Manages optional claims for an application registration.

This resource is analogous to the `optional_claims` block in the `azuread_application` resource. When using these resources together, you should use the `ignore_changes` lifecycle meta-argument (see example below).
The following API permissions are required in order to use this resource.

When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`.

When authenticated with a user principal, this resource may require one of the following directory roles: `Application Administrator` or `Global Administrator`.
```hcl
resource "azuread_application_registration" "example" {
  display_name = "example"
}

resource "azuread_application_optional_claims" "example" {
  application_id = azuread_application_registration.example.id

  access_token {
    name = "myclaim"
  }

  access_token {
    name = "otherclaim"
  }

  id_token {
    name                  = "userclaim"
    source                = "user"
    essential             = true
    additional_properties = ["emit_as_roles"]
  }

  saml2_token {
    name = "samlexample"
  }
}
```
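The pairing the introduction refers to, with the `ignore_changes` meta-argument on `azuread_application`, as an added example that is not part of the original page: both resources manage the same optional claims, so without `ignore_changes` each apply of `azuread_application` would revert what `azuread_application_optional_claims` wrote. It assumes that `/applications/<object id>` (the import format shown below) is the resource ID the provider expects for `application_id`.

```hcl
# Added example (not from the original page): azuread_application_optional_claims
# paired with azuread_application. azuread_application also manages optional
# claims through its own optional_claims block, so it is told to ignore that
# block and azuread_application_optional_claims becomes the single owner.
resource "azuread_application" "example" {
  display_name = "example"

  lifecycle {
    # Without this, each apply of azuread_application would try to remove the
    # claims added by the azuread_application_optional_claims resource below.
    ignore_changes = [optional_claims]
  }
}

resource "azuread_application_optional_claims" "example" {
  # application_id expects the application's resource ID. Assumption: it is
  # built from the object ID using the /applications/<object id> format that
  # the import command on this page uses.
  application_id = "/applications/${azuread_application.example.object_id}"

  access_token {
    name = "myclaim"
  }

  id_token {
    name                  = "userclaim"
    source                = "user"
    essential             = true
    additional_properties = ["emit_as_roles"]
  }

  saml2_token {
    name = "samlexample"
  }
}
```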
The following arguments are supported:

- `access_token` - (Optional) One or more `access_token` blocks as documented below.
- `application_id` - (Required) The resource ID of the application registration. Changing this forces a new resource to be created.
- `id_token` - (Optional) One or more `id_token` blocks as documented below.
- `saml2_token` - (Optional) One or more `saml2_token` blocks as documented below.

`access_token`, `id_token` and `saml2_token` blocks support the following:

- `additional_properties` - List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
- `essential` - Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
- `name` - The name of the optional claim.
- `source` - The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.

No additional attributes are exported.
Application Optional Claims can be imported using the object ID of the application, in the following format:

```shell
terraform import azuread_application_optional_claims.example /applications/00000000-0000-0000-0000-000000000000
```