AccessPolicy is the Schema for the AccessPolicys API.
Type
CRD
Group
conditionalaccess.azuread.upbound.io
Version
v1beta1
apiVersion: conditionalaccess.azuread.upbound.io/v1beta1
kind: AccessPolicy
AccessPolicySpec defines the desired state of AccessPolicy
No description provided.
A conditions block as documented below, which specifies the rules that must be met for the policy to apply.
An applications block as documented below, which specifies applications and user actions included in and excluded from the policy.
A list of application IDs explicitly excluded from the policy. Can also be set to Office365.
A list of application IDs the policy applies to, unless explicitly excluded (in excluded_applications). Can also be set to All, None or Office365. Cannot be specified with included_user_actions. One of included_applications or included_user_actions must be specified.
A list of user actions to include. Supported values are urn:user:registerdevice and urn:user:registersecurityinfo. Cannot be specified with included_applications. One of included_applications or included_user_actions must be specified.
A list of client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported and other.
A devices block as documented below, which describes devices to be included in and excluded from the policy. A devices block can be added to an existing policy, but removing the devices block forces a new resource to be created.
A locations block as documented below, which specifies locations included in and excluded from the policy.
A list of location IDs excluded from scope of policy. Can also be set to AllTrusted.
A list of location IDs in scope of policy unless explicitly excluded. Can also be set to All, or AllTrusted.
A platforms block as documented below, which specifies platforms included in and excluded from the policy.
A list of platforms explicitly excluded from the policy. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of platforms the policy applies to, unless explicitly excluded. Possible values are: all, android, iOS, linux, macOS, windows, windowsPhone or unknownFutureValue.
A list of sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A list of user risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue.
A users block as documented below, which specifies users, groups, and roles included in and excluded from the policy.
A list of group IDs excluded from scope of policy.
A list of role IDs excluded from scope of policy.
A list of user IDs excluded from scope of policy and/or GuestsOrExternalUsers.
A list of group IDs in scope of policy unless explicitly excluded.
A list of role IDs in scope of policy unless explicitly excluded.
A list of user IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers.
A grant_controls block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
List of built-in controls required by the policy. Possible values are: block, mfa, approvedApplication, compliantApplication, compliantDevice, domainJoinedDevice, passwordChange or unknownFutureValue.
List of custom controls IDs required by the policy.
List of terms of use IDs required by the policy.
A session_controls block as documented below, which specifies the session controls that are enforced after sign-in.
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. providerConfigRef
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
AccessPolicyStatus defines the observed state of AccessPolicy.
No description provided.
Conditions of the resource.
example
apiVersion: conditionalaccess.azuread.upbound.io/v1beta1
kind: AccessPolicy
metadata:
annotations:
meta.upbound.io/example-id: conditionalaccess/v1beta1/accesspolicy
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
conditions:
- applications:
- excludedApplications: []
includedApplications:
- All
clientAppTypes:
- all
devices:
- filter:
- mode: exclude
rule: device.operatingSystem eq "Doors"
locations:
- excludedLocations:
- AllTrusted
includedLocations:
- All
platforms:
- excludedPlatforms:
- iOS
includedPlatforms:
- android
signInRiskLevels:
- medium
userRiskLevels:
- medium
users:
- excludedUsers:
- GuestsOrExternalUsers
includedUsers:
- All
displayName: example policy
grantControls:
- builtInControls:
- mfa
operator: OR
sessionControls:
- applicationEnforcedRestrictionsEnabled: true
cloudAppSecurityPolicy: monitorOnly
signInFrequency: 10
signInFrequencyPeriod: hours
state: disabled