Application is the Schema for the Applications API.
Type
CRD
Group
applications.azuread.upbound.io
Version
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
ApplicationSpec defines the desired state of Application
No description provided.
An api block as documented below, which configures API related settings for this application.
A set of application IDs (client IDs), used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app
One or more oauth2_permission_scope blocks as documented below, to describe delegated permissions exposed by the web API represented by this application.
One or more oauth2_permission_scope
blocks to describe delegated permissions exposed by the web API represented by this application
A collection of app_role blocks as documented below. For more information see official documentation on Application Roles.
Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in a standalone scenario) by setting to Application, or to both.
Specifies whether this app role definition can be assigned to users and groups by setting to User
, or to other applications (that are accessing this application in a standalone scenario) by setting to Application
, or to both
A feature_tags block as described below. Cannot be used together with the tags property. Block of features to configure for this application using tags
Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.
Configures the groups
claim issued in a user or OAuth 2.0 access token that the app expects
A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. The user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant
An optional_claims block as documented below.
One or more access_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
One or more id_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
One or more saml2_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
A set of object IDs of principals that will be granted ownership of the application. Supported object types are users or service principals. By default, no owners are assigned. A list of object IDs of principals that will be granted ownership of the application
A public_client block as documented below, which configures non-web app or non-web API application settings, for example mobile or other public clients such as an installed application running on a desktop device.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid https or ms-appx-web URL. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
A collection of required_resource_access blocks as documented below.
A single_page_application block as documented below, which configures single-page application (SPA) related settings for this application.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid https URL. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
A set of tags to apply to the application for configuring specific behaviours of the application and linked service principals. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block. A set of tags to apply to the application
A web block as documented below, which configures web related settings for this application.
An implicit_grant block as documented above.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid http URL or a URN. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
THIS IS A BETA FIELD. It will be honored unless the Management Policies feature flag is disabled. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation, but we do not desire to update them after creation, for example because of an external controller is managing them, like an autoscaler.
An api block as documented below, which configures API related settings for this application.
A set of application IDs (client IDs), used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app
One or more oauth2_permission_scope blocks as documented below, to describe delegated permissions exposed by the web API represented by this application.
One or more oauth2_permission_scope
blocks to describe delegated permissions exposed by the web API represented by this application
A collection of app_role blocks as documented below. For more information see official documentation on Application Roles.
Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in a standalone scenario) by setting to Application, or to both.
Specifies whether this app role definition can be assigned to users and groups by setting to User
, or to other applications (that are accessing this application in a standalone scenario) by setting to Application
, or to both
A feature_tags block as described below. Cannot be used together with the tags property. Block of features to configure for this application using tags
Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.
Configures the groups
claim issued in a user or OAuth 2.0 access token that the app expects
A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. The user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant
An optional_claims block as documented below.
One or more access_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
One or more id_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
One or more saml2_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
A set of object IDs of principals that will be granted ownership of the application. Supported object types are users or service principals. By default, no owners are assigned. A list of object IDs of principals that will be granted ownership of the application
A public_client block as documented below, which configures non-web app or non-web API application settings, for example mobile or other public clients such as an installed application running on a desktop device.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid https or ms-appx-web URL. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
A collection of required_resource_access blocks as documented below.
A single_page_application block as documented below, which configures single-page application (SPA) related settings for this application.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid https URL. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
A set of tags to apply to the application for configuring specific behaviours of the application and linked service principals. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block. A set of tags to apply to the application
A web block as documented below, which configures web related settings for this application.
An implicit_grant block as documented above.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid http URL or a URN. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
THIS IS A BETA FIELD. It is on by default but can be opted out through a Crossplane feature flag. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
ApplicationStatus defines the observed state of Application.
No description provided.
An api block as documented below, which configures API related settings for this application.
A set of application IDs (client IDs), used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app. Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app
One or more oauth2_permission_scope blocks as documented below, to describe delegated permissions exposed by the web API represented by this application.
One or more oauth2_permission_scope
blocks to describe delegated permissions exposed by the web API represented by this application
A collection of app_role blocks as documented below. For more information see official documentation on Application Roles.
Specifies whether this app role definition can be assigned to users and groups by setting to User, or to other applications (that are accessing this application in a standalone scenario) by setting to Application, or to both.
Specifies whether this app role definition can be assigned to users and groups by setting to User
, or to other applications (that are accessing this application in a standalone scenario) by setting to Application
, or to both
A feature_tags block as described below. Cannot be used together with the tags property. Block of features to configure for this application using tags
Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects. Possible values are None, SecurityGroup, DirectoryRole, ApplicationGroup or All.
Configures the groups
claim issued in a user or OAuth 2.0 access token that the app expects
A set of user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant. The user-defined URI(s) that uniquely identify an application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant
An optional_claims block as documented below.
One or more access_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
One or more id_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
One or more saml2_token blocks as documented below.
List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: cloud_displayname, dns_domain_and_sam_account_name, emit_as_roles, include_externally_authenticated_upn_without_hash, include_externally_authenticated_upn, max_size_limit, netbios_domain_and_sam_account_name, on_premise_security_identifier, sam_account_name, and use_guid. List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim
A set of object IDs of principals that will be granted ownership of the application. Supported object types are users or service principals. By default, no owners are assigned. A list of object IDs of principals that will be granted ownership of the application
A public_client block as documented below, which configures non-web app or non-web API application settings, for example mobile or other public clients such as an installed application running on a desktop device.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid https or ms-appx-web URL. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
A collection of required_resource_access blocks as documented below.
A single_page_application block as documented below, which configures single-page application (SPA) related settings for this application.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid https URL. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
A set of tags to apply to the application for configuring specific behaviours of the application and linked service principals. Note that these are not provided for use by practitioners. Cannot be used together with the feature_tags block. A set of tags to apply to the application
A web block as documented below, which configures web related settings for this application.
An implicit_grant block as documented above.
A set of URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent. Must be a valid http URL or a URN. The URLs where user tokens are sent for sign-in, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent
Conditions of the resource.
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: app/v1beta1/roleassignment
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
requiredResourceAccess:
- resourceAccess:
- id: df021288-bdef-4463-88db-98f22de89214
type: Role
- id: b4e74841-8e56-480b-be8b-910348b18b4c
type: Scope
resourceAppId: 00000003-0000-0000-c000-000000000000
example-authorizing-app
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: applications/v1beta1/preauthorized
labels:
testing.upbound.io/example-name: example-authorizing-app
name: example-authorizing-app
spec:
forProvider:
api:
- oauth2PermissionScope:
- adminConsentDescription: Administer the application
adminConsentDisplayName: Administer
enabled: true
id: ced9c4c3-c273-4f0f-ac71-a20377b90f9c
type: Admin
value: administer
- adminConsentDescription: Access the application
adminConsentDisplayName: Access
enabled: true
id: 2d5e07ca-664d-4d9b-ad61-ec07fd215213
type: User
userConsentDescription: Access the application
userConsentDisplayName: Access
value: user_impersonation
displayName: example-authorizing-app
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: serviceprincipals/v1beta1/claimsmappingpolicyassignment
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: serviceprincipals/v1beta1/password
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: serviceprincipals/v1beta1/certificate
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: serviceprincipals/v1beta1/tokensigningcertificate
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: applications/v1beta1/federatedidentitycredential
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: serviceprincipaldelegated/v1beta1/permissiongrant
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
requiredResourceAccess:
- resourceAccess:
- id: 37f7f235-527c-4136-accd-4a02d197296e
type: Scope
- id: e1fe6dd8-ba31-4d61-89e7-88639da4683d
type: Scope
resourceAppId: 00000003-0000-0000-c000-000000000000
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: synchronization/v1beta1/job
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
featureTags:
- enterprise: true
gallery: true
templateId: 9c9818d2-2900-49e8-8ba4-22688be7c675
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: serviceprincipals/v1beta1/principal
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: applications/v1beta1/password
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example-authorized-app
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: applications/v1beta1/preauthorized
labels:
testing.upbound.io/example-name: example-authorized-app
name: example-authorized-app
spec:
forProvider:
displayName: example-authorized-app
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: applications/v1beta1/certificate
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
example
apiVersion: applications.azuread.upbound.io/v1beta1
kind: Application
metadata:
annotations:
meta.upbound.io/example-id: synchronization/v1beta1/secret
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
displayName: example
featureTags:
- enterprise: true
gallery: true
templateId: 9c9818d2-2900-49e8-8ba4-22688be7c675
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.