# AADServicePrincipal
## Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AppId | Key | String | The unique identifier for the associated application. | |
| AppRoleAssignedTo | Write | MSFT_AADServicePrincipalRoleAssignment[] | App role assignments for this app or service, granted to users, groups, and other service principals. | |
| ObjectID | Write | String | The ObjectID of the ServicePrincipal | |
| DisplayName | Write | String | Displayname of the ServicePrincipal. | |
| AlternativeNames | Write | StringArray[] | The alternative names for this service principal | |
| AccountEnabled | Write | Boolean | True if the service principal account is enabled; otherwise, false. | |
| AppRoleAssignmentRequired | Write | Boolean | Indicates whether an application role assignment is required. | |
| ClaimsPolicy | Write | MSFT_AADServicePrincipalClaimsPolicy | Represents a claims policy that allows application admins to customize the claims emitted in tokens affected by this policy. | |
| ErrorUrl | Write | String | Specifies the error URL of the ServicePrincipal. | |
| Homepage | Write | String | Specifies the homepage of the ServicePrincipal. | |
| LogoutUrl | Write | String | Specifies the LogoutURL of the ServicePrincipal. | |
| Notes | Write | String | Notes associated with the ServicePrincipal. | |
| PublisherName | Write | String | Specifies the PublisherName of the ServicePrincipal. | |
| Owners | Write | StringArray[] | List of the owners of the service principal. | |
| PreferredSingleSignOnMode | Write | String | Specifies the single sign-on mode configured for this application. | |
| ReplyUrls | Write | StringArray[] | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. | |
| SamlMetadataUrl | Write | String | The URL for the SAML metadata of the ServicePrincipal. | |
| ServicePrincipalNames | Write | StringArray[] | Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal. | |
| ServicePrincipalType | Write | String | The type of the service principal. | |
| Tags | Write | StringArray[] | Tags linked to this service principal. Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to | |
| DelegatedPermissionClassifications | Write | MSFT_AADServicePrincipalDelegatedPermissionClassification[] | The permission classifications for delegated permissions exposed by the app that this service principal represents. | |
| CustomSecurityAttributes | Write | MSFT_AADServicePrincipalAttributeSet[] | The list of custom security attributes attached to this SPN | |
| Ensure | Write | String | Specify if the Azure AD App should exist or not. | Present, Absent |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
| Credential | Write | PSCredential | Credentials of the Azure AD Admin | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |
| PasswordCredentials | Write | MSFT_MicrosoftGraphpasswordCredential[] | The collection of password credentials associated with the service principal. Not nullable. | |
| KeyCredentials | Write | MSFT_MicrosoftGraphkeyCredential[] | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq, NOT, ge, le). | |
## Embedded Instances
### MSFT_AADServicePrincipalRoleAssignment
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| PrincipalType | Required | String | Type of principal. Accepted values are User or Group | Group, User |
| Identity | Required | String | Unique identity representing the principal. | |
### MSFT_AADServicePrincipalDelegatedPermissionClassification
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Classification | Write | String | Classification of the delegated permission | low, medium, high |
| PermissionName | Required | String | Name of the permission | |
### MSFT_AADServicePrincipalAttributeValue
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AttributeName | Required | String | Name of the Attribute | |
| StringArrayValue | Write | StringArray[] | If the attribute has a string array value | |
| IntArrayValue | Write | UInt32Array[] | If the attribute has an int array value | |
| StringValue | Write | String | If the attribute has a string value | |
| IntValue | Write | UInt32 | If the attribute has an int value | |
| BoolValue | Write | Boolean | If the attribute has a boolean value | |
### MSFT_AADServicePrincipalAttributeSet
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| AttributeSetName | Required | String | Attribute Set Name. | |
| AttributeValues | Write | MSFT_AADServicePrincipalAttributeValue[] | List of attribute values. | |
### MSFT_AADServicePrincipalTransformationAttribute
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| treatAsMultiValue | Write | Boolean | This flag is only relevant when the attribute is multi-valued. By default, transformations are applied only to the first element of a multi-valued claim; setting this flag to true applies the transformation to all values, resulting in a multi-valued output. | |
### MSFT_AADServicePrincipalCustomClaimTransformation
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| input | Write | MSFT_AADServicePrincipalTransformationAttribute | The input attribute that provides the source for the transformation. This parameter is required if it's the first or only transformation in the list of transformations to be applied. Subsequent transformations use the output of the prior transformation as input. | |
### MSFT_AADServicePrincipalCustomClaimCondition
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| odataType | Write | String | The type of the entity. | #microsoft.graph.customClaimCondition |
| memberOf | Write | StringArray[] | A list of groups (GUIDs) to which the user/application must be a member for this condition to be applied. | |
| userType | Write | String | The type of user this condition applies to. The possible values are: any, members, allGuests, aadGuests, externalGuests. | any, members, allGuests, aadGuests, externalGuests |
### MSFT_AADServicePrincipalCustomClaimAttribute
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| odataType | Required | String | The type of the entity. | #microsoft.graph.sourcedAttribute, #microsoft.graph.valueBasedAttribute |
| id | Write | String | The identifier of the attribute on the specified source. Only applicable for sourcedAttribute. | |
| isExtensionAttribute | Write | Boolean | A flag that indicates if the name specified is that of an extension attribute. Only applicable for sourcedAttribute. | |
| source | Write | String | The source where the claim is going to retrieve its value. Valid sources include user, application, resource, audience and company. Only applicable for sourcedAttribute. | |
| value | Write | String | The static value to be used as the attribute. Only applicable for valueBasedAttribute. | |
### MSFT_AADServicePrincipalCustomClaimConfiguration
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| attribute | Write | MSFT_AADServicePrincipalCustomClaimAttribute | The attribute on which we source this property. | |
| condition | Write | MSFT_AADServicePrincipalCustomClaimCondition | The condition, if any, associated with this configuration. | |
| transformations | Write | MSFT_AADServicePrincipalCustomClaimTransformation[] | An ordered list of transformations that are applied in sequence. | |
### MSFT_AADServicePrincipalCustomClaim
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| odataType | Required | String | The type of the entity. | #microsoft.graph.customClaim, #microsoft.graph.samlNameIdClaim |
| configurations | Write | MSFT_AADServicePrincipalCustomClaimConfiguration[] | One or more configurations that describe how the claim is sourced and under what conditions. | |
| name | Write | String | The name of the claim to be emitted. | |
| namespace | Write | String | An optional namespace to be included as part of the claim name. | |
| samlAttributeNameFormat | Write | String | If specified, it sets the nameFormat attribute associated with the claim in the SAML response. The possible values are: unspecified, uri, basic. | unspecified, uri, basic |
| tokenFormat | Write | StringArray[] | List of token formats for which this claim should be emitted. The possible values are: saml,jwt. | saml, jwt |
| nameIdFormat | Write | String | Specifies the format of the SAML nameID claim value. The possible values are: default, unspecified, emailAddress, windowsDomainQualifiedName, persistent, unknownFutureValue. Only applicable to samlNameIdClaim. | default, unspecified, emailAddress, windowsDomainQualifiedName, persistent |
| serviceProviderNameQualifier | Write | String | Specifies a service provider name qualifier reflected in the SAML response. The value provided must match one of the service provider names configured for the application and is only applicable for IdP-initiated applications (the sign-on URL should be empty for IdP-initiated applications); in all other cases this value is ignored. Only applicable to samlNameIdClaim. | |
### MSFT_AADServicePrincipalClaimsPolicy
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| audienceOverride | Write | String | If specified, it overrides the content of the audience claim for WS-Federation and SAML2 protocols. A custom signing key must be used for audienceOverride to be applied, otherwise, the audienceOverride value is ignored. The value provided must be in the format of an absolute URI. | |
| Claims | Write | MSFT_AADServicePrincipalCustomClaim[] | Defines which claims are present in the tokens affected by the policy, in addition to the basic claim and the core claim set. | |
| includeApplicationIdInIssuer | Write | Boolean | Indicates whether the application ID is added to the claim. It is relevant only for SAML 2.0 and only if a custom signing key is used. The default value is true. Optional. | |
| includeBasicClaimSet | Write | Boolean | Determines whether the basic claim set is included in tokens affected by this policy. If set to true, all claims in the basic claim set are emitted in tokens affected by the policy. By default the basic claim set isn't in the tokens unless it is explicitly configured in this policy. | |
### MSFT_MicrosoftGraphKeyCredential
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| CustomKeyIdentifier | Write | String | A 40-character binary type that can be used to identify the credential. Optional. When not provided in the payload, defaults to the thumbprint of the certificate. | |
| DisplayName | Write | String | Friendly name for the key. Optional. | |
| EndDateTime | Write | String | The date and time at which the credential expires. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | |
| KeyId | Write | String | The unique identifier (GUID) for the key. | |
| Key | Write | String | The certificate's raw data in byte array converted to Base64 string. | |
| StartDateTime | Write | String | The date and time at which the credential becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. | |
| Type | Write | String | The type of key credential; for example, Symmetric or AsymmetricX509Cert. | |
| Usage | Write | String | A string that describes the purpose for which the key can be used; for example, Verify. | |
### MSFT_MicrosoftGraphPasswordCredential
#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisplayName | Write | String | Friendly name for the password. Optional. | |
| EndDateTime | Write | String | The date and time at which the password expires represented using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. | |
| Hint | Write | String | Contains the first three characters of the password. Read-only. | |
| KeyId | Write | String | The unique identifier for the password. | |
| StartDateTime | Write | String | The date and time at which the password becomes valid. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Optional. | |
## Description
This resource configures an Azure Active Directory ServicePrincipal.
## Permissions
### Microsoft Graph
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
#### Delegated permissions
- Read: Application.Read.All, Group.Read.All, User.Read.All
- Update: Application.ReadWrite.All, Group.Read.All, User.Read.All
#### Application permissions
- Read: Application.Read.All, Group.Read.All, User.Read.All
- Update: Application.ReadWrite.All, Group.Read.All, User.Read.All
## Examples
### Example 1
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        # Creates (or brings into the desired state) a service principal identified by AppId
        AADServicePrincipal 'AADServicePrincipal'
        {
            AppId                     = 'AppDisplayName'
            DisplayName               = "AppDisplayName"
            AlternativeNames          = "AlternativeName1","AlternativeName2"
            AccountEnabled            = $true
            AppRoleAssignmentRequired = $false
            Homepage                  = "https://$TenantId"
            LogoutUrl                 = "https://$TenantId/logout"
            ReplyURLs                 = "https://$TenantId"
            ServicePrincipalType      = "Application"
            Tags                      = "{WindowsAzureActiveDirectoryIntegratedApp}"
            Ensure                    = "Present"
            # Certificate-based, app-only authentication to the tenant
            ApplicationId             = $ApplicationId
            TenantId                  = $TenantId
            CertificateThumbprint     = $CertificateThumbprint
        }
    }
}
```
### Example 2
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        # Same service principal as Example 1 with one property changed; DSC reconciles the drift
        AADServicePrincipal 'AADServicePrincipal'
        {
            AppId                     = 'AppDisplayName'
            DisplayName               = "AppDisplayName"
            AlternativeNames          = "AlternativeName1","AlternativeName3" # Updated Property
            AccountEnabled            = $true
            AppRoleAssignmentRequired = $false
            Homepage                  = "https://$TenantId"
            LogoutUrl                 = "https://$TenantId/logout"
            ReplyURLs                 = "https://$TenantId"
            ServicePrincipalType      = "Application"
            Tags                      = "{WindowsAzureActiveDirectoryIntegratedApp}"
            Ensure                    = "Present"
            ApplicationId             = $ApplicationId
            TenantId                  = $TenantId
            CertificateThumbprint     = $CertificateThumbprint
        }
    }
}
```
### Example 3
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        # Ensure = "Absent" removes the service principal if it exists
        AADServicePrincipal 'AADServicePrincipal'
        {
            AppId                 = "AppDisplayName"
            DisplayName           = "AppDisplayName"
            Ensure                = "Absent"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```
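The examples above leave AppRoleAssignmentRequired at $false, which lets any user in the tenant sign in to the application. The following configuration is an added example, not one of the module's own, that uses the AppRoleAssignedTo and DelegatedPermissionClassifications embedded instances documented above to restrict sign-in to explicitly assigned principals and to classify the one delegated permission users may consent to themselves. The group name, user UPN and permission name are assumed placeholders.

```powershell
Configuration RestrictedServicePrincipal
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        AADServicePrincipal 'RestrictedServicePrincipal'
        {
            AppId                     = 'AppDisplayName'
            DisplayName               = 'AppDisplayName'
            AccountEnabled            = $true
            # Tokens are only issued to principals that hold an app role assignment
            AppRoleAssignmentRequired = $true
            # The explicit allow list; anything not listed here is removed on the next apply
            AppRoleAssignedTo         = @(
                MSFT_AADServicePrincipalRoleAssignment {
                    PrincipalType = 'Group'
                    Identity      = 'SG-AppDisplayName-Users'   # assumed group name
                }
                MSFT_AADServicePrincipalRoleAssignment {
                    PrincipalType = 'User'
                    Identity      = 'alex@contoso.onmicrosoft.com'   # assumed UPN
                }
            )
            # Classify the only delegated permission end users may self-consent to as low impact
            DelegatedPermissionClassifications = @(
                MSFT_AADServicePrincipalDelegatedPermissionClassification {
                    PermissionName = 'User.Read'   # assumed permission name
                    Classification = 'low'
                }
            )
            Tags                      = '{WindowsAzureActiveDirectoryIntegratedApp}'
            Ensure                    = 'Present'
            ApplicationId             = $ApplicationId
            TenantId                  = $TenantId
            CertificateThumbprint     = $CertificateThumbprint
        }
    }
}
```

Because the resource manages AppRoleAssignedTo as a full set, a drift check (Test-DscConfiguration) after this is applied reports any assignment added outside the configuration.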