to match devices. For more information, see official documentation.
mode This property is required. String
Whether to include in, or exclude from, matching devices from the policy. Supported values are include or exclude.
rule This property is required. String
Condition filter to match devices. For more information, see official documentation.

ConditionalAccessPolicyConditionsLocations
, ConditionalAccessPolicyConditionsLocationsArgs

IncludedLocations This property is required. List<string>
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
ExcludedLocations List<string>
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
IncludedLocations This property is required. []string
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
ExcludedLocations []string
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
includedLocations This property is required. List<String>
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excludedLocations List<String>
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
includedLocations This property is required. string[]
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excludedLocations string[]
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
included_locations This property is required. Sequence[str]
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excluded_locations Sequence[str]
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
includedLocations This property is required. List<String>
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
excludedLocations List<String>
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.

ConditionalAccessPolicyConditionsPlatforms
, ConditionalAccessPolicyConditionsPlatformsArgs

IncludedPlatforms This property is required. List<string>
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
ExcludedPlatforms List<string>
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
IncludedPlatforms This property is required. []string
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
ExcludedPlatforms []string
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
includedPlatforms This property is required. List<String>
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excludedPlatforms List<String>
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
includedPlatforms This property is required. string[]
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excludedPlatforms string[]
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
included_platforms This property is required. Sequence[str]
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excluded_platforms Sequence[str]
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
includedPlatforms This property is required. List<String>
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
excludedPlatforms List<String>
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.

ConditionalAccessPolicyConditionsUsers
, ConditionalAccessPolicyConditionsUsersArgs

ExcludedGroups List<string>
A list of group IDs excluded from scope of policy.
ExcludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser>
A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
ExcludedRoles List<string>
A list of role IDs excluded from scope of policy.
ExcludedUsers List<string>
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
IncludedGroups List<string>
A list of group IDs in scope of policy unless explicitly excluded.
IncludedGuestsOrExternalUsers List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser>
A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
IncludedRoles List<string>
A list of role IDs in scope of policy unless explicitly excluded.
IncludedUsers List<string>

A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

ExcludedGroups []string
A list of group IDs excluded from scope of policy.
ExcludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser
A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
ExcludedRoles []string
A list of role IDs excluded from scope of policy.
ExcludedUsers []string
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
IncludedGroups []string
A list of group IDs in scope of policy unless explicitly excluded.
IncludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser
A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
IncludedRoles []string
A list of role IDs in scope of policy unless explicitly excluded.
IncludedUsers []string

A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

excludedGroups List<String>
A list of group IDs excluded from scope of policy.
excludedGuestsOrExternalUsers List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser>
A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
excludedRoles List<String>
A list of role IDs excluded from scope of policy.
excludedUsers List<String>
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
includedGroups List<String>
A list of group IDs in scope of policy unless explicitly excluded.
includedGuestsOrExternalUsers List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser>
A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
includedRoles List<String>
A list of role IDs in scope of policy unless explicitly excluded.
includedUsers List<String>

A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

excludedGroups string[]
A list of group IDs excluded from scope of policy.
excludedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser[]
A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
excludedRoles string[]
A list of role IDs excluded from scope of policy.
excludedUsers string[]
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
includedGroups string[]
A list of group IDs in scope of policy unless explicitly excluded.
includedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser[]
A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
includedRoles string[]
A list of role IDs in scope of policy unless explicitly excluded.
includedUsers string[]

A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

excluded_groups Sequence[str]
A list of group IDs excluded from scope of policy.
excluded_guests_or_external_users Sequence[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser]
A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
excluded_roles Sequence[str]
A list of role IDs excluded from scope of policy.
excluded_users Sequence[str]
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
included_groups Sequence[str]
A list of group IDs in scope of policy unless explicitly excluded.
included_guests_or_external_users Sequence[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser]
A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
included_roles Sequence[str]
A list of role IDs in scope of policy unless explicitly excluded.
included_users Sequence[str]

A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

excludedGroups List<String>
A list of group IDs excluded from scope of policy.
excludedGuestsOrExternalUsers List<Property Map>
A guests_or_external_users block as documented below, which specifies internal guests and external users excluded from scope of policy.
excludedRoles List<String>
A list of role IDs excluded from scope of policy.
excludedUsers List<String>
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
includedGroups List<String>
A list of group IDs in scope of policy unless explicitly excluded.
includedGuestsOrExternalUsers List<Property Map>
A guests_or_external_users block as documented below, which specifies internal guests and external users in scope of policy.
includedRoles List<String>
A list of role IDs in scope of policy unless explicitly excluded.
includedUsers List<String>

A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.

At least one of included_groups, included_guests_or_external_users, included_roles or included_users must be specified.

ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser
, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs

GuestOrExternalUserTypes This property is required. List<string>
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
ExternalTenants List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant>
An external_tenants block as documented below, which specifies external tenants in a policy scope.
GuestOrExternalUserTypes This property is required. []string
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
ExternalTenants []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guestOrExternalUserTypes This property is required. List<String>
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
externalTenants List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant>
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guestOrExternalUserTypes This property is required. string[]
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
externalTenants ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant[]
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guest_or_external_user_types This property is required. Sequence[str]
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
external_tenants Sequence[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant]
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guestOrExternalUserTypes This property is required. List<String>
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
externalTenants List<Property Map>
An external_tenants block as documented below, which specifies external tenants in a policy scope.

ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant
, ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs

MembershipKind This property is required. string
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
Members List<string>
A list tenant IDs. Can only be specified if membership_kind is enumerated.
MembershipKind This property is required. string
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
Members []string
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membershipKind This property is required. String
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members List<String>
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membershipKind This property is required. string
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members string[]
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membership_kind This property is required. str
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members Sequence[str]
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membershipKind This property is required. String
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members List<String>
A list tenant IDs. Can only be specified if membership_kind is enumerated.

ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser
, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs

GuestOrExternalUserTypes This property is required. List<string>
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
ExternalTenants List<Pulumi.AzureAD.Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant>
An external_tenants block as documented below, which specifies external tenants in a policy scope.
GuestOrExternalUserTypes This property is required. []string
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
ExternalTenants []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guestOrExternalUserTypes This property is required. List<String>
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
externalTenants List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant>
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guestOrExternalUserTypes This property is required. string[]
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
externalTenants ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant[]
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guest_or_external_user_types This property is required. Sequence[str]
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
external_tenants Sequence[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant]
An external_tenants block as documented below, which specifies external tenants in a policy scope.
guestOrExternalUserTypes This property is required. List<String>
A list of guest or external user types. Possible values are: b2bCollaborationGuest, b2bCollaborationMember, b2bDirectConnectUser, internalGuest, none, otherExternalUser, serviceProvider, unknownFutureValue.
externalTenants List<Property Map>
An external_tenants block as documented below, which specifies external tenants in a policy scope.

ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant
, ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs

MembershipKind This property is required. string
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
Members List<string>
A list tenant IDs. Can only be specified if membership_kind is enumerated.
MembershipKind This property is required. string
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
Members []string
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membershipKind This property is required. String
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members List<String>
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membershipKind This property is required. string
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members string[]
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membership_kind This property is required. str
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members Sequence[str]
A list tenant IDs. Can only be specified if membership_kind is enumerated.
membershipKind This property is required. String
The external tenant membership kind. Possible values are: all, enumerated, unknownFutureValue.
members List<String>
A list tenant IDs. Can only be specified if membership_kind is enumerated.

ConditionalAccessPolicyGrantControls
, ConditionalAccessPolicyGrantControlsArgs

Operator This property is required. string
Defines the relationship of the grant controls. Possible values are: AND, OR.
AuthenticationStrengthPolicyId string
ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: /policies/authenticationStrengthPolicies/.
BuiltInControls List<string>
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
CustomAuthenticationFactors List<string>
List of custom controls IDs required by the policy.
TermsOfUses List<string>

List of terms of use IDs required by the policy.

At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

Operator This property is required. string
Defines the relationship of the grant controls. Possible values are: AND, OR.
AuthenticationStrengthPolicyId string
ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: /policies/authenticationStrengthPolicies/.
BuiltInControls []string
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
CustomAuthenticationFactors []string
List of custom controls IDs required by the policy.
TermsOfUses []string

List of terms of use IDs required by the policy.

At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

operator This property is required. String
Defines the relationship of the grant controls. Possible values are: AND, OR.
authenticationStrengthPolicyId String
ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: /policies/authenticationStrengthPolicies/.
builtInControls List<String>
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
customAuthenticationFactors List<String>
List of custom controls IDs required by the policy.
termsOfUses List<String>

List of terms of use IDs required by the policy.

At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

operator This property is required. string
Defines the relationship of the grant controls. Possible values are: AND, OR.
authenticationStrengthPolicyId string
ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: /policies/authenticationStrengthPolicies/.
builtInControls string[]
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
customAuthenticationFactors string[]
List of custom controls IDs required by the policy.
termsOfUses string[]

List of terms of use IDs required by the policy.

At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

operator This property is required. str
Defines the relationship of the grant controls. Possible values are: AND, OR.
authentication_strength_policy_id str
ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: /policies/authenticationStrengthPolicies/.
built_in_controls Sequence[str]
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
custom_authentication_factors Sequence[str]
List of custom controls IDs required by the policy.
terms_of_uses Sequence[str]

List of terms of use IDs required by the policy.

At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

operator This property is required. String
Defines the relationship of the grant controls. Possible values are: AND, OR.
authenticationStrengthPolicyId String
ID of an Authentication Strength Policy to use in this policy. When using a hard-coded ID, the UUID value should be prefixed with: /policies/authenticationStrengthPolicies/.
builtInControls List<String>
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
customAuthenticationFactors List<String>
List of custom controls IDs required by the policy.
termsOfUses List<String>

List of terms of use IDs required by the policy.

At least one of authentication_strength_policy_id, built_in_controls or terms_of_use must be specified.

ConditionalAccessPolicySessionControls
, ConditionalAccessPolicySessionControlsArgs

ApplicationEnforcedRestrictionsEnabled bool

Whether application enforced restrictions are enabled. Defaults to false.

Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

CloudAppSecurityPolicy string
Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
DisableResilienceDefaults bool
Disables resilience defaults. Defaults to false.
PersistentBrowserMode string
Session control to define whether to persist cookies. Possible values are: always or never.
SignInFrequency int
Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
SignInFrequencyAuthenticationType string
Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
SignInFrequencyInterval string
The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
SignInFrequencyPeriod string
The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
ApplicationEnforcedRestrictionsEnabled bool

Whether application enforced restrictions are enabled. Defaults to false.

Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

CloudAppSecurityPolicy string
Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
DisableResilienceDefaults bool
Disables resilience defaults. Defaults to false.
PersistentBrowserMode string
Session control to define whether to persist cookies. Possible values are: always or never.
SignInFrequency int
Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
SignInFrequencyAuthenticationType string
Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
SignInFrequencyInterval string
The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
SignInFrequencyPeriod string
The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
applicationEnforcedRestrictionsEnabled Boolean

Whether application enforced restrictions are enabled. Defaults to false.

Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

cloudAppSecurityPolicy String
Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
disableResilienceDefaults Boolean
Disables resilience defaults. Defaults to false.
persistentBrowserMode String
Session control to define whether to persist cookies. Possible values are: always or never.
signInFrequency Integer
Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
signInFrequencyAuthenticationType String
Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
signInFrequencyInterval String
The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
signInFrequencyPeriod String
The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
applicationEnforcedRestrictionsEnabled boolean

Whether application enforced restrictions are enabled. Defaults to false.

Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

cloudAppSecurityPolicy string
Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
disableResilienceDefaults boolean
Disables resilience defaults. Defaults to false.
persistentBrowserMode string
Session control to define whether to persist cookies. Possible values are: always or never.
signInFrequency number
Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
signInFrequencyAuthenticationType string
Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
signInFrequencyInterval string
The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
signInFrequencyPeriod string
The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
application_enforced_restrictions_enabled bool

Whether application enforced restrictions are enabled. Defaults to false.

Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

cloud_app_security_policy str
Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
disable_resilience_defaults bool
Disables resilience defaults. Defaults to false.
persistent_browser_mode str
Session control to define whether to persist cookies. Possible values are: always or never.
sign_in_frequency int
Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
sign_in_frequency_authentication_type str
Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
sign_in_frequency_interval str
The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
sign_in_frequency_period str
The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.
applicationEnforcedRestrictionsEnabled Boolean

Whether application enforced restrictions are enabled. Defaults to false.

Only Office 365, Exchange Online and Sharepoint Online support application enforced restrictions.

cloudAppSecurityPolicy String
Enables cloud app security and specifies the cloud app security policy to use. Possible values are: blockDownloads, mcasConfigured, monitorOnly or unknownFutureValue.
disableResilienceDefaults Boolean
Disables resilience defaults. Defaults to false.
persistentBrowserMode String
Session control to define whether to persist cookies. Possible values are: always or never.
signInFrequency Number
Number of days or hours to enforce sign-in frequency. Required when sign_in_frequency_period is specified.
signInFrequencyAuthenticationType String
Authentication type for enforcing sign-in frequency. Possible values are: primaryAndSecondaryAuthentication or secondaryAuthentication. Defaults to primaryAndSecondaryAuthentication.
signInFrequencyInterval String
The interval to apply to sign-in frequency control. Possible values are: timeBased or everyTime. Defaults to timeBased.
signInFrequencyPeriod String
The time period to enforce sign-in frequency. Possible values are: hours or days. Required when sign_in_frequency_period is specified.

Import

Conditional Access Policies can be imported using the id, e.g.

$ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License
Apache-2.0
Notes
This Pulumi package is based on the azuread Terraform Provider.