azure.azcollection.azure_rm_adapplication module – Manage Azure Active Directory application
Note
This module is part of the azure.azcollection collection (version 3.1.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install azure.azcollection
You need further requirements to be able to use this module; see Requirements for details.
To use it in a playbook, specify: azure.azcollection.azure_rm_adapplication
New in azure.azcollection 1.6.0
Synopsis
Manage Azure Active Directory application.
Requirements
The requirements below are needed on the host that executes this module.
- python >= 2.7
- The host that executes this module must have the azure.azcollection collection installed via galaxy.
- All python packages listed in the collection's requirements.txt must be installed via pip on the host that executes modules from azure.azcollection.
Full installation instructions may be found at https://galaxy.ansible.com/azure/azcollection
Parameters
- Active Directory username. Use when authenticating with an Active Directory user rather than a service principal.
- Azure AD authority URL. Use when authenticating with username/password against your own ADFS authority.
- A property on the application that indicates whether the application accepts other IDPs, does not accept them, or partially accepts them.
- Selects an API profile to use when communicating with Azure services.
- Application ID.
- Declare the roles you want to associate with your application.
  - Specifies who this app role can be assigned to: users and groups (allowed_member_types=User), other applications (allowed_member_types=Application), or both.
  - The description for the app role. It is displayed when the app role is being assigned and, if the app role functions as an application permission, during consent experiences.
  - Display name for the permission that appears in the app role assignment and consent experiences.
  - When creating or updating an app role, this must be set to true (the default). To delete a role, it must first be set to false; in a subsequent call the role may then be removed.
  - Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal. Must not exceed 120 characters in length. A restricted set of punctuation characters such as ! is allowed; any other character, including the space character, is not.
- Controls the source of the credentials to use for authentication. Can also be set via an environment variable.
- Controls the certificate validation behavior for Azure endpoints. By default, all modules validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior with this option.
- Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi). Can also be set via an environment variable.
- For cloud environments other than the US public cloud, the environment name as defined by the Azure Python SDK.
- The description of the password.
- Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true completely disables both instance discovery and authority validation. This functionality is intended for scenarios where the metadata endpoint cannot be reached, such as private clouds or Azure Stack. Instance discovery retrieves authority metadata from https://login.microsoft.com/ to validate the authority; setting this to true disables that validation, so it is crucial to ensure that the configured authority host is valid and trustworthy. Can be set via a credential file profile or an environment variable.
- The display name of the application.
- Date or datetime after which credentials expire (e.g. '2017-12-31'). Default value is one year after the current time.
- The URL where users can sign in and use your app.
- Space-separated unique URIs that Azure AD can use for this app.
- The type of the key credentials associated with the application.
- The usage of the key credentials associated with the application.
- The value for the key credentials associated with the application.
- Parent argument.
- Parent argument.
- An application which can be installed on a user's device or computer.
- Whether to allow the implicit grant flow for OAuth2.
- Declare the optional claims for the application.
  - The optional claims returned in the JWT access token.
    - Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
    - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
    - The name of the optional claim.
    - The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
  - The optional claims returned in the JWT ID token.
    - Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
    - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
    - The name of the optional claim.
    - The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
  - The optional claims returned in the SAML token.
    - Additional properties of the claim. If a property exists in this collection, it modifies the behavior of the optional claim specified in the name property.
    - If the value is true, the claim specified by the client is necessary to ensure a smooth authorization experience for the specific task requested by the end user. The default value is false.
    - The name of the optional claim.
    - The source (directory object) of the claim. There are predefined claims and user-defined claims from extension properties. If the source value is null, the claim is a predefined optional claim. If the source value is user, the value in the name property is the extension property from the user object.
- App password, aka 'client secret'.
- Security profile found in the ~/.azure/credentials file.
- The public client redirect URLs. Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. The value does not need to be a physical endpoint, but must be a valid URI.
- Resource scopes and roles the application requires access to. Should be in manifest JSON format.
  - The description of the app role.
    - The unique identifier for one of the oauth2PermissionScopes or appRole instances that the resource application exposes.
    - Specifies whether the id property references an oauth2PermissionScopes or an appRole. Possible values are Scope or Role.
  - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
- Azure client secret. Use when authenticating with a Service Principal.
- The application can be used from any Azure AD tenant. The Microsoft Graph SDK deprecates available_to_other_tenants in favour of sign_in_audience; see https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-property-differences#application-property-differences
- The SPA redirect URLs. Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. The value does not need to be a physical endpoint, but must be a valid URI.
- Date or datetime at which credentials become valid, such as '2017-01-01'. Default value is the current time.
- Assert the state of the Active Directory service principal.
- Your Azure subscription ID.
- Azure tenant ID. Use when authenticating with a Service Principal.
- The thumbprint of the private key specified in x509_certificate_path. Use when authenticating with a Service Principal. Required if x509_certificate_path is defined.
- The web redirect URLs. Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. The value does not need to be a physical endpoint, but must be a valid URI.
- Path to the X509 certificate used to create the service principal, in PEM format. The certificate must be appended to the private key. Use when authenticating with a Service Principal.
Notes
Note
For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login. Authentication is also possible using a service principal or Active Directory user.
To authenticate via service principal, pass subscription_id, client_id, secret and tenant, or set the environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.
To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.
Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant, or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.
See Also
- Sign in with Azure CLI: how to authenticate using the az login command.
Examples
- name: Create ad application
  azure_rm_adapplication:
    display_name: "{{ display_name }}"

- name: Create ad application with multi redirect urls
  azure_rm_adapplication:
    display_name: "{{ display_name }}"
    web_reply_urls:
      - https://web01.com
    spa_reply_urls:
      - https://spa01.com
      - https://spa02.com
    public_client_reply_urls:
      - https://public01.com
      - https://public02.com

- name: Create application with more parameter
  azure_rm_adapplication:
    display_name: "{{ display_name }}"
    sign_in_audience: AzureADandPersonalMicrosoftAccount
    credential_description: "for test"
    end_date: 2021-10-01
    start_date: 2021-05-18
    identifier_uris: fredtest02.com

- name: delete ad application
  azure_rm_adapplication:
    app_id: "{{ app_id }}"
    state: absent
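As an added example that is not part of the collection's documentation, the playbook below combines the parameters described above into a registration with conservative defaults: a single-tenant sign-in audience, the implicit grant flow disabled, HTTPS-only redirect URIs, a short-lived client secret, an app role restricted to application identities, a single delegated Microsoft Graph scope, and only the optional claims the app consumes. It then asserts on the module's return values so that drift from that baseline fails the run. The display name, URIs, dates and role are constructed sample values. Parameter and return-key names that do not appear on this page (oauth2_allow_implicit_flow, app_roles and its sub-keys other than allowed_member_types, optional_claims and its sub-keys, required_resource_accesses, resource_app_id, resource_access) are assumed from the module's argument spec and should be confirmed with ansible-doc azure.azcollection.azure_rm_adapplication; the Microsoft Graph appId and User.Read scope id are the published well-known values, not values from this page.

```yaml
# Added example, not code from the azure.azcollection documentation.
# Parameter names not shown on this page are assumptions taken from the
# module's argument spec; verify with:
#   ansible-doc azure.azcollection.azure_rm_adapplication
- name: Register a hardened Azure AD application
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    app_display_name: payroll-api-prod            # constructed sample name
    # Well-known Microsoft Graph values (not page-specific): the Graph resource
    # appId and the delegated User.Read scope id. Confirm them in your tenant.
    graph_app_id: 00000003-0000-0000-c000-000000000000
    graph_user_read_scope_id: e1fe6dd8-ba31-4d61-89e7-88639da4683d
  tasks:
    - name: Create or update the application
      azure.azcollection.azure_rm_adapplication:
        display_name: "{{ app_display_name }}"
        # Single tenant only; sign_in_audience replaces the deprecated
        # available_to_other_tenants (see the parameter notes above).
        sign_in_audience: AzureADMyOrg
        # The implicit grant returns tokens in the URL fragment; keep it off and
        # let the SPA use the authorization-code flow with PKCE instead.
        oauth2_allow_implicit_flow: false          # assumed parameter name
        web_reply_urls:
          - https://payroll.example.com/signin-oidc   # constructed, HTTPS only
        spa_reply_urls:
          - https://payroll.example.com/spa/callback  # constructed
        identifier_uris:
          - api://payroll-api-prod                    # constructed
        # Short-lived client secret: rotate before end_date (constructed dates).
        credential_description: "ci-rotated secret"
        start_date: 2025-01-01
        end_date: 2025-04-01
        # App role consumed by the API; only application identities may hold it,
        # so a compromised user account cannot be assigned it by mistake.
        app_roles:                                  # assumed parameter name
          - allowed_member_types:
              - Application
            description: "Read payroll summaries"
            display_name: "Payroll.Read.All"
            is_enabled: true
            value: Payroll.Read.All
        # Request only the smallest delegated Graph permission the app needs.
        required_resource_accesses:                 # assumed parameter name
          - resource_app_id: "{{ graph_app_id }}"
            resource_access:
              - id: "{{ graph_user_read_scope_id }}"
                type: Scope
        # Emit only the claims the app consumes; every extra claim widens what a
        # leaked token reveals about the user or session.
        optional_claims:                            # assumed parameter name
          id_token:
            - name: sid
              essential: false
          access_token:
            - name: idtyp
              essential: false
      register: app

    - name: Fail the run if the registration does not meet the baseline
      ansible.builtin.assert:
        that:
          # Return keys below are assumed from the module's return spec.
          - not app.oauth2_allow_implicit_flow
          - "app.web_reply_urls | reject('match', '^https://') | list | length == 0"
          - "app.spa_reply_urls | reject('match', '^https://') | list | length == 0"
        fail_msg: "Application {{ app.app_id }} does not meet the registration baseline"
```

The final assert turns the registration baseline into a failing task rather than a review item: if someone later re-runs the play with an http:// redirect URI or re-enables the implicit grant, the play stops instead of silently converging to the weaker state.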
Return Values
Common return values are documented here; the following are the fields unique to this module:
- The application ID. Returned: always
- Object's display name or its prefix. Returned: always
- The URL where users can sign in and use your app. Returned: always
- Space-separated unique URIs that Azure AD can use for this app. Returned: always
- Whether the implicit grant flow for OAuth2 is allowed. Returned: always
- Object ID of the application. Returned: always
- The optional claims declared for the application. Returned: always
  - The optional claims returned in the JWT access token. Returned: always
  - The optional claims returned in the JWT ID token. Returned: always
  - The optional claims returned in the SAML token. Returned: always
- The public client redirect URLs. Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. Returned: always
- Whether the application can be used from any Azure AD tenant. Returned: always
- The SPA redirect URLs. Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. Returned: always
- The web redirect URLs. Space-separated URIs to which Azure AD will redirect in response to an OAuth 2.0 request. Returned: always