AccessPolicy is the Schema for the AccessPolicys API.
Type
CRD
Group
conditionalaccess.azuread.upbound.io
Version
v1beta1
apiVersion: conditionalaccess.azuread.upbound.io/v1beta1
kind: AccessPolicy
AccessPolicySpec defines the desired state of AccessPolicy
No description provided.
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
A list of service principal IDs explicitly excluded in the policy.
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
A locations block as documented below, which specifies locations included in and excluded from the policy.
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
A list of group IDs excluded from scope of policy.
A list of role IDs excluded from scope of policy.
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
A list of group IDs in scope of policy unless explicitly excluded.
A list of role IDs in scope of policy unless explicitly excluded.
A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
List of custom controls IDs required by the policy.
List of terms of use IDs required by the policy.
A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler.
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
A list of service principal IDs explicitly excluded in the policy.
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
A locations block as documented below, which specifies locations included in and excluded from the policy.
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
A list of group IDs excluded from scope of policy.
A list of role IDs excluded from scope of policy.
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
A list of group IDs in scope of policy unless explicitly excluded.
A list of role IDs in scope of policy unless explicitly excluded.
A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
List of custom controls IDs required by the policy.
List of terms of use IDs required by the policy.
A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
THIS IS AN ALPHA FIELD. Do not use it in production. It is not honored unless the relevant Crossplane feature flag is enabled, and may be changed or removed without notice. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. providerConfigRef
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
AccessPolicyStatus defines the observed state of AccessPolicy.
No description provided.
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
An client_applications block as documented below, which specifies service principals included in and excluded from the policy.
A list of service principal IDs explicitly excluded in the policy.
A list of service principal IDs explicitly included in the policy. Can be set to ServicePrincipalsInMyTenant to include all service principals. This is mandatory value when at least one excluded_service_principals is set.
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
A locations block as documented below, which specifies locations included in and excluded from the policy.
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of service principal sign-in risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue.
A list of user sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
A list of group IDs excluded from scope of policy.
A list of role IDs excluded from scope of policy.
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
A list of group IDs in scope of policy unless explicitly excluded.
A list of role IDs in scope of policy unless explicitly excluded.
A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
List of custom controls IDs required by the policy.
List of terms of use IDs required by the policy.
A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
Conditions of the resource.
example
apiVersion: conditionalaccess.azuread.upbound.io/v1beta1
kind: AccessPolicy
metadata:
annotations:
meta.upbound.io/example-id: conditionalaccess/v1beta1/accesspolicy
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
conditions:
- applications:
- excludedApplications: []
includedApplications:
- All
clientAppTypes:
- all
devices:
- filter:
- mode: exclude
rule: device.operatingSystem eq "Doors"
locations:
- excludedLocations:
- AllTrusted
includedLocations:
- All
platforms:
- excludedPlatforms:
- iOS
includedPlatforms:
- android
signInRiskLevels:
- medium
userRiskLevels:
- medium
users:
- excludedUsers:
- GuestsOrExternalUsers
includedUsers:
- All
displayName: example policy
grantControls:
- builtInControls:
- mfa
operator: OR
sessionControls:
- applicationEnforcedRestrictionsEnabled: true
cloudAppSecurityPolicy: monitorOnly
signInFrequency: 10
signInFrequencyPeriod: hours
state: disabled
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.