Resource: azuread_conditional_access_policy

Manages a Conditional Access Policy within Azure Active Directory.

API Permissions

The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires the following application roles: Policy.ReadWrite.ConditionalAccess and Policy.Read.All.

When authenticated with a user principal, this resource requires one of the following directory roles: Conditional Access Administrator or Global Administrator.

Example Usage

All users except guests or external users

resource "azuread_conditional_access_policy" "example" {
  display_name = "example policy"
  state        = "disabled"

  conditions {
    client_app_types    = ["all"]
    sign_in_risk_levels = ["medium"]
    user_risk_levels    = ["medium"]

    applications {
      included_applications = ["All"]
      excluded_applications = []
    }

    devices {
      filter {
        mode = "exclude"
        rule = "device.operatingSystem eq \"Doors\""
      }
    }

    locations {
      included_locations = ["All"]
      excluded_locations = ["AllTrusted"]
    }

    platforms {
      included_platforms = ["android"]
      excluded_platforms = ["iOS"]
    }

    users {
      included_users = ["All"]
      excluded_users = ["GuestsOrExternalUsers"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }

  session_controls {
    application_enforced_restrictions_enabled = true
    disable_resilience_defaults               = false
    sign_in_frequency                         = 10
    sign_in_frequency_period                  = "hours"
    cloud_app_security_policy                 = "monitorOnly"
  }
}

Included client applications / service principals

data "azuread_client_config" "current" {}

resource "azuread_conditional_access_policy" "example" {
  display_name = "example policy"
  state        = "disabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    client_applications {
      included_service_principals = [data.azuread_client_config.current.object_id]
      excluded_service_principals = []
    }

    users {
      included_users = ["None"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}

Excluded client applications / service principals

data "azuread_client_config" "current" {}

resource "azuread_conditional_access_policy" "example" {
  display_name = "example policy"
  state        = "disabled"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    client_applications {
      included_service_principals = ["ServicePrincipalsInMyTenant"]
      excluded_service_principals = [data.azuread_client_config.current.object_id]
    }

    users {
      included_users = ["None"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
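Report-only baseline with an emergency-access exclusion

The samples above all use state = "disabled". The configuration below is an added example, not one of the provider's own documentation samples; it shows the other rollout-safe state, "enabledForReportingButNotEnforced", where sign-in logs record what the policy would have done without enforcing it. It pairs a require-MFA policy with a block on legacy authentication protocols (which cannot present MFA), and excludes a break-glass group from both so a mis-scoped policy cannot lock out every administrator. The resource names, the variable name and the group object id default are assumptions chosen for this example; replace the placeholder with the object id of your own emergency-access group.

```hcl
# Added example (not from the provider documentation). The group object id below
# is a constructed placeholder supplied through a variable.
variable "break_glass_group_id" {
  description = "Object id of the emergency-access group (placeholder; replace with your own)"
  type        = string
  default     = "00000000-0000-0000-0000-000000000000"
}

resource "azuread_conditional_access_policy" "require_mfa_all_users" {
  display_name = "Baseline - require MFA for all users"

  # Report-only: evaluated and logged, but not enforced. Move to "enabled" only
  # after reviewing the report-only results in the sign-in logs.
  state = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# Legacy protocols (Exchange ActiveSync and "other" clients such as IMAP/SMTP
# basic auth) cannot satisfy an MFA grant, so they are blocked outright.
resource "azuread_conditional_access_policy" "block_legacy_auth" {
  display_name = "Baseline - block legacy authentication"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["exchangeActiveSync", "other"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users  = ["All"]
      excluded_groups = [var.break_glass_group_id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
```

Keep the two policies separate rather than merging them: the MFA policy scopes to client_app_types = ["all"] and grants on a condition, while the legacy-auth policy scopes to a narrower set of client types and blocks unconditionally, and their report-only results are easier to read apart. Once the sign-in logs show no unexpected would-be blocks, flip state to "enabled" one policy at a time.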

Argument Reference

The following arguments are supported:


conditions block supports the following:


applications block supports the following:


client_applications block supports the following:


devices block supports the following:


filter block supports the following:


users block supports the following:


guests_or_external_users block supports the following:


external_tenants block supports the following:


locations block supports the following:


platforms block supports the following:


grant_controls block supports the following:


session_controls block supports the following:


Attributes Reference

In addition to all arguments above, the following attributes are exported:

Import

Conditional Access Policies can be imported using the id, e.g.

terraform import azuread_conditional_access_policy.my_location 00000000-0000-0000-0000-000000000000