### Install Pulumi Azure AD Provider Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Install the provider SDK for your preferred language. This is the first step to using the Azure AD provider in your Pulumi project. ```bash # Node.js / TypeScript npm install @pulumi/azuread # Python pip install pulumi-azuread # Go go get github.com/pulumi/pulumi-azuread/sdk/v6 # .NET dotnet add package Pulumi.Azuread ``` -------------------------------- ### Configure Azure AD Provider (Go) Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Provider configuration in Go is read automatically from stack config or environment variables. Use pulumi.Run to bootstrap the context. ```go // Go: provider config is read from stack config or environment automatically. // Use pulumi.Run to bootstrap the context. package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { // GetClientConfig retrieves the authenticated principal's IDs. cfg, err := azuread.GetClientConfig(ctx) if err != nil { return err } ctx.Export("tenantId", pulumi.String(cfg.TenantId)) ctx.Export("clientId", pulumi.String(cfg.ClientId)) ctx.Export("objectId", pulumi.String(cfg.ObjectId)) return nil }) } ``` -------------------------------- ### Create Azure AD Invitation - Go Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an Azure AD guest user invitation, sending an invite email to an external address and creating a guest user object in the tenant. Requires `User.Invite.All`, `User.ReadWrite.All`, or `Directory.ReadWrite.All` permissions. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { inv, err := azuread.NewInvitation(ctx, "example", &azuread.InvitationArgs{ UserDisplayName: pulumi.String("Bob Bobson"), UserEmailAddress: pulumi.String("bbobson@example.com"), RedirectUrl: pulumi.String("https://portal.azure.com"), Message: &azuread.InvitationMessageArgs{ Body: pulumi.String("Hello! You have been invited to our Azure AD tenant."), Language: pulumi.String("en-US"), AdditionalRecipients: pulumi.StringArray{ pulumi.String("admin@example.com"), }, }, }) if err != nil { return err } ctx.Export("guestUserId", inv.UserId) ctx.Export("inviteRedeemUrl", inv.RedeemUrl) return nil }) } ``` -------------------------------- ### GetClientConfig Data Source (Go) Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Retrieves the tenant ID, client ID, and object ID of the currently authenticated principal using the `GetClientConfig` data source in Go. This is commonly used as input for `owners` fields. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { current, err := azuread.GetClientConfig(ctx) if err != nil { return err } // current.TenantId – "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // current.ClientId – "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // current.ObjectId – "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ctx.Export("currentPrincipalObjectId", pulumi.String(current.ObjectId)) return nil }) } ``` -------------------------------- ### Configure Azure AD Provider (TypeScript) Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Configure the AzureAD provider with authentication credentials in TypeScript. Values can be set via Pulumi config or environment variables. ```typescript import * as pulumi from "@pulumi/pulumi"; // pulumi config set azuread:clientId // pulumi config set azuread:tenantId // pulumi config set --secret azuread:clientSecret // Or set via environment variables: // export ARM_CLIENT_ID=... // export ARM_TENANT_ID=... // export ARM_CLIENT_SECRET=... // export ARM_ENVIRONMENT=public # public | usgovernment | german | china // export ARM_USE_MSI=true # use managed identity ``` -------------------------------- ### Create Full Application Registration Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Use this to manage a complete application registration including app roles, OAuth 2.0 scopes, and redirect URIs. Requires specific API permissions. ```typescript import * as azuread from "@pulumi/azuread"; const current = await azuread.getClientConfig(); const app = new azuread.Application("my-app", { displayName: "my-app", identifierUris: ["api://my-app"], signInAudience: "AzureADMyOrg", owners: [current.objectId], api: { mappedClaimsEnabled: true, requestedAccessTokenVersion: 2, oauth2PermissionScopes: [{ id: "96183846-204b-4b43-82e1-5d2222eb4b9b", adminConsentDisplayName: "Access my-app", adminConsentDescription: "Allow the app to access my-app on behalf of the signed-in user.", userConsentDisplayName: "Access my-app", userConsentDescription: "Allow the app to access my-app on your behalf.", value: "user_impersonation", type: "User", enabled: true, }], }, appRoles: [{ id: "1b19509b-32b1-4e9f-b71d-4992aa991967", allowedMemberTypes: ["User", "Application"], displayName: "Admin", description: "Admins can manage roles and perform all task actions", value: "admin", enabled: true, }], web: { redirectUris: ["https://myapp.example.com/callback"], implicitGrant: { accessTokenIssuanceEnabled: false, idTokenIssuanceEnabled: true }, }, }); export const appClientId = app.clientId; export const appObjectId = app.id; ``` -------------------------------- ### Create Application Password with Rotation Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a client secret for an application registration. Supports automatic rotation using the `pulumi-time` provider. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" "github.com/pulumiverse/pulumi-time/sdk/go/time" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { app, err := azuread.NewApplicationRegistration(ctx, "example", &azuread.ApplicationRegistrationArgs{ DisplayName: pulumi.String("example"), }) if err != nil { return err } // Rotate the secret every 7 days rotating, err := time.NewRotating(ctx, "example", &time.RotatingArgs{ RotationDays: pulumi.Int(7), }) if err != nil { return err } secret, err := azuread.NewApplicationPassword(ctx, "example", &azuread.ApplicationPasswordArgs{ ApplicationId: app.ID(), RotateWhenChanged: pulumi.StringMap{ "rotation": rotating.ID(), }, }) if err != nil { return err } ctx.Export("clientSecret", pulumi.ToSecret(secret.Value)) return nil }) } ``` -------------------------------- ### Create Azure AD SCIM Synchronization Job Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Creates a SCIM synchronization job for a service principal, enabling automated user provisioning. Requires Application.ReadWrite.All or Directory.Read.All permissions. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { // Look up the gallery app template tmpl, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{ DisplayName: pulumi.StringRef("Azure Databricks SCIM Provisioning Connector"), }, nil) if err != nil { return err } // Create app from template appFromTmpl, err := azuread.NewApplicationFromTemplate(ctx, "databricks", &azuread.ApplicationFromTemplateArgs{ DisplayName: pulumi.String("databricks-provisioning"), TemplateId: pulumi.String(tmpl.TemplateId), }) if err != nil { return err } spOutput := azuread.GetServicePrincipalOutput(ctx, azuread.GetServicePrincipalOutputArgs{ ObjectId: appFromTmpl.ServicePrincipalObjectId, }, nil) spId := spOutput.ApplyT(func(sp azuread.GetServicePrincipalResult) string { return sp.Id }).(pulumi.StringOutput) // Store SCIM endpoint credentials _, err = azuread.NewSynchronizationSecret(ctx, "databricks", &azuread.SynchronizationSecretArgs{ ServicePrincipalId: spId, Credentials: azuread.SynchronizationSecretCredentialArray{ &azuread.SynchronizationSecretCredentialArgs{ Key: pulumi.String("BaseAddress"), Value: pulumi.String("https://adb-example.azuredatabricks.net/api/2.0/preview/scim"), }, &azuread.SynchronizationSecretCredentialArgs{ Key: pulumi.String("SecretToken"), Value: pulumi.String("my-databricks-token"), }, }, }) if err != nil { return err } // Start the synchronization job _, err = azuread.NewSynchronizationJob(ctx, "databricks", &azuread.SynchronizationJobArgs{ ServicePrincipalId: spId, TemplateId: pulumi.String("dataBricks"), Enabled: pulumi.Bool(true), }) return err }) } ``` -------------------------------- ### Invitation Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an Azure AD guest user invitation, sending an invite email to an external address and creating a guest user object in the tenant. Requires `User.Invite.All`, `User.ReadWrite.All`, or `Directory.ReadWrite.All`. ```APIDOC ## Invitation — resource Manages an Azure AD guest user invitation, sending an invite email to an external address and creating a guest user object in the tenant. Requires `User.Invite.All`, `User.ReadWrite.All`, or `Directory.ReadWrite.All`. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { inv, err := azuread.NewInvitation(ctx, "example", &azuread.InvitationArgs{ UserDisplayName: pulumi.String("Bob Bobson"), UserEmailAddress: pulumi.String("bbobson@example.com"), RedirectUrl: pulumi.String("https://portal.azure.com"), Message: &azuread.InvitationMessageArgs{ Body: pulumi.String("Hello! You have been invited to our Azure AD tenant."), Language: pulumi.String("en-US"), AdditionalRecipients: pulumi.StringArray{ pulumi.String("admin@example.com"), }, }, }) if err != nil { return err } ctx.Export("guestUserId", inv.UserId) ctx.Export("inviteRedeemUrl", inv.RedeemUrl) return nil }) } ``` ``` -------------------------------- ### Create Administrative Unit and Add Member in AzureAD Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an Administrative Unit (AU) and adds a member to it. Requires AdministrativeUnit.ReadWrite.All or Directory.ReadWrite.All permissions. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { au, err := azuread.NewAdministrativeUnit(ctx, "example", &azuread.AdministrativeUnitArgs{ DisplayName: pulumi.String("EMEA-Division"), Description: pulumi.String("Administrative unit for EMEA division"), HiddenMembershipEnabled: pulumi.Bool(false), }) if err != nil { return err } // Add a member to the AU _, err = azuread.NewAdministrativeUnitMember(ctx, "example", &azuread.AdministrativeUnitMemberArgs{ AdministrativeUnitObjectId: au.ObjectId, MemberObjectId: pulumi.String("00000000-0000-0000-0000-000000000000"), }) return err }) } ``` -------------------------------- ### Create Access Package within Catalog in AzureAD Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an Identity Governance Access Package, bundling resources into a requestable unit. Must be placed inside an AccessPackageCatalog. Requires EntitlementManagement.ReadWrite.All permissions. ```typescript import * as azuread from "@pulumi/azuread"; const catalog = new azuread.AccessPackageCatalog("example", { displayName: "example-catalog", description: "Catalog for example access packages", published: true, }); const pkg = new azuread.AccessPackage("example", { catalogId: catalog.id, displayName: "Engineering Access", description: "Access to Engineering group and repositories", hidden: false, }); export const packageId = pkg.id; ``` -------------------------------- ### Create Service Principal Password - Go Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a password credential for a service principal. Supports automatic rotation with `rotateWhenChanged`. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { app, _ := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{ DisplayName: pulumi.String("example"), }) sp, _ := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{ ClientId: app.ClientId, }) pwd, err := azuread.NewServicePrincipalPassword(ctx, "example", &azuread.ServicePrincipalPasswordArgs{ ServicePrincipalId: sp.ID(), }) if err != nil { return err } ctx.Export("clientSecret", pulumi.ToSecret(pwd.Value)) return nil }) } ``` -------------------------------- ### Create User Account - TypeScript Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a user account in Azure Active Directory, including profile fields, password, and account status. Requires specific API permissions. ```typescript import * as azuread from "@pulumi/azuread"; const user = new azuread.User("jdoe", { userPrincipalName: "jdoe@example.com", displayName: "J. Doe", givenName: "John", surname: "Doe", mailNickname: "jdoe", password: "SecretP@sswd99!", forcePasswordChange: true, department: "Engineering", jobTitle: "Software Engineer", usageLocation: "US", accountEnabled: true, disablePasswordExpiration: false, }); export const userId = user.objectId; export const userMail = user.mail; ``` -------------------------------- ### Create Conditional Access Policy - Go Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a Conditional Access Policy that enforces access controls (MFA, compliant devices, etc.) based on conditions such as user/group membership, application, location, device state, risk levels, and client app type. Requires `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All` permissions. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { _, err := azuread.NewConditionalAccessPolicy(ctx, "require-mfa", &azuread.ConditionalAccessPolicyArgs{ DisplayName: pulumi.String("Require MFA for all users"), State: pulumi.String("enabled"), Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{ ClientAppTypes: pulumi.StringArray{pulumi.String("all")}, SignInRiskLevels: pulumi.StringArray{pulumi.String("medium"), pulumi.String("high")}, Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{ IncludedApplications: pulumi.StringArray{pulumi.String("All")}, ExcludedApplications: pulumi.StringArray{}, }, Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{ IncludedLocations: pulumi.StringArray{pulumi.String("All")}, ExcludedLocations: pulumi.StringArray{pulumi.String("AllTrusted")}, }, Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{ IncludedUsers: pulumi.StringArray{pulumi.String("All")}, ExcludedUsers: pulumi.StringArray{pulumi.String("GuestsOrExternalUsers")}, }, }, GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{ Operator: pulumi.String("OR"), BuiltInControls: pulumi.StringArray{pulumi.String("mfa")}, }, }) return err }) } ``` -------------------------------- ### Create Lightweight Application Registration Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Use this for managing only core application registration fields like display name and sign-in audience. It does not manage OAuth scopes or app roles. ```typescript import * as azuread from "@pulumi/azuread"; const reg = new azuread.ApplicationRegistration("example", { displayName: "Example Application", description: "My example application", signInAudience: "AzureADMyOrg", homepageUrl: "https://app.example.com/", logoutUrl: "https://app.example.com/logout", marketingUrl: "https://example.com/", privacyStatementUrl: "https://example.com/privacy", supportUrl: "https://support.example.com/", termsOfServiceUrl: "https://example.com/terms", }); export const clientId = reg.clientId; ``` -------------------------------- ### GetClientConfig Data Source Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Retrieves the tenant ID, client ID, and object ID of the currently authenticated principal. This is often used as input for owner fields in various resources. ```APIDOC ## GetClientConfig — data source Retrieves the tenant ID, client ID, and object ID of the currently authenticated principal; commonly used as input to `owners` fields across all resources. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { current, err := azuread.GetClientConfig(ctx) if err != nil { return err } // current.TenantId – "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // current.ClientId – "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // current.ObjectId – "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" ctx.Export("currentPrincipalObjectId", pulumi.String(current.ObjectId)) return nil }) } ``` ``` -------------------------------- ### AccessPackage Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an Identity Governance Access Package, which bundles resources into a requestable unit for entitlement management. ```APIDOC ## AccessPackage — resource Manages an Identity Governance Access Package, which bundles resources into a requestable unit for entitlement management. Must be placed inside an `AccessPackageCatalog`. Requires `EntitlementManagement.ReadWrite.All`. ```typescript import * as azuread from "@pulumi/azuread"; const catalog = new azuread.AccessPackageCatalog("example", { displayName: "example-catalog", description: "Catalog for example access packages", published: true, }); const pkg = new azuread.AccessPackage("example", { catalogId: catalog.id, displayName: "Engineering Access", description: "Access to Engineering group and repositories", hidden: false, }); export const packageId = pkg.id; ``` ``` -------------------------------- ### SynchronizationJob Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a SCIM synchronization job attached to a service principal. This enables automated provisioning of users and groups from Azure AD to a third-party application. Requires `Application.ReadWrite.All` or `Directory.ReadWrite.All` permissions. ```APIDOC ## SynchronizationJob — resource Manages a SCIM synchronization job attached to a service principal (enterprise application), enabling automated provisioning of users and groups from Azure AD to a third-party application such as Databricks or Salesforce. Requires `Application.ReadWrite.All` or `Directory.Read.All`. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { // Look up the gallery app template tmpl, err := azuread.GetApplicationTemplate(ctx, &azuread.GetApplicationTemplateArgs{ DisplayName: pulumi.StringRef("Azure Databricks SCIM Provisioning Connector"), }, nil) if err != nil { return err } // Create app from template appFromTmpl, err := azuread.NewApplicationFromTemplate(ctx, "databricks", &azuread.ApplicationFromTemplateArgs{ DisplayName: pulumi.String("databricks-provisioning"), TemplateId: pulumi.String(tmpl.TemplateId), }) if err != nil { return err } spOutput := azuread.GetServicePrincipalOutput(ctx, azuread.GetServicePrincipalOutputArgs{ ObjectId: appFromTmpl.ServicePrincipalObjectId, }, nil) spId := spOutput.ApplyT(func(sp azuread.GetServicePrincipalResult) string { return sp.Id }).(pulumi.StringOutput) // Store SCIM endpoint credentials _, err = azuread.NewSynchronizationSecret(ctx, "databricks", &azuread.SynchronizationSecretArgs{ ServicePrincipalId: spId, Credentials: azuread.SynchronizationSecretCredentialArray{ &azuread.SynchronizationSecretCredentialArgs{ Key: pulumi.String("BaseAddress"), Value: pulumi.String("https://adb-example.azuredatabricks.net/api/2.0/preview/scim"), }, &azuread.SynchronizationSecretCredentialArgs{ Key: pulumi.String("SecretToken"), Value: pulumi.String("my-databricks-token"), }, }, }) if err != nil { return err } // Start the synchronization job _, err = azuread.NewSynchronizationJob(ctx, "databricks", &azuread.SynchronizationJobArgs{ ServicePrincipalId: spId, TemplateId: pulumi.String("dataBricks"), Enabled: pulumi.Bool(true), }) return err }) } ``` ``` -------------------------------- ### Create Service Principal with Client Secret Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Creates a service principal for an application and generates a client secret for authentication. Requires specific API permissions. ```typescript import * as azuread from "@pulumi/azuread"; const current = await azuread.getClientConfig(); const app = new azuread.Application("example", { displayName: "example", owners: [current.objectId], }); const sp = new azuread.ServicePrincipal("example", { clientId: app.clientId, appRoleAssignmentRequired: false, owners: [current.objectId], }); // Add a client secret to the service principal const spSecret = new azuread.ServicePrincipalPassword("example", { servicePrincipalId: sp.id, }); export const spClientId = app.clientId; export const spClientSecret = spSecret.value; ``` -------------------------------- ### Add Group Member - Go Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a single group membership, associating a user, service principal, or another group with a group. Do not mix with the `members` property on the `Group` resource for the same group. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { user, err := azuread.LookupUser(ctx, &azuread.LookupUserArgs{ UserPrincipalName: pulumi.StringRef("jdoe@example.com"), }, nil) if err != nil { return err } grp, err := azuread.NewGroup(ctx, "example", &azuread.GroupArgs{ DisplayName: pulumi.String("my_group"), SecurityEnabled: pulumi.Bool(true), }) if err != nil { return err } _, err = azuread.NewGroupMember(ctx, "example", &azuread.GroupMemberArgs{ GroupObjectId: grp.ObjectId, MemberObjectId: pulumi.String(user.ObjectId), }) return err }) } ``` -------------------------------- ### Configure Federated Identity Credential for Application Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Configures a federated identity credential on an application registration. Use this to enable workload identity federation for external identity providers like GitHub Actions. ```typescript import * as azuread from "@pulumi/azuread"; const current = await azuread.getClientConfig(); const app = new azuread.ApplicationRegistration("example", { displayName: "example", }); // Trust GitHub Actions for a specific repo and environment const fedCred = new azuread.ApplicationFederatedIdentityCredential("github-actions", { applicationId: app.id, displayName: "github-actions-prod", description: "GitHub Actions deploy workflow for main branch", audiences: ["api://AzureADTokenExchange"], issuer: "https://token.actions.githubusercontent.com", subject: "repo:my-org/my-repo:environment:production", }); export const fedCredId = fedCred.credentialId; ``` -------------------------------- ### DirectoryRole Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Activates a built-in Azure AD directory role from its role template (by template ID or display name) so that role assignments can be made. Activated roles cannot be deactivated; no action is taken on destroy. Requires `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All`. ```APIDOC ## DirectoryRole — resource Activates a built-in Azure AD directory role from its role template (by template ID or display name) so that role assignments can be made. Activated roles cannot be deactivated; no action is taken on destroy. Requires `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All`. ```typescript import * as azuread from "@pulumi/azuread"; // Activate by display name const printerAdmin = new azuread.DirectoryRole("printer-admin", { displayName: "Printer administrator", }); // Activate by template ID const customRole = new azuread.DirectoryRole("by-template-id", { templateId: "00000000-0000-0000-0000-000000000000", }); // Assign a user to the activated role const assignment = new azuread.DirectoryRoleMember("example", { roleObjectId: printerAdmin.objectId, memberObjectId: "11111111-1111-1111-1111-111111111111", }); ``` ``` -------------------------------- ### Lookup Azure AD User by UPN Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Looks up an existing Azure AD user by their User Principal Name (UPN). Requires User.Read.All or Directory.Read.All permissions when using a service principal. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { // Lookup by UPN user, err := azuread.LookupUser(ctx, &azuread.LookupUserArgs{ UserPrincipalName: pulumi.StringRef("jdoe@example.com"), }, nil) if err != nil { return err } ctx.Export("userObjectId", pulumi.String(user.ObjectId)) ctx.Export("userDepartment", pulumi.String(user.Department)) ctx.Export("userJobTitle", pulumi.String(user.JobTitle)) return nil }) } ``` -------------------------------- ### User Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a user account within Azure Active Directory, including all profile fields such as department, job title, manager, and phone number. ```APIDOC ## User — resource Manages a user account within Azure Active Directory, including all profile fields (department, job title, manager, phone, etc.). Requires `User.ReadWrite.All` or `Directory.ReadWrite.All`. ```typescript import * as azuread from "@pulumi/azuread"; const user = new azuread.User("jdoe", { userPrincipalName: "jdoe@example.com", displayName: "J. Doe", givenName: "John", surname: "Doe", mailNickname: "jdoe", password: "SecretP@sswd99!", forcePasswordChange: true, department: "Engineering", jobTitle: "Software Engineer", usageLocation: "US", accountEnabled: true, disablePasswordExpiration: false, }); export const userId = user.objectId; export const userMail = user.mail; ``` ``` -------------------------------- ### LookupUser Data Source Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Looks up an existing Azure AD user by UPN, object ID, mail address, mail nickname, or employee ID. Exposes all profile attributes as outputs. Requires `User.Read.All` or `Directory.Read.All` when using a service principal. ```APIDOC ## GetUser — data source Looks up an existing Azure AD user by UPN, object ID, mail address, mail nickname, or employee ID and exposes all profile attributes as outputs. Requires `User.Read.All` or `Directory.Read.All` when using a service principal. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { // Lookup by UPN user, err := azuread.LookupUser(ctx, &azuread.LookupUserArgs{ UserPrincipalName: pulumi.StringRef("jdoe@example.com"), }, nil) if err != nil { return err } ctx.Export("userObjectId", pulumi.String(user.ObjectId)) ctx.Export("userDepartment", pulumi.String(user.Department)) ctx.Export("userJobTitle", pulumi.String(user.JobTitle)) return nil }) } ``` ``` -------------------------------- ### Create Azure AD Group - TypeScript Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages security groups, Microsoft 365 (Unified) groups, and dynamic groups with optional mail-enabled settings and owners. Requires specific API permissions. ```typescript import * as azuread from "@pulumi/azuread"; const current = await azuread.getClientConfig(); // Security group const securityGroup = new azuread.Group("security-group", { displayName: "Security Group", owners: [current.objectId], securityEnabled: true, }); // Microsoft 365 group (mail-enabled + Unified type) const m365Group = new azuread.Group("m365-group", { displayName: "M365 Group", mailEnabled: true, mailNickname: "m365group", securityEnabled: true, types: ["Unified"], owners: [current.objectId], }); // Dynamic group (members auto-assigned by rule) const dynamicGroup = new azuread.Group("dynamic-group", { displayName: "Dynamic Group", owners: [current.objectId], securityEnabled: true, types: ["DynamicMembership"], dynamicMembership: { enabled: true, rule: "user.department -eq \"Sales\"", }, }); export const securityGroupId = securityGroup.objectId; ``` -------------------------------- ### Create IP-based Named Location in AzureAD Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an IP-range based named location for Conditional Access Policies. Requires Policy.ReadWrite.ConditionalAccess and Policy.Read.All permissions. Subject to an API rate limit of 1 request/second. ```typescript import * as azuread from "@pulumi/azuread"; // IP-based trusted location const ipLocation = new azuread.NamedLocation("office-ips", { displayName: "Office IP Ranges", ip: { ipRanges: ["203.0.113.0/24", "198.51.100.10/32"], trusted: true, }, }); export const ipLocationId = ipLocation.id; ``` -------------------------------- ### Lookup Azure AD Group by Display Name Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Looks up an existing Azure AD group by its display name. Requires Group.Read.All or Directory.Read.All permissions. ```typescript import * as azuread from "@pulumi/azuread"; // Lookup by display name const group = azuread.getGroupOutput({ displayName: "Engineering", securityEnabled: true, }); // Use the result as input to another resource const member = new azuread.GroupMember("new-member", { groupObjectId: group.objectId, memberObjectId: "00000000-0000-0000-0000-000000000000", }); export const groupId = group.objectId; export const groupMembers = group.members; ``` -------------------------------- ### GetGroup Data Source Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Looks up an existing Azure AD group by display name, object ID, or mail nickname. Optionally resolves transitive members and returns full group metadata. Requires `Group.Read.All` or `Directory.Read.All`. ```APIDOC ## GetGroup — data source Looks up an existing Azure AD group by display name, object ID, or mail nickname, returning full group metadata and optionally resolving transitive members. Requires `Group.Read.All` or `Directory.Read.All`. ```typescript import * as azuread from "@pulumi/azuread"; // Lookup by display name const group = azuread.getGroupOutput({ displayName: "Engineering", securityEnabled: true, }); // Use the result as input to another resource const member = new azuread.GroupMember("new-member", { groupObjectId: group.objectId, memberObjectId: "00000000-0000-0000-0000-000000000000", }); export const groupId = group.objectId; export const groupMembers = group.members; ``` ``` -------------------------------- ### Activate Azure AD Directory Role - TypeScript Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Activates a built-in Azure AD directory role from its role template (by template ID or display name) so that role assignments can be made. Activated roles cannot be deactivated; no action is taken on destroy. Requires `RoleManagement.ReadWrite.Directory` or `Directory.ReadWrite.All` permissions. ```typescript import * as azuread from "@pulumi/azuread"; // Activate by display name const printerAdmin = new azuread.DirectoryRole("printer-admin", { displayName: "Printer administrator", }); // Activate by template ID const customRole = new azuread.DirectoryRole("by-template-id", { templateId: "00000000-0000-0000-0000-000000000000", }); // Assign a user to the activated role const assignment = new azuread.DirectoryRoleMember("example", { roleObjectId: printerAdmin.objectId, memberObjectId: "11111111-1111-1111-1111-111111111111", }); ``` -------------------------------- ### AdministrativeUnit Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages an Administrative Unit (AU) within Azure Active Directory, allowing scoped management of a subset of users or groups. ```APIDOC ## AdministrativeUnit — resource Manages an Administrative Unit (AU) within Azure Active Directory, allowing scoped management of a subset of users or groups. Requires `AdministrativeUnit.ReadWrite.All` or `Directory.ReadWrite.All`. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { au, err := azuread.NewAdministrativeUnit(ctx, "example", &azuread.AdministrativeUnitArgs{ DisplayName: pulumi.String("EMEA-Division"), Description: pulumi.String("Administrative unit for EMEA division"), HiddenMembershipEnabled: pulumi.Bool(false), }) if err != nil { return err } // Add a member to the AU _, err = azuread.NewAdministrativeUnitMember(ctx, "example", &azuread.AdministrativeUnitMemberArgs{ AdministrativeUnitObjectId: au.ObjectId, MemberObjectId: pulumi.String("00000000-0000-0000-0000-000000000000"), }) return err }) } ``` ``` -------------------------------- ### Create Country-based Named Location in AzureAD Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a country/region-based named location for Conditional Access Policies. Requires Policy.ReadWrite.ConditionalAccess and Policy.Read.All permissions. Subject to an API rate limit of 1 request/second. ```typescript // Country-based location const countryLocation = new azuread.NamedLocation("allowed-countries", { displayName: "Allowed Countries", country: { countriesAndRegions: ["US", "GB", "DE"], includeUnknownCountriesAndRegions: false, }, }); export const countryLocationId = countryLocation.id; ``` -------------------------------- ### ConditionalAccessPolicy Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a Conditional Access Policy that enforces access controls (MFA, compliant devices, etc.) based on conditions such as user/group membership, application, location, device state, risk levels, and client app type. Requires `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`. ```APIDOC ## ConditionalAccessPolicy — resource Manages a Conditional Access Policy that enforces access controls (MFA, compliant devices, etc.) based on conditions such as user/group membership, application, location, device state, risk levels, and client app type. Requires `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { _, err := azuread.NewConditionalAccessPolicy(ctx, "require-mfa", &azuread.ConditionalAccessPolicyArgs{ DisplayName: pulumi.String("Require MFA for all users"), State: pulumi.String("enabled"), Conditions: &azuread.ConditionalAccessPolicyConditionsArgs{ ClientAppTypes: pulumi.StringArray{pulumi.String("all")}, SignInRiskLevels: pulumi.StringArray{pulumi.String("medium"), pulumi.String("high")}, Applications: &azuread.ConditionalAccessPolicyConditionsApplicationsArgs{ IncludedApplications: pulumi.StringArray{pulumi.String("All")}, ExcludedApplications: pulumi.StringArray{}, }, Locations: &azuread.ConditionalAccessPolicyConditionsLocationsArgs{ IncludedLocations: pulumi.StringArray{pulumi.String("All")}, ExcludedLocations: pulumi.StringArray{pulumi.String("AllTrusted")}, }, Users: &azuread.ConditionalAccessPolicyConditionsUsersArgs{ IncludedUsers: pulumi.StringArray{pulumi.String("All")}, ExcludedUsers: pulumi.StringArray{pulumi.String("GuestsOrExternalUsers")}, }, }, GrantControls: &azuread.ConditionalAccessPolicyGrantControlsArgs{ Operator: pulumi.String("OR"), BuiltInControls: pulumi.StringArray{pulumi.String("mfa")}, }, }) return err }) } ``` ``` -------------------------------- ### Lookup Azure AD Service Principal by Display Name Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Looks up an existing Azure AD service principal by its display name. Useful for obtaining the object ID of a gallery application. ```typescript import * as azuread from "@pulumi/azuread"; // Lookup Microsoft Graph service principal const msgraph = azuread.getServicePrincipalOutput({ displayName: "Microsoft Graph", }); export const msgraphSpId = msgraph.objectId; export const msgraphAppId = msgraph.clientId; ``` -------------------------------- ### GetServicePrincipal Data Source Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Looks up an existing service principal by client ID, object ID, or display name. Commonly used to obtain the service principal object ID of a gallery application before creating a synchronization job or role assignment. ```APIDOC ## GetServicePrincipal — data source Looks up an existing service principal by client ID, object ID, or display name. Commonly used to obtain the service principal object ID of a gallery application before creating a synchronization job or role assignment. ```typescript import * as azuread from "@pulumi/azuread"; // Lookup Microsoft Graph service principal const msgraph = azuread.getServicePrincipalOutput({ displayName: "Microsoft Graph", }); export const msgraphSpId = msgraph.objectId; export const msgraphAppId = msgraph.clientId; ``` ``` -------------------------------- ### Assign App Role to Service Principal Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Assigns an app role defined on one application to a service principal. This is used to grant specific permissions within an application or authorize service-to-service access. ```typescript import * as azuread from "@pulumi/azuread"; const current = await azuread.getClientConfig(); // The application that exposes the app role const resourceApp = new azuread.Application("resource-app", { displayName: "Resource Application", owners: [current.objectId], appRoles: [{ id: "00000000-0000-0000-0000-000000000001", allowedMemberTypes: ["Application"], displayName: "Read All", description: "Ability to read all items", value: "Item.Read.All", enabled: true, }], }); const resourceSp = new azuread.ServicePrincipal("resource-sp", { clientId: resourceApp.clientId, owners: [current.objectId], }); // The client service principal that needs the role const clientSp = new azuread.ServicePrincipal("client-sp", { clientId: "..." }); // Assign "Item.Read.All" to the client SP const assignment = new azuread.AppRoleAssignment("example", { appRoleId: pulumi.output("00000000-0000-0000-0000-000000000001"), principalObjectId: clientSp.objectId, resourceObjectId: resourceSp.objectId, }); ``` -------------------------------- ### Group Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a security group or Microsoft 365 (Unified) group in Azure Active Directory, with optional dynamic membership rules, mail-enabled settings, and owners. ```APIDOC ## Group — resource Manages a security group or Microsoft 365 (Unified) group in Azure Active Directory, with optional dynamic membership rules, mail-enabled settings, and owners. Requires `Group.ReadWrite.All` or `Directory.ReadWrite.All`. ```typescript import * as azuread from "@pulumi/azuread"; const current = await azuread.getClientConfig(); // Security group const securityGroup = new azuread.Group("security-group", { displayName: "Security Group", owners: [current.objectId], securityEnabled: true, }); // Microsoft 365 group (mail-enabled + Unified type) const m365Group = new azuread.Group("m365-group", { displayName: "M365 Group", mailEnabled: true, mailNickname: "m365group", securityEnabled: true, types: ["Unified"], owners: [current.objectId], }); // Dynamic group (members auto-assigned by rule) const dynamicGroup = new azuread.Group("dynamic-group", { displayName: "Dynamic Group", owners: [current.objectId], securityEnabled: true, types: ["DynamicMembership"], dynamicMembership: { enabled: true, rule: "user.department -eq \"Sales\"", }, }); export const securityGroupId = securityGroup.objectId; ``` ``` -------------------------------- ### GroupMember Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages a single group membership, associating one Azure AD object (user, service principal, or another group) with a group. ```APIDOC ## GroupMember — resource Manages a single group membership, associating one Azure AD object (user, service principal, or another group) with a group. Do not mix with the `members` property on the `Group` resource for the same group. ```go package main import ( "github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { user, err := azuread.LookupUser(ctx, &azuread.LookupUserArgs{ UserPrincipalName: pulumi.StringRef("jdoe@example.com"), }, nil) if err != nil { return err } grp, err := azuread.NewGroup(ctx, "example", &azuread.GroupArgs{ DisplayName: pulumi.String("my_group"), SecurityEnabled: pulumi.Bool(true), }) if err != nil { return err } _, err = azuread.NewGroupMember(ctx, "example", &azuread.GroupMemberArgs{ GroupObjectId: grp.ObjectId, MemberObjectId: pulumi.String(user.ObjectId), }) return err }) } ``` ``` -------------------------------- ### NamedLocation Resource Source: https://context7.com/pulumi/pulumi-azuread/llms.txt Manages Named Locations, which can be IP-based or country/region-based, used as conditions in Conditional Access Policies. ```APIDOC ## NamedLocation — resource Manages a Named Location (IP-range based or country/region based) used as a condition in Conditional Access Policies. Subject to an API rate limit of 1 request/second. Requires `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`. ```typescript import * as azuread from "@pulumi/azuread"; // IP-based trusted location const ipLocation = new azuread.NamedLocation("office-ips", { displayName: "Office IP Ranges", ip: { ipRanges: ["203.0.113.0/24", "198.51.100.10/32"], trusted: true, }, }); // Country-based location const countryLocation = new azuread.NamedLocation("allowed-countries", { displayName: "Allowed Countries", country: { countriesAndRegions: ["US", "GB", "DE"], includeUnknownCountriesAndRegions: false, }, }); export const ipLocationId = ipLocation.id; export const countryLocationId = countryLocation.id; ``` ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.