azure.azcollection.azure_rm_adapplication (2.3.0) — module

Manage Azure Active Directory application

Added in version 1.6.0 of azure.azcollection

Authors: guopeng_lin (@guopenglin) haiyuan_zhang (@haiyuazhang) Fred-sun (@Fred-sun)

Install collection

Install with ansible-galaxy collection install azure.azcollection:==2.3.0


Add to requirements.yml

  collections:
    - name: azure.azcollection
      version: 2.3.0

Description

Manage Azure Active Directory application.


Requirements

Usage examples

- name: Create ad application
  azure_rm_adapplication:
    display_name: "{{ display_name }}"
- name: Create ad application with multi redirect urls
  azure_rm_adapplication:
    display_name: "{{ display_name }}"
    web_reply_urls:
      - https://web01.com
    spa_reply_urls:
      - https://spa01.com
      - https://spa02.com
    public_client_reply_urls:
      - https://public01.com
      - https://public02.com
- name: Create application with more parameter
  azure_rm_adapplication:
    display_name: "{{ display_name }}"
    sign_in_audience: AzureADandPersonalMicrosoftAccount
    credential_description: "for test"
    end_date: 2021-10-01
    start_date: 2021-05-18
    identifier_uris: fredtest02.com
- name: delete ad application
  azure_rm_adapplication:
    app_id: "{{ app_id }}"
    state: absent

Inputs

    
state:
    choices:
    - absent
    - present
    default: present
    description:
    - Assert the state of the Active Directory application.
    - Use C(present) to create or update the application and C(absent) to delete it.
    type: str

app_id:
    description:
    - Application ID.
    type: str

secret:
    description:
    - Azure client secret. Use when authenticating with a Service Principal.
    type: str

tenant:
    description:
    - Azure tenant ID. Use when authenticating with a Service Principal.
    type: str

ad_user:
    description:
    - Active Directory username. Use when authenticating with an Active Directory user
      rather than service principal.
    type: str

profile:
    description:
    - Security profile found in ~/.azure/credentials file.
    type: str

end_date:
    description:
    - Date or datetime after which credentials expire (e.g. '2017-12-31').
    - Default value is one year after current time.
    type: str

homepage:
    description:
    - The url where users can sign in and use your app.
    type: str

key_type:
    choices:
    - AsymmetricX509Cert
    - Password
    - Symmetric
    default: AsymmetricX509Cert
    description:
    - The type of the key credentials associated with the application.
    type: str

log_mode:
    description:
    - Parent argument.
    type: str

log_path:
    description:
    - Parent argument.
    type: str

password:
    description:
    - App password, aka 'client secret'.
    type: str

app_roles:
    description:
    - Declare the roles you want to associate with your application.
    elements: dict
    suboptions:
      allowed_member_types:
        description:
        - Specifies whether this app role can be assigned to users and groups (I(allowed_member_types=User)),
          to other applications (I(allowed_member_types=Application)),
          or both C(User) and C(Application).
        elements: str
        required: true
        type: list
      description:
        description:
        - The description for the app role.
        - This is displayed when the app role is being assigned and, if the app role
          functions as an application permission, during consent experiences.
        type: str
      display_name:
        description:
        - Display name for the permission that appears in the app role assignment and
          consent experiences.
        type: str
      is_enabled:
        description:
        - When creating or updating an app role, this must be set to true (which is the
          default).
        - To delete a role, this must first be set to false.
        - At that point, in a subsequent call, this role may be removed.
        type: bool
      value:
        description:
        - Specifies the value to include in the roles claim in ID tokens and access tokens
          authenticating an assigned user or service principal.
        - Must not exceed 120 characters in length.
        - Allowed characters include !
        - Any other character, including the space character, is not allowed.
        type: str
    type: list

client_id:
    description:
    - Azure client ID. Use when authenticating with a Service Principal or Managed Identity
      (msi).
    - Can also be set via the C(AZURE_CLIENT_ID) environment variable.
    type: str

key_usage:
    choices:
    - Sign
    - Verify
    default: Verify
    description:
    - The usage of the key credentials associated with the application.
    type: str

key_value:
    description:
    - The value for the key credentials associated with the application.
    type: str

native_app:
    description:
    - An application which can be installed on a user's device or computer.
    type: bool

start_date:
    description:
    - Date or datetime at which credentials become valid, such as '2017-01-01'.
    - Default value is current time.
    type: str

thumbprint:
    description:
    - The thumbprint of the private key specified in I(x509_certificate_path).
    - Use when authenticating with a Service Principal.
    - Required if I(x509_certificate_path) is defined.
    type: str
    version_added: 1.14.0
    version_added_collection: azure.azcollection

api_profile:
    default: latest
    description:
    - Selects an API profile to use when communicating with Azure services. Default value
      of C(latest) is appropriate for public clouds; future values will allow use with
      Azure Stack.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

auth_source:
    choices:
    - auto
    - cli
    - credential_file
    - env
    - msi
    default: auto
    description:
    - Controls the source of the credentials to use for authentication.
    - Can also be set via the C(ANSIBLE_AZURE_AUTH_SOURCE) environment variable.
    - When set to C(auto) (the default) the precedence is module parameters -> C(env)
      -> C(credential_file) -> C(cli).
    - When set to C(env), the credentials will be read from the environment variables.
    - When set to C(credential_file), it will read the profile from C(~/.azure/credentials).
    - When set to C(cli), the credentials will be sourced from the Azure CLI profile.
      C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID) can be used
      to identify the subscription ID if more than one is present otherwise the default
      az cli subscription is used.
    - When set to C(msi), the host machine must be an azure resource with an enabled MSI
      extension. C(subscription_id) or the environment variable C(AZURE_SUBSCRIPTION_ID)
      can be used to identify the subscription ID if the resource is granted access to
      more than one subscription, otherwise the first subscription is chosen.
    - The C(msi) was added in Ansible 2.6.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

display_name:
    description:
    - The display name of the application.
    required: true
    type: str

spa_reply_urls:
    description:
    - The spa redirect urls.
    - Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0
      request.
    - The value does not need to be a physical endpoint, but must be a valid URI.
    elements: str
    type: list

web_reply_urls:
    aliases:
    - reply_urls
    description:
    - The web redirect urls.
    - Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0
      request.
    - The value does not need to be a physical endpoint, but must be a valid URI.
    elements: str
    type: list

identifier_uris:
    description:
    - Space-separated unique URIs that Azure AD can use for this app.
    elements: str
    type: list

optional_claims:
    description:
    - Declare the optional claims for the application.
    elements: dict
    suboptions:
      additional_properties:
        description:
        - Additional properties of the claim.
        - If a property exists in this collection, it modifies the behavior of the optional
          claim specified in the name property.
        type: str
      essential:
        default: false
        description:
        - If the value is true, the claim specified by the client is necessary to ensure
          a smooth authorization experience for the specific task requested by the end
          user.
        - The default value is false.
        type: bool
      name:
        description:
        - The name of the optional claim.
        required: true
        type: str
      source:
        description:
        - The source (directory object) of the claim.
        - There are predefined claims and user-defined claims from extension properties.
        - If the source value is null, the claim is a predefined optional claim.
        - If the source value is user, the value in the name property is the extension
          property from the user object.
        type: str
    type: list

subscription_id:
    description:
    - Your Azure subscription Id.
    type: str

sign_in_audience:
    choices:
    - AzureADMyOrg
    - AzureADMultipleOrgs
    - AzureADandPersonalMicrosoftAccount
    - PersonalMicrosoftAccount
    description:
    - Which account types can use the application (from this tenant only, any Azure AD tenant, and/or personal Microsoft accounts).
    - The Microsoft Graph SDK deprecates I(available_to_other_tenants); it is replaced by I(sign_in_audience).
    - Refer to U(https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-property-differences#application-property-differences)
    type: str

cloud_environment:
    default: AzureCloud
    description:
    - For cloud environments other than the US public cloud, the environment name (as
      defined by Azure Python SDK, eg, C(AzureChinaCloud), C(AzureUSGovernment)), or a
      metadata discovery endpoint URL (required for Azure Stack). Can also be set via
      credential file profile or the C(AZURE_CLOUD_ENVIRONMENT) environment variable.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

adfs_authority_url:
    description:
    - Azure AD authority URL. Use when authenticating with username/password and you have
      your own ADFS authority.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

allow_guests_sign_in:
    description:
    - Indicates whether the application accepts other IdPs fully, partially, or not
      at all.
    type: bool

cert_validation_mode:
    choices:
    - ignore
    - validate
    description:
    - Controls the certificate validation behavior for Azure endpoints. By default, all
      modules will validate the server certificate, but when an HTTPS proxy is in use,
      or against Azure Stack, it may be necessary to disable this behavior by passing
      C(ignore). Can also be set via credential file profile or the C(AZURE_CERT_VALIDATION)
      environment variable.
    type: str
    version_added: 0.0.1
    version_added_collection: azure.azcollection

x509_certificate_path:
    description:
    - Path to the X509 certificate used to create the service principal in PEM format.
    - The certificate must be appended to the private key.
    - Use when authenticating with a Service Principal.
    type: path
    version_added: 1.14.0
    version_added_collection: azure.azcollection

credential_description:
    description:
    - The description of the password.
    type: str

public_client_reply_urls:
    description:
    - The public client redirect urls.
    - Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0
      request.
    - The value does not need to be a physical endpoint, but must be a valid URI.
    elements: str
    type: list

available_to_other_tenants:
    description:
    - (Deprecated) The application can be used from any Azure AD tenant.
    - This parameter was not supported after the migration to Microsoft Graph and was
      replaced by I(sign_in_audience).
    - It will be deprecated in the next version (V3.0.0).
    type: bool

disable_instance_discovery:
    default: false
    description:
    - Determines whether or not instance discovery is performed when attempting to authenticate.
      Setting this to true will completely disable both instance discovery and authority
      validation. This functionality is intended for use in scenarios where the metadata
      endpoint cannot be reached such as in private clouds or Azure Stack. The process
      of instance discovery entails retrieving authority metadata from https://login.microsoft.com/
      to validate the authority. By setting this to **True**, the validation of the authority
      is disabled. As a result, it is crucial to ensure that the configured authority
      host is valid and trustworthy.
    - Set via credential file profile or the C(AZURE_DISABLE_INSTANCE_DISCOVERY) environment
      variable.
    type: bool
    version_added: 2.3.0
    version_added_collection: azure.azcollection

oauth2_allow_implicit_flow:
    description:
    - Whether to allow implicit grant flow for OAuth2.
    type: bool

required_resource_accesses:
    description:
    - Resource scopes and roles the application requires access to.
    - Should be in manifest json format.
    elements: dict
    suboptions:
      resource_access:
        description:
        - The OAuth2 permission scopes (delegated permissions) and app roles (application
          permissions) that the application requires from the resource.
        elements: dict
        suboptions:
          id:
            description:
            - The unique identifier for one of the oauth2PermissionScopes or appRole instances
              that the resource application exposes.
            type: str
          type:
            description:
            - Specifies whether the id property references an oauth2PermissionScopes or
              an appRole.
            - Possible values are Scope or Role.
            type: str
        type: list
      resource_app_id:
        description:
        - The unique identifier for the resource that the application requires access
          to.
        - This should be equal to the appId declared on the target resource application.
        type: str
    type: list
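An added example, not from the module's own documentation, that puts the parameters above together: a single-tenant registration that declares one application-only app role, requests one delegated scope from a resource application, keeps the implicit grant disabled, and then walks through the two-step disable-before-remove sequence the I(is_enabled) description requires. The redirect URI, role name and scope name are constructed for the example; the I(resource_app_id) and I(resource_access) I(id) values are placeholders to be replaced with the appId of the target resource and the id of the scope it exposes.

```yaml
# Added example, not from the module's own documentation.
# Step 1: register a single-tenant application with least-privilege settings:
#   one application-only app role, one delegated scope on a resource
#   application, and the OAuth2 implicit grant left disabled.
- name: Register a single-tenant application with an app role and required resource access
  azure.azcollection.azure_rm_adapplication:
    display_name: "{{ display_name }}"
    sign_in_audience: AzureADMyOrg          # only accounts from this tenant can sign in
    oauth2_allow_implicit_flow: false       # no tokens issued straight from the authorize endpoint
    web_reply_urls:
      - https://app.example.com/signin-oidc # constructed: one exact redirect URI, no wildcard
    app_roles:
      - display_name: Report readers
        description: Allows the caller to read reports
        value: Reports.Read                 # lands in the roles claim; spaces are not allowed
        allowed_member_types:
          - Application                     # application permission, not assignable to users
        is_enabled: true
    required_resource_accesses:
      - resource_app_id: 00000000-0000-0000-0000-000000000000   # placeholder: appId of the resource application
        resource_access:
          - id: 00000000-0000-0000-0000-000000000000            # placeholder: id of the scope that resource exposes
            type: Scope                                         # delegated permission; Role would request an application permission
  register: app

- name: Record the ids the module returns
  ansible.builtin.debug:
    msg: "app_id={{ app.output.app_id }} object_id={{ app.output.object_id }}"

# Step 2 (when retiring the role): is_enabled must be false before the role
# can be dropped; a later run that omits it from app_roles then removes it.
- name: Disable the app role before removing it
  azure.azcollection.azure_rm_adapplication:
    display_name: "{{ display_name }}"
    app_id: "{{ app.output.app_id }}"
    app_roles:
      - display_name: Report readers
        description: Allows the caller to read reports
        value: Reports.Read
        allowed_member_types:
          - Application
        is_enabled: false
```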

Outputs

output:
  contains:
    app_id:
      description:
      - The application ID.
      returned: always
      sample: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      type: str
    available_to_other_tenants:
      description:
      - The application can be used from any Azure AD tenant.
      returned: always
      sample: AzureADandPersonalMicrosoftAccount
      type: str
    display_name:
      description:
      - Object's display name or its prefix.
      returned: always
      sample: fredAKSCluster
      type: str
    homepage:
      description:
      - The url where users can sign in and use your app.
      returned: always
      sample: null
      type: str
    identifier_uris:
      description:
      - Space-separated unique URIs that Azure AD can use for this app.
      returned: always
      sample: []
      type: list
    oauth2_allow_implicit_flow:
      description:
      - Whether to allow implicit grant flow for OAuth2.
      returned: always
      sample: false
      type: bool
    object_id:
      description:
      - Object ID of the application
      returned: always
      sample: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      type: str
    optional_claims:
      description:
      - The optional claims for the application.
      returned: always
      sample: []
      type: list
    public_client_reply_urls:
      description:
      - The public client redirect urls.
      - Space-separated URIs to which Azure AD will redirect in response to an OAuth
        2.0 request.
      returned: always
      sample: []
      type: list
    sign_in_audience:
      description:
      - The application can be used from any Azure AD tenant.
      returned: always
      sample: AzureADandPersonalMicrosoftAccount
      type: str
    spa_reply_urls:
      description:
      - The spa redirect urls.
      - Space-separated URIs to which Azure AD will redirect in response to an OAuth
        2.0 request.
      returned: always
      sample: []
      type: list
    web_reply_urls:
      description:
      - The web redirect urls.
      - Space-separated URIs to which Azure AD will redirect in response to an OAuth
        2.0 request.
      returned: always
      sample: []
      type: list
  description:
  - Current state of the adapplication.
  returned: always
  type: complex

See also