Azure Active Directory (Azure AD) v6.2.0, Jan 21 25

Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

azuread.ServicePrincipal

Explore with Pulumi AI

Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

Example Usage

Create a service principal for an application

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.Application("example", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
    clientId: example.clientId,
    appRoleAssignmentRequired: false,
    owners: [current.then(current => current.objectId)],
});

import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.Application("example",
    display_name="example",
    owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("example",
    client_id=example.client_id,
    app_role_assignment_required=False,
    owners=[current.object_id])

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId:                  example.ClientId,
			AppRoleAssignmentRequired: pulumi.Bool(false),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
        AppRoleAssignmentRequired = false,
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .appRoleAssignmentRequired(false)
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

    }
}

resources:
  example:
    type: azuread:Application
    properties:
      displayName: example
      owners:
        - ${current.objectId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
      appRoleAssignmentRequired: false
      owners:
        - ${current.objectId}
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

Create a service principal for an enterprise application

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const current = azuread.getClientConfig({});
const example = new azuread.Application("example", {
    displayName: "example",
    owners: [current.then(current => current.objectId)],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
    clientId: example.clientId,
    appRoleAssignmentRequired: false,
    owners: [current.then(current => current.objectId)],
    featureTags: [{
        enterprise: true,
        gallery: true,
    }],
});

import pulumi
import pulumi_azuread as azuread

current = azuread.get_client_config()
example = azuread.Application("example",
    display_name="example",
    owners=[current.object_id])
example_service_principal = azuread.ServicePrincipal("example",
    client_id=example.client_id,
    app_role_assignment_required=False,
    owners=[current.object_id],
    feature_tags=[{
        "enterprise": True,
        "gallery": True,
    }])

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		current, err := azuread.GetClientConfig(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId:                  example.ClientId,
			AppRoleAssignmentRequired: pulumi.Bool(false),
			Owners: pulumi.StringArray{
				pulumi.String(current.ObjectId),
			},
			FeatureTags: azuread.ServicePrincipalFeatureTagArray{
				&azuread.ServicePrincipalFeatureTagArgs{
					Enterprise: pulumi.Bool(true),
					Gallery:    pulumi.Bool(true),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var current = AzureAD.GetClientConfig.Invoke();

    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
        AppRoleAssignmentRequired = false,
        Owners = new[]
        {
            current.Apply(getClientConfigResult => getClientConfigResult.ObjectId),
        },
        FeatureTags = new[]
        {
            new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
            {
                Enterprise = true,
                Gallery = true,
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var current = AzureadFunctions.getClientConfig();

        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .appRoleAssignmentRequired(false)
            .owners(current.applyValue(getClientConfigResult -> getClientConfigResult.objectId()))
            .featureTags(ServicePrincipalFeatureTagArgs.builder()
                .enterprise(true)
                .gallery(true)
                .build())
            .build());

    }
}

resources:
  example:
    type: azuread:Application
    properties:
      displayName: example
      owners:
        - ${current.objectId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
      appRoleAssignmentRequired: false
      owners:
        - ${current.objectId}
      featureTags:
        - enterprise: true
          gallery: true
variables:
  current:
    fn::invoke:
      function: azuread:getClientConfig
      arguments: {}

Manage a service principal for a first-party Microsoft application

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
    clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
    useExisting: true,
});

import pulumi
import pulumi_azuread as azuread

well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
    client_id=well_known.result["microsoftGraph"],
    use_existing=True)

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
			ClientId:    pulumi.String(wellKnown.Result.MicrosoftGraph),
			UseExisting: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();

    var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
    {
        ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
        UseExisting = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();

        var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
            .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
            .useExisting(true)
            .build());

    }
}

resources:
  msgraph:
    type: azuread:ServicePrincipal
    properties:
      clientId: ${wellKnown.result.microsoftGraph}
      useExisting: true
variables:
  wellKnown:
    fn::invoke:
      function: azuread:getApplicationPublishedAppIds
      arguments: {}

Create a service principal for an application created from a gallery template

TypeScript
Python
Go
C#
Java
YAML

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = azuread.getApplicationTemplate({
    displayName: "Marketo",
});
const exampleApplication = new azuread.Application("example", {
    displayName: "example",
    templateId: example.then(example => example.templateId),
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {
    clientId: exampleApplication.clientId,
    useExisting: true,
});

import pulumi
import pulumi_azuread as azuread

example = azuread.get_application_template(display_name="Marketo")
example_application = azuread.Application("example",
    display_name="example",
    template_id=example.template_id)
example_service_principal = azuread.ServicePrincipal("example",
    client_id=example_application.client_id,
    use_existing=True)

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{
			DisplayName: pulumi.StringRef("Marketo"),
		}, nil)
		if err != nil {
			return err
		}
		exampleApplication, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			TemplateId:  pulumi.String(example.TemplateId),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId:    exampleApplication.ClientId,
			UseExisting: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = AzureAD.GetApplicationTemplate.Invoke(new()
    {
        DisplayName = "Marketo",
    });

    var exampleApplication = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        TemplateId = example.Apply(getApplicationTemplateResult => getApplicationTemplateResult.TemplateId),
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = exampleApplication.ClientId,
        UseExisting = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetApplicationTemplateArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()
            .displayName("Marketo")
            .build());

        var exampleApplication = new Application("exampleApplication", ApplicationArgs.builder()
            .displayName("example")
            .templateId(example.applyValue(getApplicationTemplateResult -> getApplicationTemplateResult.templateId()))
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(exampleApplication.clientId())
            .useExisting(true)
            .build());

    }
}

resources:
  exampleApplication:
    type: azuread:Application
    name: example
    properties:
      displayName: example
      templateId: ${example.templateId}
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${exampleApplication.clientId}
      useExisting: true
variables:
  example:
    fn::invoke:
      function: azuread:getApplicationTemplate
      arguments:
        displayName: Marketo

Create ServicePrincipal Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new ServicePrincipal(name: string, args: ServicePrincipalArgs, opts?: CustomResourceOptions);

@overload
def ServicePrincipal(resource_name: str,
                     args: ServicePrincipalArgs,
                     opts: Optional[ResourceOptions] = None)

@overload
def ServicePrincipal(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     client_id: Optional[str] = None,
                     features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
                     notes: Optional[str] = None,
                     alternative_names: Optional[Sequence[str]] = None,
                     description: Optional[str] = None,
                     feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
                     account_enabled: Optional[bool] = None,
                     login_url: Optional[str] = None,
                     app_role_assignment_required: Optional[bool] = None,
                     notification_email_addresses: Optional[Sequence[str]] = None,
                     owners: Optional[Sequence[str]] = None,
                     preferred_single_sign_on_mode: Optional[str] = None,
                     saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
                     tags: Optional[Sequence[str]] = None,
                     use_existing: Optional[bool] = None)

func NewServicePrincipal(ctx *Context, name string, args ServicePrincipalArgs, opts ...ResourceOption) (*ServicePrincipal, error)

public ServicePrincipal(string name, ServicePrincipalArgs args, CustomResourceOptions? opts = null)

public ServicePrincipal(String name, ServicePrincipalArgs args)
public ServicePrincipal(String name, ServicePrincipalArgs args, CustomResourceOptions options)

type: azuread:ServicePrincipal
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args ServicePrincipalArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ServicePrincipalArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ServicePrincipalArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ServicePrincipalArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ServicePrincipalArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var servicePrincipalResource = new AzureAD.ServicePrincipal("servicePrincipalResource", new()
{
    ClientId = "string",
    Notes = "string",
    AlternativeNames = new[]
    {
        "string",
    },
    Description = "string",
    FeatureTags = new[]
    {
        new AzureAD.Inputs.ServicePrincipalFeatureTagArgs
        {
            CustomSingleSignOn = false,
            Enterprise = false,
            Gallery = false,
            Hide = false,
        },
    },
    AccountEnabled = false,
    LoginUrl = "string",
    AppRoleAssignmentRequired = false,
    NotificationEmailAddresses = new[]
    {
        "string",
    },
    Owners = new[]
    {
        "string",
    },
    PreferredSingleSignOnMode = "string",
    SamlSingleSignOn = new AzureAD.Inputs.ServicePrincipalSamlSingleSignOnArgs
    {
        RelayState = "string",
    },
    Tags = new[]
    {
        "string",
    },
    UseExisting = false,
});

example, err := azuread.NewServicePrincipal(ctx, "servicePrincipalResource", &azuread.ServicePrincipalArgs{
	ClientId: pulumi.String("string"),
	Notes:    pulumi.String("string"),
	AlternativeNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	Description: pulumi.String("string"),
	FeatureTags: azuread.ServicePrincipalFeatureTagArray{
		&azuread.ServicePrincipalFeatureTagArgs{
			CustomSingleSignOn: pulumi.Bool(false),
			Enterprise:         pulumi.Bool(false),
			Gallery:            pulumi.Bool(false),
			Hide:               pulumi.Bool(false),
		},
	},
	AccountEnabled:            pulumi.Bool(false),
	LoginUrl:                  pulumi.String("string"),
	AppRoleAssignmentRequired: pulumi.Bool(false),
	NotificationEmailAddresses: pulumi.StringArray{
		pulumi.String("string"),
	},
	Owners: pulumi.StringArray{
		pulumi.String("string"),
	},
	PreferredSingleSignOnMode: pulumi.String("string"),
	SamlSingleSignOn: &azuread.ServicePrincipalSamlSingleSignOnArgs{
		RelayState: pulumi.String("string"),
	},
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	UseExisting: pulumi.Bool(false),
})

var servicePrincipalResource = new ServicePrincipal("servicePrincipalResource", ServicePrincipalArgs.builder()
    .clientId("string")
    .notes("string")
    .alternativeNames("string")
    .description("string")
    .featureTags(ServicePrincipalFeatureTagArgs.builder()
        .customSingleSignOn(false)
        .enterprise(false)
        .gallery(false)
        .hide(false)
        .build())
    .accountEnabled(false)
    .loginUrl("string")
    .appRoleAssignmentRequired(false)
    .notificationEmailAddresses("string")
    .owners("string")
    .preferredSingleSignOnMode("string")
    .samlSingleSignOn(ServicePrincipalSamlSingleSignOnArgs.builder()
        .relayState("string")
        .build())
    .tags("string")
    .useExisting(false)
    .build());

service_principal_resource = azuread.ServicePrincipal("servicePrincipalResource",
    client_id="string",
    notes="string",
    alternative_names=["string"],
    description="string",
    feature_tags=[{
        "custom_single_sign_on": False,
        "enterprise": False,
        "gallery": False,
        "hide": False,
    }],
    account_enabled=False,
    login_url="string",
    app_role_assignment_required=False,
    notification_email_addresses=["string"],
    owners=["string"],
    preferred_single_sign_on_mode="string",
    saml_single_sign_on={
        "relay_state": "string",
    },
    tags=["string"],
    use_existing=False)

const servicePrincipalResource = new azuread.ServicePrincipal("servicePrincipalResource", {
    clientId: "string",
    notes: "string",
    alternativeNames: ["string"],
    description: "string",
    featureTags: [{
        customSingleSignOn: false,
        enterprise: false,
        gallery: false,
        hide: false,
    }],
    accountEnabled: false,
    loginUrl: "string",
    appRoleAssignmentRequired: false,
    notificationEmailAddresses: ["string"],
    owners: ["string"],
    preferredSingleSignOnMode: "string",
    samlSingleSignOn: {
        relayState: "string",
    },
    tags: ["string"],
    useExisting: false,
});

type: azuread:ServicePrincipal
properties:
    accountEnabled: false
    alternativeNames:
        - string
    appRoleAssignmentRequired: false
    clientId: string
    description: string
    featureTags:
        - customSingleSignOn: false
          enterprise: false
          gallery: false
          hide: false
    loginUrl: string
    notes: string
    notificationEmailAddresses:
        - string
    owners:
        - string
    preferredSingleSignOnMode: string
    samlSingleSignOn:
        relayState: string
    tags:
        - string
    useExisting: false

ServicePrincipal Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ServicePrincipal resource accepts the following input properties:

ClientId string: The client ID of the application for which to create a service principal.
AccountEnabled bool: Whether or not the service principal account is enabled. Defaults to true.
AlternativeNames List<string>: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
AppRoleAssignmentRequired bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
Description string: A description of the service principal provided for internal end-users.
FeatureTags List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureTag>: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
Features List<Pulumi.AzureAD.Inputs.ServicePrincipalFeature>: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
LoginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
Notes string: A free text field to capture information about the service principal, typically used for operational purposes.
NotificationEmailAddresses List<string>: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
Owners List<string>: A list of object IDs of principals that will be granted ownership of the service principal
PreferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
SamlSingleSignOn Pulumi.AzureAD.Inputs.ServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
Tags List<string>: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
UseExisting bool: When true, the resource will return an existing service principal instead of failing with an error

ClientId string: The client ID of the application for which to create a service principal.
AccountEnabled bool: Whether or not the service principal account is enabled. Defaults to true.
AlternativeNames []string: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
AppRoleAssignmentRequired bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
Description string: A description of the service principal provided for internal end-users.
FeatureTags []ServicePrincipalFeatureTagArgs: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
Features []ServicePrincipalFeatureArgs: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
LoginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
Notes string: A free text field to capture information about the service principal, typically used for operational purposes.
NotificationEmailAddresses []string: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
Owners []string: A list of object IDs of principals that will be granted ownership of the service principal
PreferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
SamlSingleSignOn ServicePrincipalSamlSingleSignOnArgs: A saml_single_sign_on block as documented below.
Tags []string: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
UseExisting bool: When true, the resource will return an existing service principal instead of failing with an error

clientId String: The client ID of the application for which to create a service principal.
accountEnabled Boolean: Whether or not the service principal account is enabled. Defaults to true.
alternativeNames List<String>: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired Boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
description String: A description of the service principal provided for internal end-users.
featureTags List<ServicePrincipalFeatureTag>: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features List<ServicePrincipalFeature>: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
loginUrl String: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
notes String: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses List<String>: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
owners List<String>: A list of object IDs of principals that will be granted ownership of the service principal
preferredSingleSignOnMode String: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
samlSingleSignOn ServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
tags List<String>: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
useExisting Boolean: When true, the resource will return an existing service principal instead of failing with an error

clientId string: The client ID of the application for which to create a service principal.
accountEnabled boolean: Whether or not the service principal account is enabled. Defaults to true.
alternativeNames string[]: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
description string: A description of the service principal provided for internal end-users.
featureTags ServicePrincipalFeatureTag[]: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features ServicePrincipalFeature[]: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
loginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
notes string: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses string[]: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
owners string[]: A list of object IDs of principals that will be granted ownership of the service principal
preferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
samlSingleSignOn ServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
tags string[]: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
useExisting boolean: When true, the resource will return an existing service principal instead of failing with an error

client_id str: The client ID of the application for which to create a service principal.
account_enabled bool: Whether or not the service principal account is enabled. Defaults to true.
alternative_names Sequence[str]: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
app_role_assignment_required bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
description str: A description of the service principal provided for internal end-users.
feature_tags Sequence[ServicePrincipalFeatureTagArgs]: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features Sequence[ServicePrincipalFeatureArgs]: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
login_url str: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
notes str: A free text field to capture information about the service principal, typically used for operational purposes.
notification_email_addresses Sequence[str]: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
owners Sequence[str]: A list of object IDs of principals that will be granted ownership of the service principal
preferred_single_sign_on_mode str: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
saml_single_sign_on ServicePrincipalSamlSingleSignOnArgs: A saml_single_sign_on block as documented below.
tags Sequence[str]: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
use_existing bool: When true, the resource will return an existing service principal instead of failing with an error

clientId String: The client ID of the application for which to create a service principal.
accountEnabled Boolean: Whether or not the service principal account is enabled. Defaults to true.
alternativeNames List<String>: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired Boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
description String: A description of the service principal provided for internal end-users.
featureTags List<Property Map>: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features List<Property Map>: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
loginUrl String: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
notes String: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses List<String>: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
owners List<String>: A list of object IDs of principals that will be granted ownership of the service principal
preferredSingleSignOnMode String: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
samlSingleSignOn Property Map: A saml_single_sign_on block as documented below.
tags List<String>: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
useExisting Boolean: When true, the resource will return an existing service principal instead of failing with an error

Outputs

All input properties are implicitly available as output properties. Additionally, the ServicePrincipal resource produces the following output properties:

AppRoleIds Dictionary<string, string>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
AppRoles List<Pulumi.AzureAD.Outputs.ServicePrincipalAppRole>: A list of app roles published by the associated application, as documented below. For more information official documentation.
ApplicationTenantId string: The tenant ID where the associated application is registered.
DisplayName string: Display name for the app role that appears during app role assignment and in consent experiences.
HomepageUrl string: Home page or landing page of the associated application.
Id string: The provider-assigned unique ID for this managed resource.
LogoutUrl string: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
Oauth2PermissionScopeIds Dictionary<string, string>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
Oauth2PermissionScopes List<Pulumi.AzureAD.Outputs.ServicePrincipalOauth2PermissionScope>: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
ObjectId string: The object ID of the service principal.
RedirectUris List<string>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
SamlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
ServicePrincipalNames List<string>: A list of identifier URI(s), copied over from the associated application.
SignInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

AppRoleIds map[string]string: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
AppRoles []ServicePrincipalAppRole: A list of app roles published by the associated application, as documented below. For more information official documentation.
ApplicationTenantId string: The tenant ID where the associated application is registered.
DisplayName string: Display name for the app role that appears during app role assignment and in consent experiences.
HomepageUrl string: Home page or landing page of the associated application.
Id string: The provider-assigned unique ID for this managed resource.
LogoutUrl string: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
Oauth2PermissionScopeIds map[string]string: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
Oauth2PermissionScopes []ServicePrincipalOauth2PermissionScope: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
ObjectId string: The object ID of the service principal.
RedirectUris []string: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
SamlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
ServicePrincipalNames []string: A list of identifier URI(s), copied over from the associated application.
SignInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

appRoleIds Map<String,String>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles List<ServicePrincipalAppRole>: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId String: The tenant ID where the associated application is registered.
displayName String: Display name for the app role that appears during app role assignment and in consent experiences.
homepageUrl String: Home page or landing page of the associated application.
id String: The provider-assigned unique ID for this managed resource.
logoutUrl String: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
oauth2PermissionScopeIds Map<String,String>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes List<ServicePrincipalOauth2PermissionScope>: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
objectId String: The object ID of the service principal.
redirectUris List<String>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl String: The URL where the service exposes SAML metadata for federation.
servicePrincipalNames List<String>: A list of identifier URI(s), copied over from the associated application.
signInAudience String: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

appRoleIds {[key: string]: string}: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles ServicePrincipalAppRole[]: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId string: The tenant ID where the associated application is registered.
displayName string: Display name for the app role that appears during app role assignment and in consent experiences.
homepageUrl string: Home page or landing page of the associated application.
id string: The provider-assigned unique ID for this managed resource.
logoutUrl string: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
oauth2PermissionScopeIds {[key: string]: string}: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes ServicePrincipalOauth2PermissionScope[]: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
objectId string: The object ID of the service principal.
redirectUris string[]: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
servicePrincipalNames string[]: A list of identifier URI(s), copied over from the associated application.
signInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

app_role_ids Mapping[str, str]: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
app_roles Sequence[ServicePrincipalAppRole]: A list of app roles published by the associated application, as documented below. For more information official documentation.
application_tenant_id str: The tenant ID where the associated application is registered.
display_name str: Display name for the app role that appears during app role assignment and in consent experiences.
homepage_url str: Home page or landing page of the associated application.
id str: The provider-assigned unique ID for this managed resource.
logout_url str: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
oauth2_permission_scope_ids Mapping[str, str]: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2_permission_scopes Sequence[ServicePrincipalOauth2PermissionScope]: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
object_id str: The object ID of the service principal.
redirect_uris Sequence[str]: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
saml_metadata_url str: The URL where the service exposes SAML metadata for federation.
service_principal_names Sequence[str]: A list of identifier URI(s), copied over from the associated application.
sign_in_audience str: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
type str: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

appRoleIds Map<String>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles List<Property Map>: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId String: The tenant ID where the associated application is registered.
displayName String: Display name for the app role that appears during app role assignment and in consent experiences.
homepageUrl String: Home page or landing page of the associated application.
id String: The provider-assigned unique ID for this managed resource.
logoutUrl String: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
oauth2PermissionScopeIds Map<String>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes List<Property Map>: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
objectId String: The object ID of the service principal.
redirectUris List<String>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl String: The URL where the service exposes SAML metadata for federation.
servicePrincipalNames List<String>: A list of identifier URI(s), copied over from the associated application.
signInAudience String: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

Look up Existing ServicePrincipal Resource

Get an existing ServicePrincipal resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

TypeScript
Python
Go
C#
Java
YAML

public static get(name: string, id: Input<ID>, state?: ServicePrincipalState, opts?: CustomResourceOptions): ServicePrincipal

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        account_enabled: Optional[bool] = None,
        alternative_names: Optional[Sequence[str]] = None,
        app_role_assignment_required: Optional[bool] = None,
        app_role_ids: Optional[Mapping[str, str]] = None,
        app_roles: Optional[Sequence[ServicePrincipalAppRoleArgs]] = None,
        application_tenant_id: Optional[str] = None,
        client_id: Optional[str] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        feature_tags: Optional[Sequence[ServicePrincipalFeatureTagArgs]] = None,
        features: Optional[Sequence[ServicePrincipalFeatureArgs]] = None,
        homepage_url: Optional[str] = None,
        login_url: Optional[str] = None,
        logout_url: Optional[str] = None,
        notes: Optional[str] = None,
        notification_email_addresses: Optional[Sequence[str]] = None,
        oauth2_permission_scope_ids: Optional[Mapping[str, str]] = None,
        oauth2_permission_scopes: Optional[Sequence[ServicePrincipalOauth2PermissionScopeArgs]] = None,
        object_id: Optional[str] = None,
        owners: Optional[Sequence[str]] = None,
        preferred_single_sign_on_mode: Optional[str] = None,
        redirect_uris: Optional[Sequence[str]] = None,
        saml_metadata_url: Optional[str] = None,
        saml_single_sign_on: Optional[ServicePrincipalSamlSingleSignOnArgs] = None,
        service_principal_names: Optional[Sequence[str]] = None,
        sign_in_audience: Optional[str] = None,
        tags: Optional[Sequence[str]] = None,
        type: Optional[str] = None,
        use_existing: Optional[bool] = None) -> ServicePrincipal

func GetServicePrincipal(ctx *Context, name string, id IDInput, state *ServicePrincipalState, opts ...ResourceOption) (*ServicePrincipal, error)

public static ServicePrincipal Get(string name, Input<string> id, ServicePrincipalState? state, CustomResourceOptions? opts = null)

public static ServicePrincipal get(String name, Output<String> id, ServicePrincipalState state, CustomResourceOptions options)

resources:  _:    type: azuread:ServicePrincipal    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AccountEnabled bool: Whether or not the service principal account is enabled. Defaults to true.
AlternativeNames List<string>: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
AppRoleAssignmentRequired bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
AppRoleIds Dictionary<string, string>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
AppRoles List<Pulumi.AzureAD.Inputs.ServicePrincipalAppRole>: A list of app roles published by the associated application, as documented below. For more information official documentation.
ApplicationTenantId string: The tenant ID where the associated application is registered.
ClientId string: The client ID of the application for which to create a service principal.
Description string: A description of the service principal provided for internal end-users.
DisplayName string: Display name for the app role that appears during app role assignment and in consent experiences.
FeatureTags List<Pulumi.AzureAD.Inputs.ServicePrincipalFeatureTag>: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
Features List<Pulumi.AzureAD.Inputs.ServicePrincipalFeature>: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
HomepageUrl string: Home page or landing page of the associated application.
LoginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
LogoutUrl string: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
Notes string: A free text field to capture information about the service principal, typically used for operational purposes.
NotificationEmailAddresses List<string>: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
Oauth2PermissionScopeIds Dictionary<string, string>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
Oauth2PermissionScopes List<Pulumi.AzureAD.Inputs.ServicePrincipalOauth2PermissionScope>: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
ObjectId string: The object ID of the service principal.
Owners List<string>: A list of object IDs of principals that will be granted ownership of the service principal
PreferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
RedirectUris List<string>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
SamlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
SamlSingleSignOn Pulumi.AzureAD.Inputs.ServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
ServicePrincipalNames List<string>: A list of identifier URI(s), copied over from the associated application.
SignInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Tags List<string>: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
UseExisting bool: When true, the resource will return an existing service principal instead of failing with an error

AccountEnabled bool: Whether or not the service principal account is enabled. Defaults to true.
AlternativeNames []string: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
AppRoleAssignmentRequired bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
AppRoleIds map[string]string: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
AppRoles []ServicePrincipalAppRoleArgs: A list of app roles published by the associated application, as documented below. For more information official documentation.
ApplicationTenantId string: The tenant ID where the associated application is registered.
ClientId string: The client ID of the application for which to create a service principal.
Description string: A description of the service principal provided for internal end-users.
DisplayName string: Display name for the app role that appears during app role assignment and in consent experiences.
FeatureTags []ServicePrincipalFeatureTagArgs: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
Features []ServicePrincipalFeatureArgs: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
HomepageUrl string: Home page or landing page of the associated application.
LoginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
LogoutUrl string: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
Notes string: A free text field to capture information about the service principal, typically used for operational purposes.
NotificationEmailAddresses []string: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
Oauth2PermissionScopeIds map[string]string: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
Oauth2PermissionScopes []ServicePrincipalOauth2PermissionScopeArgs: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
ObjectId string: The object ID of the service principal.
Owners []string: A list of object IDs of principals that will be granted ownership of the service principal
PreferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
RedirectUris []string: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
SamlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
SamlSingleSignOn ServicePrincipalSamlSingleSignOnArgs: A saml_single_sign_on block as documented below.
ServicePrincipalNames []string: A list of identifier URI(s), copied over from the associated application.
SignInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Tags []string: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
UseExisting bool: When true, the resource will return an existing service principal instead of failing with an error

accountEnabled Boolean: Whether or not the service principal account is enabled. Defaults to true.
alternativeNames List<String>: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired Boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
appRoleIds Map<String,String>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles List<ServicePrincipalAppRole>: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId String: The tenant ID where the associated application is registered.
clientId String: The client ID of the application for which to create a service principal.
description String: A description of the service principal provided for internal end-users.
displayName String: Display name for the app role that appears during app role assignment and in consent experiences.
featureTags List<ServicePrincipalFeatureTag>: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features List<ServicePrincipalFeature>: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepageUrl String: Home page or landing page of the associated application.
loginUrl String: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
logoutUrl String: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes String: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses List<String>: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2PermissionScopeIds Map<String,String>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes List<ServicePrincipalOauth2PermissionScope>: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
objectId String: The object ID of the service principal.
owners List<String>: A list of object IDs of principals that will be granted ownership of the service principal
preferredSingleSignOnMode String: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
redirectUris List<String>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl String: The URL where the service exposes SAML metadata for federation.
samlSingleSignOn ServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
servicePrincipalNames List<String>: A list of identifier URI(s), copied over from the associated application.
signInAudience String: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags List<String>: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
useExisting Boolean: When true, the resource will return an existing service principal instead of failing with an error

accountEnabled boolean: Whether or not the service principal account is enabled. Defaults to true.
alternativeNames string[]: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
appRoleIds {[key: string]: string}: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles ServicePrincipalAppRole[]: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId string: The tenant ID where the associated application is registered.
clientId string: The client ID of the application for which to create a service principal.
description string: A description of the service principal provided for internal end-users.
displayName string: Display name for the app role that appears during app role assignment and in consent experiences.
featureTags ServicePrincipalFeatureTag[]: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features ServicePrincipalFeature[]: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepageUrl string: Home page or landing page of the associated application.
loginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
logoutUrl string: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes string: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses string[]: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2PermissionScopeIds {[key: string]: string}: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes ServicePrincipalOauth2PermissionScope[]: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
objectId string: The object ID of the service principal.
owners string[]: A list of object IDs of principals that will be granted ownership of the service principal
preferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
redirectUris string[]: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
samlSingleSignOn ServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
servicePrincipalNames string[]: A list of identifier URI(s), copied over from the associated application.
signInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags string[]: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
useExisting boolean: When true, the resource will return an existing service principal instead of failing with an error

account_enabled bool: Whether or not the service principal account is enabled. Defaults to true.
alternative_names Sequence[str]: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
app_role_assignment_required bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
app_role_ids Mapping[str, str]: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
app_roles Sequence[ServicePrincipalAppRoleArgs]: A list of app roles published by the associated application, as documented below. For more information official documentation.
application_tenant_id str: The tenant ID where the associated application is registered.
client_id str: The client ID of the application for which to create a service principal.
description str: A description of the service principal provided for internal end-users.
display_name str: Display name for the app role that appears during app role assignment and in consent experiences.
feature_tags Sequence[ServicePrincipalFeatureTagArgs]: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features Sequence[ServicePrincipalFeatureArgs]: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepage_url str: Home page or landing page of the associated application.
login_url str: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
logout_url str: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes str: A free text field to capture information about the service principal, typically used for operational purposes.
notification_email_addresses Sequence[str]: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2_permission_scope_ids Mapping[str, str]: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2_permission_scopes Sequence[ServicePrincipalOauth2PermissionScopeArgs]: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
object_id str: The object ID of the service principal.
owners Sequence[str]: A list of object IDs of principals that will be granted ownership of the service principal
preferred_single_sign_on_mode str: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
redirect_uris Sequence[str]: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
saml_metadata_url str: The URL where the service exposes SAML metadata for federation.
saml_single_sign_on ServicePrincipalSamlSingleSignOnArgs: A saml_single_sign_on block as documented below.
service_principal_names Sequence[str]: A list of identifier URI(s), copied over from the associated application.
sign_in_audience str: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags Sequence[str]: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
type str: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
use_existing bool: When true, the resource will return an existing service principal instead of failing with an error

accountEnabled Boolean: Whether or not the service principal account is enabled. Defaults to true.
alternativeNames List<String>: A set of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired Boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application. Defaults to false.
appRoleIds Map<String>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles List<Property Map>: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId String: The tenant ID where the associated application is registered.
clientId String: The client ID of the application for which to create a service principal.
description String: A description of the service principal provided for internal end-users.
displayName String: Display name for the app role that appears during app role assignment and in consent experiences.
featureTags List<Property Map>: A feature_tags block as described below. Cannot be used together with the tags property.
Features and Tags Features are configured for a service principal using tags, and are provided as a shortcut to set the corresponding magic tag value for each feature. You cannot configure feature_tags and tags for a service principal at the same time, so if you need to assign additional custom tags it's recommended to use the tags property instead. Any tags configured for the linked application will propagate to this service principal.
features List<Property Map>: Block of features to configure for this service principal using tags
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepageUrl String: Home page or landing page of the associated application.
loginUrl String: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on.
logoutUrl String: The URL that will be used by Microsoft's authorization service to log out an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes String: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses List<String>: A set of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2PermissionScopeIds Map<String>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes List<Property Map>: A list of OAuth 2.0 delegated permission scopes exposed by the associated application, as documented below.
objectId String: The object ID of the service principal.
owners List<String>: A list of object IDs of principals that will be granted ownership of the service principal
preferredSingleSignOnMode String: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. Supported values are oidc, password, saml or notSupported. Omit this property or specify a blank string to unset.
redirectUris List<String>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl String: The URL where the service exposes SAML metadata for federation.
samlSingleSignOn Property Map: A saml_single_sign_on block as documented below.
servicePrincipalNames List<String>: A list of identifier URI(s), copied over from the associated application.
signInAudience String: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags List<String>: A set of tags to apply to the service principal for configuring specific behaviours of the service principal. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block.
Tags and Features Azure Active Directory uses special tag values to configure the behavior of service principals. These can be specified using either the tags property or with the feature_tags block. If you need to set any custom tag values not supported by the feature_tags block, it's recommended to use the tags property. Tag values set for the linked application will also propagate to this service principal.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
useExisting Boolean: When true, the resource will return an existing service principal instead of failing with an error

Supporting Types

ServicePrincipalAppRole
, ServicePrincipalAppRoleArgs

AllowedMemberTypes List<string>: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
Description string: A description of the service principal provided for internal end-users.
DisplayName string: Display name for the app role that appears during app role assignment and in consent experiences.
Enabled bool: Specifies whether the permission scope is enabled.
Id string: The unique identifier of the delegated permission.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

AllowedMemberTypes []string: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
Description string: A description of the service principal provided for internal end-users.
DisplayName string: Display name for the app role that appears during app role assignment and in consent experiences.
Enabled bool: Specifies whether the permission scope is enabled.
Id string: The unique identifier of the delegated permission.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes List<String>: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
description String: A description of the service principal provided for internal end-users.
displayName String: Display name for the app role that appears during app role assignment and in consent experiences.
enabled Boolean: Specifies whether the permission scope is enabled.
id String: The unique identifier of the delegated permission.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes string[]: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
description string: A description of the service principal provided for internal end-users.
displayName string: Display name for the app role that appears during app role assignment and in consent experiences.
enabled boolean: Specifies whether the permission scope is enabled.
id string: The unique identifier of the delegated permission.
value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowed_member_types Sequence[str]: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
description str: A description of the service principal provided for internal end-users.
display_name str: Display name for the app role that appears during app role assignment and in consent experiences.
enabled bool: Specifies whether the permission scope is enabled.
id str: The unique identifier of the delegated permission.
value str: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes List<String>: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in a standalone scenario). Possible values are: User and Application, or both.
description String: A description of the service principal provided for internal end-users.
displayName String: Display name for the app role that appears during app role assignment and in consent experiences.
enabled Boolean: Specifies whether the permission scope is enabled.
id String: The unique identifier of the delegated permission.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

ServicePrincipalFeature
, ServicePrincipalFeatureArgs

CustomSingleSignOnApp bool: Whether this service principal represents a custom SAML application
EnterpriseApplication bool: Whether this service principal represents an Enterprise Application
GalleryApplication bool: Whether this service principal represents a gallery application
VisibleToUsers bool: Whether this app is visible to users in My Apps and Office 365 Launcher

CustomSingleSignOnApp bool: Whether this service principal represents a custom SAML application
EnterpriseApplication bool: Whether this service principal represents an Enterprise Application
GalleryApplication bool: Whether this service principal represents a gallery application
VisibleToUsers bool: Whether this app is visible to users in My Apps and Office 365 Launcher

customSingleSignOnApp Boolean: Whether this service principal represents a custom SAML application
enterpriseApplication Boolean: Whether this service principal represents an Enterprise Application
galleryApplication Boolean: Whether this service principal represents a gallery application
visibleToUsers Boolean: Whether this app is visible to users in My Apps and Office 365 Launcher

customSingleSignOnApp boolean: Whether this service principal represents a custom SAML application
enterpriseApplication boolean: Whether this service principal represents an Enterprise Application
galleryApplication boolean: Whether this service principal represents a gallery application
visibleToUsers boolean: Whether this app is visible to users in My Apps and Office 365 Launcher

custom_single_sign_on_app bool: Whether this service principal represents a custom SAML application
enterprise_application bool: Whether this service principal represents an Enterprise Application
gallery_application bool: Whether this service principal represents a gallery application
visible_to_users bool: Whether this app is visible to users in My Apps and Office 365 Launcher

customSingleSignOnApp Boolean: Whether this service principal represents a custom SAML application
enterpriseApplication Boolean: Whether this service principal represents an Enterprise Application
galleryApplication Boolean: Whether this service principal represents a gallery application
visibleToUsers Boolean: Whether this app is visible to users in My Apps and Office 365 Launcher

ServicePrincipalFeatureTag
, ServicePrincipalFeatureTagArgs

CustomSingleSignOn bool: Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
Enterprise bool: Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
Gallery bool: Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
Hide bool: Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

CustomSingleSignOn bool: Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
Enterprise bool: Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
Gallery bool: Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
Hide bool: Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

customSingleSignOn Boolean: Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
enterprise Boolean: Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
gallery Boolean: Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
hide Boolean: Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

customSingleSignOn boolean: Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
enterprise boolean: Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
gallery boolean: Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
hide boolean: Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

custom_single_sign_on bool: Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
enterprise bool: Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
gallery bool: Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
hide bool: Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

customSingleSignOn Boolean: Whether this service principal represents a custom SAML application. Enabling this will assign the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag. Defaults to false.
enterprise Boolean: Whether this service principal represents an Enterprise Application. Enabling this will assign the WindowsAzureActiveDirectoryIntegratedApp tag. Defaults to false.
gallery Boolean: Whether this service principal represents a gallery application. Enabling this will assign the WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1 tag. Defaults to false.
hide Boolean: Whether this app is invisible to users in My Apps and Office 365 Launcher. Enabling this will assign the HideApp tag. Defaults to false.

ServicePrincipalOauth2PermissionScope
, ServicePrincipalOauth2PermissionScopeArgs

AdminConsentDescription string: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
AdminConsentDisplayName string: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
Enabled bool: Specifies whether the permission scope is enabled.
Id string: The unique identifier of the delegated permission.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
UserConsentDescription string: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
UserConsentDisplayName string: Display name for the delegated permission that appears in the end user consent experience.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

AdminConsentDescription string: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
AdminConsentDisplayName string: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
Enabled bool: Specifies whether the permission scope is enabled.
Id string: The unique identifier of the delegated permission.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
UserConsentDescription string: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
UserConsentDisplayName string: Display name for the delegated permission that appears in the end user consent experience.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription String: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
adminConsentDisplayName String: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled Boolean: Specifies whether the permission scope is enabled.
id String: The unique identifier of the delegated permission.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
userConsentDescription String: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
userConsentDisplayName String: Display name for the delegated permission that appears in the end user consent experience.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription string: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
adminConsentDisplayName string: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled boolean: Specifies whether the permission scope is enabled.
id string: The unique identifier of the delegated permission.
type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
userConsentDescription string: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
userConsentDisplayName string: Display name for the delegated permission that appears in the end user consent experience.
value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

admin_consent_description str: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
admin_consent_display_name str: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled bool: Specifies whether the permission scope is enabled.
id str: The unique identifier of the delegated permission.
type str: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
user_consent_description str: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
user_consent_display_name str: Display name for the delegated permission that appears in the end user consent experience.
value str: The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription String: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
adminConsentDisplayName String: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled Boolean: Specifies whether the permission scope is enabled.
id String: The unique identifier of the delegated permission.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
userConsentDescription String: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
userConsentDisplayName String: Display name for the delegated permission that appears in the end user consent experience.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

ServicePrincipalSamlSingleSignOn
, ServicePrincipalSamlSingleSignOnArgs

RelayState string: The relative URI the service provider would redirect to after completion of the single sign-on flow.

RelayState string: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState String: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState string: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relay_state str: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState String: The relative URI the service provider would redirect to after completion of the single sign-on flow.

Import

Service principals can be imported using their object ID, e.g.

$ pulumi import azuread:index/servicePrincipal:ServicePrincipal example /servicePrincipals/00000000-0000-0000-0000-000000000000

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License: Apache-2.0
Notes: This Pulumi package is based on the azuread Terraform Provider.

Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi

pulumi/pulumi-azuread

azuread.ServicePrincipal

On this page

On this page

Example Usage

Create ServicePrincipal Resource

Constructor syntax

Parameters

Constructor example

ServicePrincipal Resource Properties

Inputs

Outputs

Look up Existing ServicePrincipal Resource

Supporting Types

ServicePrincipalAppRole
, ServicePrincipalAppRoleArgs

ServicePrincipalFeature
, ServicePrincipalFeatureArgs

ServicePrincipalFeatureTag
, ServicePrincipalFeatureTagArgs

ServicePrincipalOauth2PermissionScope
, ServicePrincipalOauth2PermissionScopeArgs

ServicePrincipalSamlSingleSignOn
, ServicePrincipalSamlSingleSignOnArgs

Import

Package Details

On this page

On this page

azuread.ServicePrincipal

On this page

On this page

Example Usage

Create ServicePrincipal Resource

Constructor syntax

Parameters

Constructor example

ServicePrincipal Resource Properties

Inputs

Outputs

Look up Existing ServicePrincipal Resource

Supporting Types

ServicePrincipalAppRole, ServicePrincipalAppRoleArgs

ServicePrincipalFeature, ServicePrincipalFeatureArgs

ServicePrincipalFeatureTag, ServicePrincipalFeatureTagArgs

ServicePrincipalOauth2PermissionScope, ServicePrincipalOauth2PermissionScopeArgs

ServicePrincipalSamlSingleSignOn, ServicePrincipalSamlSingleSignOnArgs

Import

Package Details

On this page

On this page

ServicePrincipalAppRole
, ServicePrincipalAppRoleArgs

ServicePrincipalFeature
, ServicePrincipalFeatureArgs

ServicePrincipalFeatureTag
, ServicePrincipalFeatureTagArgs

ServicePrincipalOauth2PermissionScope
, ServicePrincipalOauth2PermissionScopeArgs

ServicePrincipalSamlSingleSignOn
, ServicePrincipalSamlSingleSignOnArgs