1. Packages
  2. Azure Active Directory (Azure AD)
  3. API Docs
  4. ServicePrincipalDelegatedPermissionGrant
Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

azuread.ServicePrincipalDelegatedPermissionGrant

Explore with Pulumi AI

Manages a delegated permission grant for a service principal, on behalf of a single user, or all users.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires the following application role: Directory.ReadWrite.All

When authenticated with a user principal, this resource requires one the following directory role: Global Administrator

Example Usage

Delegated permission grant for all users

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
    clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
    useExisting: true,
});
const example = new azuread.Application("example", {
    displayName: "example",
    requiredResourceAccesses: [{
        resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
        resourceAccesses: [
            {
                id: msgraph.oauth2PermissionScopeIds.openid,
                type: "Scope",
            },
            {
                id: msgraph.oauth2PermissionScopeIds["User.Read"],
                type: "Scope",
            },
        ],
    }],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId});
const exampleServicePrincipalDelegatedPermissionGrant = new azuread.ServicePrincipalDelegatedPermissionGrant("example", {
    servicePrincipalObjectId: exampleServicePrincipal.objectId,
    resourceServicePrincipalObjectId: msgraph.objectId,
    claimValues: [
        "openid",
        "User.Read.All",
    ],
});
Copy
import pulumi
import pulumi_azuread as azuread

well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
    client_id=well_known.result["microsoftGraph"],
    use_existing=True)
example = azuread.Application("example",
    display_name="example",
    required_resource_accesses=[{
        "resource_app_id": well_known.result["microsoftGraph"],
        "resource_accesses": [
            {
                "id": msgraph.oauth2_permission_scope_ids["openid"],
                "type": "Scope",
            },
            {
                "id": msgraph.oauth2_permission_scope_ids["User.Read"],
                "type": "Scope",
            },
        ],
    }])
example_service_principal = azuread.ServicePrincipal("example", client_id=example.client_id)
example_service_principal_delegated_permission_grant = azuread.ServicePrincipalDelegatedPermissionGrant("example",
    service_principal_object_id=example_service_principal.object_id,
    resource_service_principal_object_id=msgraph.object_id,
    claim_values=[
        "openid",
        "User.Read.All",
    ])
Copy
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
			ClientId:    pulumi.String(wellKnown.Result.MicrosoftGraph),
			UseExisting: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
				&azuread.ApplicationRequiredResourceAccessArgs{
					ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
					ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
								return oauth2PermissionScopeIds.Openid, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Scope"),
						},
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
								return oauth2PermissionScopeIds.User.Read, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Scope"),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId: example.ClientId,
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "example", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
			ServicePrincipalObjectId:         exampleServicePrincipal.ObjectId,
			ResourceServicePrincipalObjectId: msgraph.ObjectId,
			ClaimValues: pulumi.StringArray{
				pulumi.String("openid"),
				pulumi.String("User.Read.All"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();

    var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
    {
        ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
        UseExisting = true,
    });

    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        RequiredResourceAccesses = new[]
        {
            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
            {
                ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
                ResourceAccesses = new[]
                {
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.Openid),
                        Type = "Scope",
                    },
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_Read),
                        Type = "Scope",
                    },
                },
            },
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
    });

    var exampleServicePrincipalDelegatedPermissionGrant = new AzureAD.ServicePrincipalDelegatedPermissionGrant("example", new()
    {
        ServicePrincipalObjectId = exampleServicePrincipal.ObjectId,
        ResourceServicePrincipalObjectId = msgraph.ObjectId,
        ClaimValues = new[]
        {
            "openid",
            "User.Read.All",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrant;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();

        var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
            .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
            .useExisting(true)
            .build());

        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
                .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
                .resourceAccesses(                
                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.openid()))
                        .type("Scope")
                        .build(),
                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.Read()))
                        .type("Scope")
                        .build())
                .build())
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .build());

        var exampleServicePrincipalDelegatedPermissionGrant = new ServicePrincipalDelegatedPermissionGrant("exampleServicePrincipalDelegatedPermissionGrant", ServicePrincipalDelegatedPermissionGrantArgs.builder()
            .servicePrincipalObjectId(exampleServicePrincipal.objectId())
            .resourceServicePrincipalObjectId(msgraph.objectId())
            .claimValues(            
                "openid",
                "User.Read.All")
            .build());

    }
}
Copy
resources:
  msgraph:
    type: azuread:ServicePrincipal
    properties:
      clientId: ${wellKnown.result.microsoftGraph}
      useExisting: true
  example:
    type: azuread:Application
    properties:
      displayName: example
      requiredResourceAccesses:
        - resourceAppId: ${wellKnown.result.microsoftGraph}
          resourceAccesses:
            - id: ${msgraph.oauth2PermissionScopeIds.openid}
              type: Scope
            - id: ${msgraph.oauth2PermissionScopeIds"User.Read"[%!s(MISSING)]}
              type: Scope
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
  exampleServicePrincipalDelegatedPermissionGrant:
    type: azuread:ServicePrincipalDelegatedPermissionGrant
    name: example
    properties:
      servicePrincipalObjectId: ${exampleServicePrincipal.objectId}
      resourceServicePrincipalObjectId: ${msgraph.objectId}
      claimValues:
        - openid
        - User.Read.All
variables:
  wellKnown:
    fn::invoke:
      function: azuread:getApplicationPublishedAppIds
      arguments: {}
Copy

Delegated permission grant for a single user

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const wellKnown = azuread.getApplicationPublishedAppIds({});
const msgraph = new azuread.ServicePrincipal("msgraph", {
    clientId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
    useExisting: true,
});
const example = new azuread.Application("example", {
    displayName: "example",
    requiredResourceAccesses: [{
        resourceAppId: wellKnown.then(wellKnown => wellKnown.result?.microsoftGraph),
        resourceAccesses: [
            {
                id: msgraph.oauth2PermissionScopeIds.openid,
                type: "Scope",
            },
            {
                id: msgraph.oauth2PermissionScopeIds["User.Read"],
                type: "Scope",
            },
        ],
    }],
});
const exampleServicePrincipal = new azuread.ServicePrincipal("example", {clientId: example.clientId});
const exampleUser = new azuread.User("example", {
    displayName: "J. Doe",
    userPrincipalName: "jdoe@example.com",
    mailNickname: "jdoe",
    password: "SecretP@sswd99!",
});
const exampleServicePrincipalDelegatedPermissionGrant = new azuread.ServicePrincipalDelegatedPermissionGrant("example", {
    servicePrincipalObjectId: exampleServicePrincipal.objectId,
    resourceServicePrincipalObjectId: msgraph.objectId,
    claimValues: [
        "openid",
        "User.Read.All",
    ],
    userObjectId: exampleUser.objectId,
});
Copy
import pulumi
import pulumi_azuread as azuread

well_known = azuread.get_application_published_app_ids()
msgraph = azuread.ServicePrincipal("msgraph",
    client_id=well_known.result["microsoftGraph"],
    use_existing=True)
example = azuread.Application("example",
    display_name="example",
    required_resource_accesses=[{
        "resource_app_id": well_known.result["microsoftGraph"],
        "resource_accesses": [
            {
                "id": msgraph.oauth2_permission_scope_ids["openid"],
                "type": "Scope",
            },
            {
                "id": msgraph.oauth2_permission_scope_ids["User.Read"],
                "type": "Scope",
            },
        ],
    }])
example_service_principal = azuread.ServicePrincipal("example", client_id=example.client_id)
example_user = azuread.User("example",
    display_name="J. Doe",
    user_principal_name="jdoe@example.com",
    mail_nickname="jdoe",
    password="SecretP@sswd99!")
example_service_principal_delegated_permission_grant = azuread.ServicePrincipalDelegatedPermissionGrant("example",
    service_principal_object_id=example_service_principal.object_id,
    resource_service_principal_object_id=msgraph.object_id,
    claim_values=[
        "openid",
        "User.Read.All",
    ],
    user_object_id=example_user.object_id)
Copy
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		wellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, map[string]interface{}{}, nil)
		if err != nil {
			return err
		}
		msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
			ClientId:    pulumi.String(wellKnown.Result.MicrosoftGraph),
			UseExisting: pulumi.Bool(true),
		})
		if err != nil {
			return err
		}
		example, err := azuread.NewApplication(ctx, "example", &azuread.ApplicationArgs{
			DisplayName: pulumi.String("example"),
			RequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{
				&azuread.ApplicationRequiredResourceAccessArgs{
					ResourceAppId: pulumi.String(wellKnown.Result.MicrosoftGraph),
					ResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
								return oauth2PermissionScopeIds.Openid, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Scope"),
						},
						&azuread.ApplicationRequiredResourceAccessResourceAccessArgs{
							Id: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {
								return oauth2PermissionScopeIds.User.Read, nil
							}).(pulumi.StringOutput),
							Type: pulumi.String("Scope"),
						},
					},
				},
			},
		})
		if err != nil {
			return err
		}
		exampleServicePrincipal, err := azuread.NewServicePrincipal(ctx, "example", &azuread.ServicePrincipalArgs{
			ClientId: example.ClientId,
		})
		if err != nil {
			return err
		}
		exampleUser, err := azuread.NewUser(ctx, "example", &azuread.UserArgs{
			DisplayName:       pulumi.String("J. Doe"),
			UserPrincipalName: pulumi.String("jdoe@example.com"),
			MailNickname:      pulumi.String("jdoe"),
			Password:          pulumi.String("SecretP@sswd99!"),
		})
		if err != nil {
			return err
		}
		_, err = azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "example", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
			ServicePrincipalObjectId:         exampleServicePrincipal.ObjectId,
			ResourceServicePrincipalObjectId: msgraph.ObjectId,
			ClaimValues: pulumi.StringArray{
				pulumi.String("openid"),
				pulumi.String("User.Read.All"),
			},
			UserObjectId: exampleUser.ObjectId,
		})
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();

    var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
    {
        ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
        UseExisting = true,
    });

    var example = new AzureAD.Application("example", new()
    {
        DisplayName = "example",
        RequiredResourceAccesses = new[]
        {
            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs
            {
                ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult => getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
                ResourceAccesses = new[]
                {
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.Openid),
                        Type = "Scope",
                    },
                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs
                    {
                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds => oauth2PermissionScopeIds.User_Read),
                        Type = "Scope",
                    },
                },
            },
        },
    });

    var exampleServicePrincipal = new AzureAD.ServicePrincipal("example", new()
    {
        ClientId = example.ClientId,
    });

    var exampleUser = new AzureAD.User("example", new()
    {
        DisplayName = "J. Doe",
        UserPrincipalName = "jdoe@example.com",
        MailNickname = "jdoe",
        Password = "SecretP@sswd99!",
    });

    var exampleServicePrincipalDelegatedPermissionGrant = new AzureAD.ServicePrincipalDelegatedPermissionGrant("example", new()
    {
        ServicePrincipalObjectId = exampleServicePrincipal.ObjectId,
        ResourceServicePrincipalObjectId = msgraph.ObjectId,
        ClaimValues = new[]
        {
            "openid",
            "User.Read.All",
        },
        UserObjectId = exampleUser.ObjectId,
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.ServicePrincipal;
import com.pulumi.azuread.ServicePrincipalArgs;
import com.pulumi.azuread.Application;
import com.pulumi.azuread.ApplicationArgs;
import com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;
import com.pulumi.azuread.User;
import com.pulumi.azuread.UserArgs;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrant;
import com.pulumi.azuread.ServicePrincipalDelegatedPermissionGrantArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();

        var msgraph = new ServicePrincipal("msgraph", ServicePrincipalArgs.builder()
            .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
            .useExisting(true)
            .build());

        var example = new Application("example", ApplicationArgs.builder()
            .displayName("example")
            .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()
                .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -> getApplicationPublishedAppIdsResult.result().microsoftGraph()))
                .resourceAccesses(                
                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.openid()))
                        .type("Scope")
                        .build(),
                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()
                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -> oauth2PermissionScopeIds.User.Read()))
                        .type("Scope")
                        .build())
                .build())
            .build());

        var exampleServicePrincipal = new ServicePrincipal("exampleServicePrincipal", ServicePrincipalArgs.builder()
            .clientId(example.clientId())
            .build());

        var exampleUser = new User("exampleUser", UserArgs.builder()
            .displayName("J. Doe")
            .userPrincipalName("jdoe@example.com")
            .mailNickname("jdoe")
            .password("SecretP@sswd99!")
            .build());

        var exampleServicePrincipalDelegatedPermissionGrant = new ServicePrincipalDelegatedPermissionGrant("exampleServicePrincipalDelegatedPermissionGrant", ServicePrincipalDelegatedPermissionGrantArgs.builder()
            .servicePrincipalObjectId(exampleServicePrincipal.objectId())
            .resourceServicePrincipalObjectId(msgraph.objectId())
            .claimValues(            
                "openid",
                "User.Read.All")
            .userObjectId(exampleUser.objectId())
            .build());

    }
}
Copy
resources:
  msgraph:
    type: azuread:ServicePrincipal
    properties:
      clientId: ${wellKnown.result.microsoftGraph}
      useExisting: true
  example:
    type: azuread:Application
    properties:
      displayName: example
      requiredResourceAccesses:
        - resourceAppId: ${wellKnown.result.microsoftGraph}
          resourceAccesses:
            - id: ${msgraph.oauth2PermissionScopeIds.openid}
              type: Scope
            - id: ${msgraph.oauth2PermissionScopeIds"User.Read"[%!s(MISSING)]}
              type: Scope
  exampleServicePrincipal:
    type: azuread:ServicePrincipal
    name: example
    properties:
      clientId: ${example.clientId}
  exampleUser:
    type: azuread:User
    name: example
    properties:
      displayName: J. Doe
      userPrincipalName: jdoe@example.com
      mailNickname: jdoe
      password: SecretP@sswd99!
  exampleServicePrincipalDelegatedPermissionGrant:
    type: azuread:ServicePrincipalDelegatedPermissionGrant
    name: example
    properties:
      servicePrincipalObjectId: ${exampleServicePrincipal.objectId}
      resourceServicePrincipalObjectId: ${msgraph.objectId}
      claimValues:
        - openid
        - User.Read.All
      userObjectId: ${exampleUser.objectId}
variables:
  wellKnown:
    fn::invoke:
      function: azuread:getApplicationPublishedAppIds
      arguments: {}
Copy

Create ServicePrincipalDelegatedPermissionGrant Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ServicePrincipalDelegatedPermissionGrant(name: string, args: ServicePrincipalDelegatedPermissionGrantArgs, opts?: CustomResourceOptions);
@overload
def ServicePrincipalDelegatedPermissionGrant(resource_name: str,
                                             args: ServicePrincipalDelegatedPermissionGrantArgs,
                                             opts: Optional[ResourceOptions] = None)

@overload
def ServicePrincipalDelegatedPermissionGrant(resource_name: str,
                                             opts: Optional[ResourceOptions] = None,
                                             claim_values: Optional[Sequence[str]] = None,
                                             resource_service_principal_object_id: Optional[str] = None,
                                             service_principal_object_id: Optional[str] = None,
                                             user_object_id: Optional[str] = None)
func NewServicePrincipalDelegatedPermissionGrant(ctx *Context, name string, args ServicePrincipalDelegatedPermissionGrantArgs, opts ...ResourceOption) (*ServicePrincipalDelegatedPermissionGrant, error)
public ServicePrincipalDelegatedPermissionGrant(string name, ServicePrincipalDelegatedPermissionGrantArgs args, CustomResourceOptions? opts = null)
public ServicePrincipalDelegatedPermissionGrant(String name, ServicePrincipalDelegatedPermissionGrantArgs args)
public ServicePrincipalDelegatedPermissionGrant(String name, ServicePrincipalDelegatedPermissionGrantArgs args, CustomResourceOptions options)
type: azuread:ServicePrincipalDelegatedPermissionGrant
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. ServicePrincipalDelegatedPermissionGrantArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. ServicePrincipalDelegatedPermissionGrantArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. ServicePrincipalDelegatedPermissionGrantArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. ServicePrincipalDelegatedPermissionGrantArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. ServicePrincipalDelegatedPermissionGrantArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var servicePrincipalDelegatedPermissionGrantResource = new AzureAD.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", new()
{
    ClaimValues = new[]
    {
        "string",
    },
    ResourceServicePrincipalObjectId = "string",
    ServicePrincipalObjectId = "string",
    UserObjectId = "string",
});
Copy
example, err := azuread.NewServicePrincipalDelegatedPermissionGrant(ctx, "servicePrincipalDelegatedPermissionGrantResource", &azuread.ServicePrincipalDelegatedPermissionGrantArgs{
	ClaimValues: pulumi.StringArray{
		pulumi.String("string"),
	},
	ResourceServicePrincipalObjectId: pulumi.String("string"),
	ServicePrincipalObjectId:         pulumi.String("string"),
	UserObjectId:                     pulumi.String("string"),
})
Copy
var servicePrincipalDelegatedPermissionGrantResource = new ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", ServicePrincipalDelegatedPermissionGrantArgs.builder()
    .claimValues("string")
    .resourceServicePrincipalObjectId("string")
    .servicePrincipalObjectId("string")
    .userObjectId("string")
    .build());
Copy
service_principal_delegated_permission_grant_resource = azuread.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource",
    claim_values=["string"],
    resource_service_principal_object_id="string",
    service_principal_object_id="string",
    user_object_id="string")
Copy
const servicePrincipalDelegatedPermissionGrantResource = new azuread.ServicePrincipalDelegatedPermissionGrant("servicePrincipalDelegatedPermissionGrantResource", {
    claimValues: ["string"],
    resourceServicePrincipalObjectId: "string",
    servicePrincipalObjectId: "string",
    userObjectId: "string",
});
Copy
type: azuread:ServicePrincipalDelegatedPermissionGrant
properties:
    claimValues:
        - string
    resourceServicePrincipalObjectId: string
    servicePrincipalObjectId: string
    userObjectId: string
Copy

ServicePrincipalDelegatedPermissionGrant Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ServicePrincipalDelegatedPermissionGrant resource accepts the following input properties:

ClaimValues This property is required. List<string>
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
ResourceServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
string
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
ServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
string
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
UserObjectId Changes to this property will trigger replacement. string

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

ClaimValues This property is required. []string
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
ResourceServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
string
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
ServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
string
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
UserObjectId Changes to this property will trigger replacement. string

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claimValues This property is required. List<String>
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resourceServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
String
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
servicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
String
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
userObjectId Changes to this property will trigger replacement. String

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claimValues This property is required. string[]
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resourceServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
string
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
servicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
string
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
userObjectId Changes to this property will trigger replacement. string

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claim_values This property is required. Sequence[str]
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resource_service_principal_object_id
This property is required.
Changes to this property will trigger replacement.
str
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
service_principal_object_id
This property is required.
Changes to this property will trigger replacement.
str
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
user_object_id Changes to this property will trigger replacement. str

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claimValues This property is required. List<String>
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resourceServicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
String
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
servicePrincipalObjectId
This property is required.
Changes to this property will trigger replacement.
String
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
userObjectId Changes to this property will trigger replacement. String

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

Outputs

All input properties are implicitly available as output properties. Additionally, the ServicePrincipalDelegatedPermissionGrant resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.

Look up Existing ServicePrincipalDelegatedPermissionGrant Resource

Get an existing ServicePrincipalDelegatedPermissionGrant resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ServicePrincipalDelegatedPermissionGrantState, opts?: CustomResourceOptions): ServicePrincipalDelegatedPermissionGrant
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        claim_values: Optional[Sequence[str]] = None,
        resource_service_principal_object_id: Optional[str] = None,
        service_principal_object_id: Optional[str] = None,
        user_object_id: Optional[str] = None) -> ServicePrincipalDelegatedPermissionGrant
func GetServicePrincipalDelegatedPermissionGrant(ctx *Context, name string, id IDInput, state *ServicePrincipalDelegatedPermissionGrantState, opts ...ResourceOption) (*ServicePrincipalDelegatedPermissionGrant, error)
public static ServicePrincipalDelegatedPermissionGrant Get(string name, Input<string> id, ServicePrincipalDelegatedPermissionGrantState? state, CustomResourceOptions? opts = null)
public static ServicePrincipalDelegatedPermissionGrant get(String name, Output<String> id, ServicePrincipalDelegatedPermissionGrantState state, CustomResourceOptions options)
resources:  _:    type: azuread:ServicePrincipalDelegatedPermissionGrant    get:      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
ClaimValues List<string>
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
ResourceServicePrincipalObjectId Changes to this property will trigger replacement. string
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
ServicePrincipalObjectId Changes to this property will trigger replacement. string
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
UserObjectId Changes to this property will trigger replacement. string

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

ClaimValues []string
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
ResourceServicePrincipalObjectId Changes to this property will trigger replacement. string
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
ServicePrincipalObjectId Changes to this property will trigger replacement. string
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
UserObjectId Changes to this property will trigger replacement. string

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claimValues List<String>
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resourceServicePrincipalObjectId Changes to this property will trigger replacement. String
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
servicePrincipalObjectId Changes to this property will trigger replacement. String
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
userObjectId Changes to this property will trigger replacement. String

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claimValues string[]
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resourceServicePrincipalObjectId Changes to this property will trigger replacement. string
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
servicePrincipalObjectId Changes to this property will trigger replacement. string
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
userObjectId Changes to this property will trigger replacement. string

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claim_values Sequence[str]
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resource_service_principal_object_id Changes to this property will trigger replacement. str
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
service_principal_object_id Changes to this property will trigger replacement. str
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
user_object_id Changes to this property will trigger replacement. str

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

claimValues List<String>
A set of claim values for delegated permission scopes which should be included in access tokens for the resource.
resourceServicePrincipalObjectId Changes to this property will trigger replacement. String
The object ID of the service principal representing the resource to be accessed. Changing this forces a new resource to be created.
servicePrincipalObjectId Changes to this property will trigger replacement. String
The object ID of the service principal for which this delegated permission grant should be created. Changing this forces a new resource to be created.
userObjectId Changes to this property will trigger replacement. String

The object ID of the user on behalf of whom the service principal is authorized to access the resource. When omitted, the delegated permission grant will be consented for all users. Changing this forces a new resource to be created.

Granting Admin Consent To grant admin consent for the service principal to impersonate all users, just omit the user_object_id property.

Import

Delegated permission grants can be imported using their ID, e.g.

$ pulumi import azuread:index/servicePrincipalDelegatedPermissionGrant:ServicePrincipalDelegatedPermissionGrant example aaBBcDDeFG6h5JKLMN2PQrrssTTUUvWWxxxxxyyyzzz
Copy

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License
Apache-2.0
Notes
This Pulumi package is based on the azuread Terraform Provider.