Docs Home
Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi
azuread.ServicePrincipalDelegatedPermissionGrant
Explore with Pulumi AI
Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi
Manages a delegated permission grant for a service principal, on behalf of a single user, or all users.
API Permissions
The following API permissions are required in order to use this resource.
When authenticated with a service principal, this resource requires the following application role: Directory.ReadWrite.All
When authenticated with a user principal, this resource requires one the following directory role: Global Administrator
Example Usage
Delegated permission grant for all users
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
useExisting: true,
});
const example = new azuread.Application("example", {
displayName: "example",
requiredResourceAccesses: [{
resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
resourceAccesses: [
{
id: msgraph.oauth2PermissionScopeIds.openid,
type: "Scope",
},
{
id: msgraph.oauth2PermissionScopeIds["User.Read"],
type: "Scope",
},
],
}],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId});
const exampleServicePrincipalDelegatedPermissionGrant = new azuread.ServicePrincipalDelegatedPermissionGrant("example", {
servicePrincipalObjectId: exampleServicePrincipal.objectId,
resourceServicePrincipalObjectId: msgraph.objectId,
claimValues: [
"openid",
"User.Read.All",
],
});
import pulumi
import pulumi_azuread as azuread
well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
client_id=well_known.result["microsoftGraph"],
use_existing=True)
example = azuread.Application("example",
display_name="example",
required_resource_accesses=[{
"resource_app_id": well_known.result["microsoftGraph"],
"resource_accesses": [
{
"id": msgraph.oauth2_permission_scope_ids["openid"],
"type": "Scope",
},
{
"id": msgraph.oauth2_permission_scope_ids["User.Read"],
"type": "Scope",
},
],
}])
example_service_principal = azuread.ServicePrincipal("example", client_id=example.client_id)
example_service_principal_delegated_permission_grant = azuread.ServicePrincipalDelegatedPermissionGrant("example",
service_principal_object_id=example_service_principal.object_id,
resource_service_principal_object_id=msgraph.object_id,
claim_values=[
"openid",
"User.Read.All",
])
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
ClientId: pulumi.String(wellKnown.Result.MicrosoftGraph),
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
&azuread.ApplicationRequiredResourceAccessArgs{
ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
return oauth2PermissionScopeIds.Openid, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Scope"),
},
&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
return oauth2PermissionScopeIds.User.Read, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Scope"),
},
},
},
},
})
if err != nil {
return err
}
exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
ClientId: example.ClientId,
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "example", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
ServicePrincipalObjectId: exampleServicePrincipal.ObjectId,
ResourceServicePrincipalObjectId: msgraph.ObjectId,
ClaimValues: pulumi.StringArray{
pulumi.String("openid"),
pulumi.String("User.Read.All"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
{
ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
UseExisting = true,
});
var example = new AzureAD.Application("example", new()
{
DisplayName = "example",
RequiredResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
{
ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
ResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.Openid),
Type = "Scope",
},
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_Read),
Type = "Scope",
},
},
},
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
{
ClientId = example.ClientId,
});
var exampleServicePrincipalDelegatedPermissionGrant = new AzureAD.ServicePrincipalDelegatedPermissionGrant("example", new()
{
ServicePrincipalObjectId = exampleServicePrincipal.ObjectId,
ResourceServicePrincipalObjectId = msgraph.ObjectId,
ClaimValues = new[]
{
"openid",
"User.Read.All",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrant;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
.clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
.useExisting(true)
.build());
var example = new Application("example", ApplicationArgs.builder()
.displayName("example")
.requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
.resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
.resourceAccesses(
ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.openid()))
.type("Scope")
.build(),
ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.Read()))
.type("Scope")
.build())
.build())
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.clientId(example.clientId())
.build());
var exampleServicePrincipalDelegatedPermissionGrant = new ServicePrincipalDelegatedPermissionGrant("exampleServicePrincipalDelegatedPermissionGrant", ServicePrincipalDelegatedPermissionGrantArgs.builder()
.servicePrincipalObjectId(exampleServicePrincipal.objectId())
.resourceServicePrincipalObjectId(msgraph.objectId())
.claimValues(
"openid",
"User.Read.All")
.build());
}
}
resources:
msgraph:
type: azuread:ServicePrincipal
properties:
clientId: ${wellKnown.result.microsoftGraph}
useExisting: true
example:
type: azuread:Application
properties:
displayName: example
requiredResourceAccesses:
- resourceAppId: ${wellKnown.result.microsoftGraph}
resourceAccesses:
- id: ${msgraph.oauth2PermissionScopeIds.openid}
type: Scope
- id: ${msgraph.oauth2PermissionScopeIds"User.Read"[%!s(MISSING)]}
type: Scope
exampleServicePrincipal:
type: azuread:ServicePrincipal
name: example
properties:
clientId: ${example.clientId}
exampleServicePrincipalDelegatedPermissionGrant:
type: azuread:ServicePrincipalDelegatedPermissionGrant
name: example
properties:
servicePrincipalObjectId: ${exampleServicePrincipal.objectId}
resourceServicePrincipalObjectId: ${msgraph.objectId}
claimValues:
- openid
- User.Read.All
variables:
wellKnown:
fn::invoke:
function: azuread:getApplicationPublishedAppIds
arguments: {}
Delegated permission grant for a single user
import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
useExisting: true,
});
const example = new azuread.Application("example", {
displayName: "example",
requiredResourceAccesses: [{
resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
resourceAccesses: [
{
id: msgraph.oauth2PermissionScopeIds.openid,
type: "Scope",
},
{
id: msgraph.oauth2PermissionScopeIds["User.Read"],
type: "Scope",
},
],
}],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId});
const exampleUser = new azuread.User("example", {
displayName: "J. Doe",
userPrincipalName: "jdoe@example.com",
mailNickname: "jdoe",
password: "SecretP@sswd99!",
});
const exampleServicePrincipalDelegatedPermissionGrant = new azuread.ServicePrincipalDelegatedPermissionGrant("example", {
servicePrincipalObjectId: exampleServicePrincipal.objectId,
resourceServicePrincipalObjectId: msgraph.objectId,
claimValues: [
"openid",
"User.Read.All",
],
userObjectId: exampleUser.objectId,
});
import pulumi
import pulumi_azuread as azuread
well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
client_id=well_known.result["microsoftGraph"],
use_existing=True)
example = azuread.Application("example",
display_name="example",
required_resource_accesses=[{
"resource_app_id": well_known.result["microsoftGraph"],
"resource_accesses": [
{
"id": msgraph.oauth2_permission_scope_ids["openid"],
"type": "Scope",
},
{
"id": msgraph.oauth2_permission_scope_ids["User.Read"],
"type": "Scope",
},
],
}])
example_service_principal = azuread.ServicePrincipal("example", client_id=example.client_id)
example_user = azuread.User("example",
display_name="J. Doe",
user_principal_name="jdoe@example.com",
mail_nickname="jdoe",
password="SecretP@sswd99!")
example_service_principal_delegated_permission_grant = azuread.ServicePrincipalDelegatedPermissionGrant("example",
service_principal_object_id=example_service_principal.object_id,
resource_service_principal_object_id=msgraph.object_id,
claim_values=[
"openid",
"User.Read.All",
],
user_object_id=example_user.object_id)
package main
import (
"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
if err != nil {
return err
}
msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
ClientId: pulumi.String(wellKnown.Result.MicrosoftGraph),
UseExisting: pulumi.Bool(true),
})
if err != nil {
return err
}
example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
DisplayName: pulumi.String("example"),
RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
&azuread.ApplicationRequiredResourceAccessArgs{
ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
return oauth2PermissionScopeIds.Openid, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Scope"),
},
&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
return oauth2PermissionScopeIds.User.Read, nil
}).(pulumi.StringOutput),
Type: pulumi.String("Scope"),
},
},
},
},
})
if err != nil {
return err
}
exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
ClientId: example.ClientId,
})
if err != nil {
return err
}
exampleUser, err := azuread.NewUser(ctx, "example", &azuread.UserArgs{
DisplayName: pulumi.String("J. Doe"),
UserPrincipalName: pulumi.String("jdoe@example.com"),
MailNickname: pulumi.String("jdoe"),
Password: pulumi.String("SecretP@sswd99!"),
})
if err != nil {
return err
}
_, err = azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "example", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
ServicePrincipalObjectId: exampleServicePrincipal.ObjectId,
ResourceServicePrincipalObjectId: msgraph.ObjectId,
ClaimValues: pulumi.StringArray{
pulumi.String("openid"),
pulumi.String("User.Read.All"),
},
UserObjectId: exampleUser.ObjectId,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;
return await Deployment.RunAsync(() =>
{
var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();
var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
{
ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
UseExisting = true,
});
var example = new AzureAD.Application("example", new()
{
DisplayName = "example",
RequiredResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
{
ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
ResourceAccesses = new[]
{
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.Openid),
Type = "Scope",
},
new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
{
Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_Read),
Type = "Scope",
},
},
},
},
});
var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
{
ClientId = example.ClientId,
});
var exampleUser = new AzureAD.User("example", new()
{
DisplayName = "J. Doe",
UserPrincipalName = "jdoe@example.com",
MailNickname = "jdoe",
Password = "SecretP@sswd99!",
});
var exampleServicePrincipalDelegatedPermissionGrant = new AzureAD.ServicePrincipalDelegatedPermissionGrant("example", new()
{
ServicePrincipalObjectId = exampleServicePrincipal.ObjectId,
ResourceServicePrincipalObjectId = msgraph.ObjectId,
ClaimValues = new[]
{
"openid",
"User.Read.All",
},
UserObjectId = exampleUser.ObjectId,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.User;
import com.pulumi.azuread.UserArgs;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrant;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
.clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
.useExisting(true)
.build());
var example = new Application("example", ApplicationArgs.builder()
.displayName("example")
.requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
.resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
.resourceAccesses(
ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.openid()))
.type("Scope")
.build(),
ApplicationRequiredResourceAccessResourceAccessArgs.builder()
.id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.Read()))
.type("Scope")
.build())
.build())
.build());
var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
.clientId(example.clientId())
.build());
var exampleUser = new User("exampleUser", UserArgs.builder()
.displayName("J. Doe")
.userPrincipalName("jdoe@example.com")
.mailNickname("jdoe")
.password("SecretP@sswd99!")
.build());
var exampleServicePrincipalDelegatedPermissionGrant = new ServicePrincipalDelegatedPermissionGrant("exampleServicePrincipalDelegatedPermissionGrant", ServicePrincipalDelegatedPermissionGrantArgs.builder()
.servicePrincipalObjectId(exampleServicePrincipal.objectId())
.resourceServicePrincipalObjectId(msgraph.objectId())
.claimValues(
"openid",
"User.Read.All")
.userObjectId(exampleUser.objectId())
.build());
}
}
resources:
msgraph:
type: azuread:ServicePrincipal
properties:
clientId: ${wellKnown.result.microsoftGraph}
useExisting: true
example:
type: azuread:Application
properties:
displayName: example
requiredResourceAccesses:
- resourceAppId: ${wellKnown.result.microsoftGraph}
resourceAccesses:
- id: ${msgraph.oauth2PermissionScopeIds.openid}
type: Scope
- id: ${msgraph.oauth2PermissionScopeIds"User.Read"[%!s(MISSING)]}
type: Scope
exampleServicePrincipal:
type: azuread:ServicePrincipal
name: example
properties:
clientId: ${example.clientId}
exampleUser:
type: azuread:User
name: example
properties:
displayName: J. Doe
userPrincipalName: jdoe@example.com
mailNickname: jdoe
password: SecretP@sswd99!
exampleServicePrincipalDelegatedPermissionGrant:
type: azuread:ServicePrincipalDelegatedPermissionGrant
name: example
properties:
servicePrincipalObjectId: ${exampleServicePrincipal.objectId}
resourceServicePrincipalObjectId: ${msgraph.objectId}
claimValues:
- openid
- User.Read.All
userObjectId: ${exampleUser.objectId}
variables:
wellKnown:
fn::invoke:
function: azuread:getApplicationPublishedAppIds
arguments: {}
Create ServicePrincipalDelegatedPermissionGrant Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ServicePrincipalDelegatedPermissionGrant(name: string, args: ServicePrincipalDelegatedPermissionGrantArgs, opts?: CustomResourceOptions);@overload
def ServicePrincipalDelegatedPermissionGrant(resource_name: str,
args: ServicePrincipalDelegatedPermissionGrantArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ServicePrincipalDelegatedPermissionGrant(resource_name: str,
opts: Optional[ResourceOptions] = None,
claim_values: Optional[Sequence[str]] = None,
resource_service_principal_object_id: Optional[str] = None,
service_principal_object_id: Optional[str] = None,
user_object_id: Optional[str] = None)func NewServicePrincipalDelegatedPermissionGrant(ctx *Context, name string, args ServicePrincipalDelegatedPermissionGrantArgs, opts ...ResourceOption) (*ServicePrincipalDelegatedPermissionGrant, error)public ServicePrincipalDelegatedPermissionGrant(string name, ServicePrincipalDelegatedPermissionGrantArgs args, CustomResourceOptions? opts = null)
public ServicePrincipalDelegatedPermissionGrant(String name, ServicePrincipalDelegatedPermissionGrantArgs args)
public ServicePrincipalDelegatedPermissionGrant(String name, ServicePrincipalDelegatedPermissionGrantArgs args, CustomResourceOptions options)
type: azuread:ServicePrincipalDelegatedPermissionGrant
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ServicePrincipalDelegatedPermissionGrantArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ServicePrincipalDelegatedPermissionGrantArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ServicePrincipalDelegatedPermissionGrantArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ServicePrincipalDelegatedPermissionGrantArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ServicePrincipalDelegatedPermissionGrantArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var servicePrincipalDelegatedPermissionGrantResource = new AzureAD.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", new()
{
ClaimValues = new[]
{
"string",
},
ResourceServicePrincipalObjectId = "string",
ServicePrincipalObjectId = "string",
UserObjectId = "string",
});
example, err := azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "servicePrincipalDelegatedPermissionGrantResource", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
ClaimValues: pulumi.StringArray{
pulumi.String("string"),
},
ResourceServicePrincipalObjectId: pulumi.String("string"),
ServicePrincipalObjectId: pulumi.String("string"),
UserObjectId: pulumi.String("string"),
})
var servicePrincipalDelegatedPermissionGrantResource = new ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", ServicePrincipalDelegatedPermissionGrantArgs.builder()
.claimValues("string")
.resourceServicePrincipalObjectId("string")
.servicePrincipalObjectId("string")
.userObjectId("string")
.build());
service_principal_delegated_permission_grant_resource = azuread.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource",
claim_values=["string"],
resource_service_principal_object_id="string",
service_principal_object_id="string",
user_object_id="string")
const servicePrincipalDelegatedPermissionGrantResource = new azuread.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", {
claimValues: ["string"],
resourceServicePrincipalObjectId: "string",
servicePrincipalObjectId: "string",
userObjectId: "string",
});
type: azuread:ServicePrincipalDelegatedPermissionGrant
properties:
claimValues:
- string
resourceServicePrincipalObjectId: string
servicePrincipalObjectId: string
userObjectId: string
ServicePrincipalDelegatedPermissionGrant Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ServicePrincipalDelegatedPermissionGrant resource accepts the following input properties:
- Claim
Values List<string> - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- Resource
Service stringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- Service
Principal stringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- User
Object stringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- Claim
Values []string - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- Resource
Service stringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- Service
Principal stringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- User
Object stringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim
Values List<String> - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource
Service StringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service
Principal StringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user
Object StringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim
Values string[] - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource
Service stringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service
Principal stringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user
Object stringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim_
values Sequence[str] - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource_
service_ strprincipal_ object_ id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service_
principal_ strobject_ id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user_
object_ strid The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim
Values List<String> - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource
Service StringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service
Principal StringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user
Object StringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
Outputs
All input properties are implicitly available as output properties. Additionally, the ServicePrincipalDelegatedPermissionGrant resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ServicePrincipalDelegatedPermissionGrant Resource
Get an existing ServicePrincipalDelegatedPermissionGrant resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ServicePrincipalDelegatedPermissionGrantState, opts?: CustomResourceOptions): ServicePrincipalDelegatedPermissionGrant@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
claim_values: Optional[Sequence[str]] = None,
resource_service_principal_object_id: Optional[str] = None,
service_principal_object_id: Optional[str] = None,
user_object_id: Optional[str] = None) -> ServicePrincipalDelegatedPermissionGrantfunc GetServicePrincipalDelegatedPermissionGrant(ctx *Context, name string, id IDInput, state *ServicePrincipalDelegatedPermissionGrantState, opts ...ResourceOption) (*ServicePrincipalDelegatedPermissionGrant, error)public static ServicePrincipalDelegatedPermissionGrant Get(string name, Input<string> id, ServicePrincipalDelegatedPermissionGrantState? state, CustomResourceOptions? opts = null)public static ServicePrincipalDelegatedPermissionGrant get(String name, Output<String> id, ServicePrincipalDelegatedPermissionGrantState state, CustomResourceOptions options)resources: _: type: azuread:ServicePrincipalDelegatedPermissionGrant get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Claim
Values List<string> - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- Resource
Service stringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- Service
Principal stringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- User
Object stringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- Claim
Values []string - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- Resource
Service stringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- Service
Principal stringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- User
Object stringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim
Values List<String> - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource
Service StringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service
Principal StringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user
Object StringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim
Values string[] - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource
Service stringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service
Principal stringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user
Object stringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim_
values Sequence[str] - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource_
service_ strprincipal_ object_ id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service_
principal_ strobject_ id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user_
object_ strid The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
- claim
Values List<String> - A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
- resource
Service StringPrincipal Object Id - The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
- service
Principal StringObject Id - The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
- user
Object StringId The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.
Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the
user_object_idproperty.
Import
Delegated permission grants can be imported using their ID, e.g.
$ pulumi import azuread:index/servicePrincipalDelegatedPermissionGrant:ServicePrincipalDelegatedPermissionGrant example aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Azure Active Directory (Azure AD) pulumi/pulumi-azuread
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
azureadTerraform Provider.
Azure Active Directory (Azure AD) v6.2.0 published on Tuesday, Jan 21, 2025 by Pulumi