azure.graphrbac.models module¶
-
exception
azure.graphrbac.models.
GraphErrorException
(deserialize, response, *args)[source]¶ Bases:
msrest.exceptions.HttpOperationError
Server responsed with exception of type: ‘GraphError’.
Parameters: - deserialize – A deserializer
- response – Server response to be deserialized.
-
class
azure.graphrbac.models.
InformationalUrl
(*, terms_of_service: str = None, marketing: str = None, privacy: str = None, support: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Represents a group of URIs that provide terms of service, marketing, support and privacy policy information about an application. The default value for each string is null.
Parameters: - terms_of_service (str) – The terms of service URI
- marketing (str) – The marketing URI
- privacy (str) – The privacy policy URI
- support (str) – The support URI
-
class
azure.graphrbac.models.
OAuth2Permission
(*, admin_consent_description: str = None, admin_consent_display_name: str = None, id: str = None, is_enabled: bool = None, type: str = None, user_consent_description: str = None, user_consent_display_name: str = None, value: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Represents an OAuth 2.0 delegated permission scope. The specified OAuth 2.0 delegated permission scopes may be requested by client applications (through the requiredResourceAccess collection on the Application object) when calling a resource application. The oauth2Permissions property of the ServicePrincipal entity and of the Application entity is a collection of OAuth2Permission.
Parameters: - admin_consent_description (str) – Permission help text that appears in the admin consent and app assignment experiences.
- admin_consent_display_name (str) – Display name for the permission that appears in the admin consent and app assignment experiences.
- id (str) – Unique scope permission identifier inside the oauth2Permissions collection.
- is_enabled (bool) – When creating or updating a permission, this property must be set to true (which is the default). To delete a permission, this property must first be set to false. At that point, in a subsequent call, the permission may be removed.
- type (str) – Specifies whether this scope permission can be consented to by an end user, or whether it is a tenant-wide permission that must be consented to by a Company Administrator. Possible values are “User” or “Admin”.
- user_consent_description (str) – Permission help text that appears in the end user consent experience.
- user_consent_display_name (str) – Display name for the permission that appears in the end user consent experience.
- value (str) – The value of the scope claim that the resource application should expect in the OAuth 2.0 access token.
-
class
azure.graphrbac.models.
OptionalClaim
(*, name: str = None, source: str = None, essential: bool = None, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Specifying the claims to be included in a token.
Parameters: - name (str) – Claim name.
- source (str) – Claim source.
- essential (bool) – Is this a required claim.
- additional_properties (object) –
-
class
azure.graphrbac.models.
OptionalClaims
(*, id_token=None, access_token=None, saml_token=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Specifying the claims to be included in the token.
Parameters: - id_token (list[OptionalClaim]) – Optional claims requested to be included in the id token.
- access_token (list[OptionalClaim]) – Optional claims requested to be included in the access token.
- saml_token (list[OptionalClaim]) – Optional claims requested to be included in the saml token.
-
class
azure.graphrbac.models.
PreAuthorizedApplicationPermission
(*, direct_access_grant: bool = None, access_grants=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Contains information about the pre-authorized permissions.
Parameters: - direct_access_grant (bool) – Indicates whether the permission set is DirectAccess or impersonation.
- access_grants (list[str]) – The list of permissions.
-
class
azure.graphrbac.models.
PreAuthorizedApplicationExtension
(*, conditions=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Representation of an app PreAuthorizedApplicationExtension required by a pre authorized client app.
Parameters: conditions (list[str]) – The extension’s conditions.
-
class
azure.graphrbac.models.
PreAuthorizedApplication
(*, app_id: str = None, permissions=None, extensions=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Contains information about pre authorized client application.
Parameters: - app_id (str) – Represents the application id.
- permissions (list[PreAuthorizedApplicationPermission]) – Collection of required app permissions/entitlements from the resource application.
- extensions (list[PreAuthorizedApplicationExtension]) – Collection of extensions from the resource application.
-
class
azure.graphrbac.models.
GraphError
(*, code: str = None, message: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Active Directory error information.
Parameters: - code (str) – Error code.
- message (str) – Error message value.
-
class
azure.graphrbac.models.
DirectoryObject
(*, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Represents an Azure Active Directory object.
You probably want to use the sub-classes and not this class directly. Known sub-classes are: Application, ADGroup, ServicePrincipal, User
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- object_type (str) – Required. Constant filled by server.
Variables: - object_id (str) – The object ID.
- deletion_timestamp (datetime) – The time at which the directory object was deleted.
-
class
azure.graphrbac.models.
KeyCredential
(*, additional_properties=None, start_date=None, end_date=None, value: str = None, key_id: str = None, usage: str = None, type: str = None, custom_key_identifier: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Active Directory Key Credential information.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- start_date (datetime) – Start date.
- end_date (datetime) – End date.
- value (str) – Key value.
- key_id (str) – Key ID.
- usage (str) – Usage. Acceptable values are ‘Verify’ and ‘Sign’.
- type (str) – Type. Acceptable values are ‘AsymmetricX509Cert’ and ‘Symmetric’.
- custom_key_identifier (str) – Custom Key Identifier
-
class
azure.graphrbac.models.
PasswordCredential
(*, additional_properties=None, start_date=None, end_date=None, key_id: str = None, value: str = None, custom_key_identifier: bytearray = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Active Directory Password Credential information.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- start_date (datetime) – Start date.
- end_date (datetime) – End date.
- key_id (str) – Key ID.
- value (str) – Key value.
- custom_key_identifier (bytearray) – Custom Key Identifier
-
class
azure.graphrbac.models.
ResourceAccess
(*, id: str, additional_properties=None, type: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Specifies an OAuth 2.0 permission scope or an app role that an application requires. The resourceAccess property of the RequiredResourceAccess type is a collection of ResourceAccess.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- id (str) – Required. The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes.
- type (str) – Specifies whether the id property references an OAuth2Permission or an AppRole. Possible values are “scope” or “role”.
-
class
azure.graphrbac.models.
RequiredResourceAccess
(*, resource_access, additional_properties=None, resource_app_id: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Specifies the set of OAuth 2.0 permission scopes and app roles under the specified resource that an application requires access to. The specified OAuth 2.0 permission scopes may be requested by client applications (through the requiredResourceAccess collection) when calling a resource application. The requiredResourceAccess property of the Application entity is a collection of RequiredResourceAccess.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- resource_access (list[ResourceAccess]) – Required. The list of OAuth2.0 permission scopes and app roles that the application requires from the specified resource.
- resource_app_id (str) – The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
-
class
azure.graphrbac.models.
AppRole
(*, id: str = None, allowed_member_types=None, description: str = None, display_name: str = None, is_enabled: bool = None, value: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
AppRole.
Parameters: - id (str) – Unique role identifier inside the appRoles collection.
- allowed_member_types (list[str]) – Specifies whether this app role definition can be assigned to users and groups by setting to ‘User’, or to other applications (that are accessing this application in daemon service scenarios) by setting to ‘Application’, or to both.
- description (str) – Permission help text that appears in the admin app assignment and consent experiences.
- display_name (str) – Display name for the permission that appears in the admin consent and app assignment experiences.
- is_enabled (bool) – When creating or updating a role definition, this must be set to true (which is the default). To delete a role, this must first be set to false. At that point, in a subsequent call, this role may be removed.
- value (str) – Specifies the value of the roles claim that the application should expect in the authentication and access tokens.
-
class
azure.graphrbac.models.
ApplicationBase
(*, allow_guests_sign_in: bool = None, allow_passthrough_users: bool = None, app_logo_url: str = None, app_roles=None, app_permissions=None, available_to_other_tenants: bool = None, error_url: str = None, group_membership_claims=None, homepage: str = None, informational_urls=None, is_device_only_auth_supported: bool = None, key_credentials=None, known_client_applications=None, logout_url: str = None, oauth2_allow_implicit_flow: bool = None, oauth2_allow_url_path_matching: bool = None, oauth2_permissions=None, oauth2_require_post_response: bool = None, org_restrictions=None, optional_claims=None, password_credentials=None, pre_authorized_applications=None, public_client: bool = None, publisher_domain: str = None, reply_urls=None, required_resource_access=None, saml_metadata_url: str = None, sign_in_audience: str = None, www_homepage: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Active Directive Application common properties shared among GET, POST and PATCH.
Parameters: - allow_guests_sign_in (bool) – A property on the application to indicate if the application accepts other IDPs or not or partially accepts.
- allow_passthrough_users (bool) – Indicates that the application supports pass through users who have no presence in the resource tenant.
- app_logo_url (str) – The url for the application logo image stored in a CDN.
- app_roles (list[AppRole]) – The collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals.
- app_permissions (list[str]) – The application permissions.
- available_to_other_tenants (bool) – Whether the application is available to other tenants.
- error_url (str) – A URL provided by the author of the application to report errors when using the application.
- group_membership_claims (object) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects.
- homepage (str) – The home page of the application.
- informational_urls (InformationalUrl) – URLs with more information about the application.
- is_device_only_auth_supported (bool) – Specifies whether this application supports device authentication without a user. The default is false.
- key_credentials (list[KeyCredential]) – A collection of KeyCredential objects.
- known_client_applications (list[str]) – Client applications that are tied to this resource application. Consent to any of the known client applications will result in implicit consent to the resource application through a combined consent dialog (showing the OAuth permission scopes required by the client and the resource).
- logout_url (str) – the url of the logout page
- oauth2_allow_implicit_flow (bool) – Whether to allow implicit grant flow for OAuth2
- oauth2_allow_url_path_matching (bool) – Specifies whether during a token Request Azure AD will allow path matching of the redirect URI against the applications collection of replyURLs. The default is false.
- oauth2_permissions (list[OAuth2Permission]) – The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent.
- oauth2_require_post_response (bool) – Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed.
- org_restrictions (list[str]) – A list of tenants allowed to access application.
- optional_claims (OptionalClaims) –
- password_credentials (list[PasswordCredential]) – A collection of PasswordCredential objects
- pre_authorized_applications (list[PreAuthorizedApplication]) – list of pre-authorized applications.
- public_client (bool) – Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false.
- publisher_domain (str) – Reliable domain which can be used to identify an application.
- reply_urls (list[str]) – A collection of reply URLs for the application.
- required_resource_access (list[RequiredResourceAccess]) – Specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience.
- saml_metadata_url (str) – The URL to the SAML metadata for the application.
- sign_in_audience (str) – Audience for signing in to the application (AzureADMyOrganization, AzureADAllOrganizations, AzureADAndMicrosoftAccounts).
- www_homepage (str) – The primary Web page.
-
class
azure.graphrbac.models.
ApplicationCreateParameters
(*, display_name: str, allow_guests_sign_in: bool = None, allow_passthrough_users: bool = None, app_logo_url: str = None, app_roles=None, app_permissions=None, available_to_other_tenants: bool = None, error_url: str = None, group_membership_claims=None, homepage: str = None, informational_urls=None, is_device_only_auth_supported: bool = None, key_credentials=None, known_client_applications=None, logout_url: str = None, oauth2_allow_implicit_flow: bool = None, oauth2_allow_url_path_matching: bool = None, oauth2_permissions=None, oauth2_require_post_response: bool = None, org_restrictions=None, optional_claims=None, password_credentials=None, pre_authorized_applications=None, public_client: bool = None, publisher_domain: str = None, reply_urls=None, required_resource_access=None, saml_metadata_url: str = None, sign_in_audience: str = None, www_homepage: str = None, identifier_uris=None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.application_base_py3.ApplicationBase
Request parameters for creating a new application.
All required parameters must be populated in order to send to Azure.
Parameters: - allow_guests_sign_in (bool) – A property on the application to indicate if the application accepts other IDPs or not or partially accepts.
- allow_passthrough_users (bool) – Indicates that the application supports pass through users who have no presence in the resource tenant.
- app_logo_url (str) – The url for the application logo image stored in a CDN.
- app_roles (list[AppRole]) – The collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals.
- app_permissions (list[str]) – The application permissions.
- available_to_other_tenants (bool) – Whether the application is available to other tenants.
- error_url (str) – A URL provided by the author of the application to report errors when using the application.
- group_membership_claims (object) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects.
- homepage (str) – The home page of the application.
- informational_urls (InformationalUrl) – URLs with more information about the application.
- is_device_only_auth_supported (bool) – Specifies whether this application supports device authentication without a user. The default is false.
- key_credentials (list[KeyCredential]) – A collection of KeyCredential objects.
- known_client_applications (list[str]) – Client applications that are tied to this resource application. Consent to any of the known client applications will result in implicit consent to the resource application through a combined consent dialog (showing the OAuth permission scopes required by the client and the resource).
- logout_url (str) – the url of the logout page
- oauth2_allow_implicit_flow (bool) – Whether to allow implicit grant flow for OAuth2
- oauth2_allow_url_path_matching (bool) – Specifies whether during a token Request Azure AD will allow path matching of the redirect URI against the applications collection of replyURLs. The default is false.
- oauth2_permissions (list[OAuth2Permission]) – The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent.
- oauth2_require_post_response (bool) – Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed.
- org_restrictions (list[str]) – A list of tenants allowed to access application.
- optional_claims (OptionalClaims) –
- password_credentials (list[PasswordCredential]) – A collection of PasswordCredential objects
- pre_authorized_applications (list[PreAuthorizedApplication]) – list of pre-authorized applications.
- public_client (bool) – Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false.
- publisher_domain (str) – Reliable domain which can be used to identify an application.
- reply_urls (list[str]) – A collection of reply URLs for the application.
- required_resource_access (list[RequiredResourceAccess]) – Specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience.
- saml_metadata_url (str) – The URL to the SAML metadata for the application.
- sign_in_audience (str) – Audience for signing in to the application (AzureADMyOrganization, AzureADAllOrganizations, AzureADAndMicrosoftAccounts).
- www_homepage (str) – The primary Web page.
- display_name (str) – Required. The display name of the application.
- identifier_uris (list[str]) – A collection of URIs for the application.
-
class
azure.graphrbac.models.
ApplicationUpdateParameters
(*, allow_guests_sign_in: bool = None, allow_passthrough_users: bool = None, app_logo_url: str = None, app_roles=None, app_permissions=None, available_to_other_tenants: bool = None, error_url: str = None, group_membership_claims=None, homepage: str = None, informational_urls=None, is_device_only_auth_supported: bool = None, key_credentials=None, known_client_applications=None, logout_url: str = None, oauth2_allow_implicit_flow: bool = None, oauth2_allow_url_path_matching: bool = None, oauth2_permissions=None, oauth2_require_post_response: bool = None, org_restrictions=None, optional_claims=None, password_credentials=None, pre_authorized_applications=None, public_client: bool = None, publisher_domain: str = None, reply_urls=None, required_resource_access=None, saml_metadata_url: str = None, sign_in_audience: str = None, www_homepage: str = None, display_name: str = None, identifier_uris=None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.application_base_py3.ApplicationBase
Request parameters for updating a new application.
Parameters: - allow_guests_sign_in (bool) – A property on the application to indicate if the application accepts other IDPs or not or partially accepts.
- allow_passthrough_users (bool) – Indicates that the application supports pass through users who have no presence in the resource tenant.
- app_logo_url (str) – The url for the application logo image stored in a CDN.
- app_roles (list[AppRole]) – The collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals.
- app_permissions (list[str]) – The application permissions.
- available_to_other_tenants (bool) – Whether the application is available to other tenants.
- error_url (str) – A URL provided by the author of the application to report errors when using the application.
- group_membership_claims (object) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects.
- homepage (str) – The home page of the application.
- informational_urls (InformationalUrl) – URLs with more information about the application.
- is_device_only_auth_supported (bool) – Specifies whether this application supports device authentication without a user. The default is false.
- key_credentials (list[KeyCredential]) – A collection of KeyCredential objects.
- known_client_applications (list[str]) – Client applications that are tied to this resource application. Consent to any of the known client applications will result in implicit consent to the resource application through a combined consent dialog (showing the OAuth permission scopes required by the client and the resource).
- logout_url (str) – the url of the logout page
- oauth2_allow_implicit_flow (bool) – Whether to allow implicit grant flow for OAuth2
- oauth2_allow_url_path_matching (bool) – Specifies whether during a token Request Azure AD will allow path matching of the redirect URI against the applications collection of replyURLs. The default is false.
- oauth2_permissions (list[OAuth2Permission]) – The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent.
- oauth2_require_post_response (bool) – Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed.
- org_restrictions (list[str]) – A list of tenants allowed to access application.
- optional_claims (OptionalClaims) –
- password_credentials (list[PasswordCredential]) – A collection of PasswordCredential objects
- pre_authorized_applications (list[PreAuthorizedApplication]) – list of pre-authorized applications.
- public_client (bool) – Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false.
- publisher_domain (str) – Reliable domain which can be used to identify an application.
- reply_urls (list[str]) – A collection of reply URLs for the application.
- required_resource_access (list[RequiredResourceAccess]) – Specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience.
- saml_metadata_url (str) – The URL to the SAML metadata for the application.
- sign_in_audience (str) – Audience for signing in to the application (AzureADMyOrganization, AzureADAllOrganizations, AzureADAndMicrosoftAccounts).
- www_homepage (str) – The primary Web page.
- display_name (str) – The display name of the application.
- identifier_uris (list[str]) – A collection of URIs for the application.
-
class
azure.graphrbac.models.
Application
(*, additional_properties=None, app_id: str = None, allow_guests_sign_in: bool = None, allow_passthrough_users: bool = None, app_logo_url: str = None, app_roles=None, app_permissions=None, available_to_other_tenants: bool = None, display_name: str = None, error_url: str = None, group_membership_claims=None, homepage: str = None, identifier_uris=None, informational_urls=None, is_device_only_auth_supported: bool = None, key_credentials=None, known_client_applications=None, logout_url: str = None, oauth2_allow_implicit_flow: bool = None, oauth2_allow_url_path_matching: bool = None, oauth2_permissions=None, oauth2_require_post_response: bool = None, org_restrictions=None, optional_claims=None, password_credentials=None, pre_authorized_applications=None, public_client: bool = None, publisher_domain: str = None, reply_urls=None, required_resource_access=None, saml_metadata_url: str = None, sign_in_audience: str = None, www_homepage: str = None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.directory_object_py3.DirectoryObject
Active Directory application information.
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- object_type (str) – Required. Constant filled by server.
- app_id (str) – The application ID.
- allow_guests_sign_in (bool) – A property on the application to indicate if the application accepts other IDPs or not or partially accepts.
- allow_passthrough_users (bool) – Indicates that the application supports pass through users who have no presence in the resource tenant.
- app_logo_url (str) – The url for the application logo image stored in a CDN.
- app_roles (list[AppRole]) – The collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals.
- app_permissions (list[str]) – The application permissions.
- available_to_other_tenants (bool) – Whether the application is available to other tenants.
- display_name (str) – The display name of the application.
- error_url (str) – A URL provided by the author of the application to report errors when using the application.
- group_membership_claims (object) – Configures the groups claim issued in a user or OAuth 2.0 access token that the app expects.
- homepage (str) – The home page of the application.
- identifier_uris (list[str]) – A collection of URIs for the application.
- informational_urls (InformationalUrl) – URLs with more information about the application.
- is_device_only_auth_supported (bool) – Specifies whether this application supports device authentication without a user. The default is false.
- key_credentials (list[KeyCredential]) – A collection of KeyCredential objects.
- known_client_applications (list[str]) – Client applications that are tied to this resource application. Consent to any of the known client applications will result in implicit consent to the resource application through a combined consent dialog (showing the OAuth permission scopes required by the client and the resource).
- logout_url (str) – the url of the logout page
- oauth2_allow_implicit_flow (bool) – Whether to allow implicit grant flow for OAuth2
- oauth2_allow_url_path_matching (bool) – Specifies whether during a token Request Azure AD will allow path matching of the redirect URI against the applications collection of replyURLs. The default is false.
- oauth2_permissions (list[OAuth2Permission]) – The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. These permission scopes may be granted to client applications during consent.
- oauth2_require_post_response (bool) – Specifies whether, as part of OAuth 2.0 token requests, Azure AD will allow POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests will be allowed.
- org_restrictions (list[str]) – A list of tenants allowed to access application.
- optional_claims (OptionalClaims) –
- password_credentials (list[PasswordCredential]) – A collection of PasswordCredential objects
- pre_authorized_applications (list[PreAuthorizedApplication]) – list of pre-authorized applications.
- public_client (bool) – Specifies whether this application is a public client (such as an installed application running on a mobile device). Default is false.
- publisher_domain (str) – Reliable domain which can be used to identify an application.
- reply_urls (list[str]) – A collection of reply URLs for the application.
- required_resource_access (list[RequiredResourceAccess]) – Specifies resources that this application requires access to and the set of OAuth permission scopes and application roles that it needs under each of those resources. This pre-configuration of required resource access drives the consent experience.
- saml_metadata_url (str) – The URL to the SAML metadata for the application.
- sign_in_audience (str) – Audience for signing in to the application (AzureADMyOrganization, AzureADAllOrganizations, AzureADAndMicrosoftAccounts).
- www_homepage (str) – The primary Web page.
Variables: - object_id (str) – The object ID.
- deletion_timestamp (datetime) – The time at which the directory object was deleted.
-
class
azure.graphrbac.models.
ServicePrincipalObjectResult
(*, value: str = None, odatametadata: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Service Principal Object Result.
Parameters: - value (str) – The Object ID of the service principal with the specified application ID.
- odatametadata (str) – The URL representing edm equivalent.
-
class
azure.graphrbac.models.
AddOwnerParameters
(*, url: str, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for adding a owner to an application.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- url (str) – Required. A owner object URL, such as “https://graph.windows.net/0b1f9851-1bf0-433f-aec3-cb9272f093dc/directoryObjects/f260bbc4-c254-447b-94cf-293b5ec434dd”, where “0b1f9851-1bf0-433f-aec3-cb9272f093dc” is the tenantId and “f260bbc4-c254-447b-94cf-293b5ec434dd” is the objectId of the owner (user, application, servicePrincipal, group) to be added.
-
class
azure.graphrbac.models.
KeyCredentialsUpdateParameters
(*, value, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for a KeyCredentials update operation.
All required parameters must be populated in order to send to Azure.
Parameters: value (list[KeyCredential]) – Required. A collection of KeyCredentials.
-
class
azure.graphrbac.models.
PasswordCredentialsUpdateParameters
(*, value, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for a PasswordCredentials update operation.
All required parameters must be populated in order to send to Azure.
Parameters: value (list[PasswordCredential]) – Required. A collection of PasswordCredentials.
-
class
azure.graphrbac.models.
GroupAddMemberParameters
(*, url: str, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for adding a member to a group.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- url (str) – Required. A member object URL, such as “https://graph.windows.net/0b1f9851-1bf0-433f-aec3-cb9272f093dc/directoryObjects/f260bbc4-c254-447b-94cf-293b5ec434dd”, where “0b1f9851-1bf0-433f-aec3-cb9272f093dc” is the tenantId and “f260bbc4-c254-447b-94cf-293b5ec434dd” is the objectId of the member (user, application, servicePrincipal, group) to be added.
-
class
azure.graphrbac.models.
GroupCreateParameters
(*, display_name: str, mail_nickname: str, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for creating a new group.
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- display_name (str) – Required. Group display name
- mail_nickname (str) – Required. Mail nickname
Variables: - mail_enabled (bool) – Required. Whether the group is mail-enabled. Must be false. This is because only pure security groups can be created using the Graph API. Default value: False .
- security_enabled (bool) – Required. Whether the group is a security group. Must be true. This is because only pure security groups can be created using the Graph API. Default value: True .
-
mail_enabled
= False¶
-
security_enabled
= True¶
-
class
azure.graphrbac.models.
ADGroup
(*, additional_properties=None, display_name: str = None, mail_enabled: bool = None, mail_nickname: str = None, security_enabled: bool = None, mail: str = None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.directory_object_py3.DirectoryObject
Active Directory group information.
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- object_type (str) – Required. Constant filled by server.
- display_name (str) – The display name of the group.
- mail_enabled (bool) – Whether the group is mail-enabled. Must be false. This is because only pure security groups can be created using the Graph API.
- mail_nickname (str) – The mail alias for the group.
- security_enabled (bool) – Whether the group is security-enable.
- mail (str) – The primary email address of the group.
Variables: - object_id (str) – The object ID.
- deletion_timestamp (datetime) – The time at which the directory object was deleted.
-
class
azure.graphrbac.models.
GroupGetMemberGroupsParameters
(*, security_enabled_only: bool, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for GetMemberGroups API call.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- security_enabled_only (bool) – Required. If true, only membership in security-enabled groups should be checked. Otherwise, membership in all groups should be checked.
-
class
azure.graphrbac.models.
CheckGroupMembershipParameters
(*, group_id: str, member_id: str, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for IsMemberOf API call.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- group_id (str) – Required. The object ID of the group to check.
- member_id (str) – Required. The object ID of the contact, group, user, or service principal to check for membership in the specified group.
-
class
azure.graphrbac.models.
CheckGroupMembershipResult
(*, additional_properties=None, value: bool = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Server response for IsMemberOf API call.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- value (bool) – True if the specified user, group, contact, or service principal has either direct or transitive membership in the specified group; otherwise, false.
-
class
azure.graphrbac.models.
ServicePrincipalBase
(*, account_enabled: bool = None, app_role_assignment_required: bool = None, key_credentials=None, password_credentials=None, service_principal_type: str = None, tags=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Active Directory service principal common properties shared among GET, POST and PATCH.
Parameters: - account_enabled (bool) – whether or not the service principal account is enabled
- app_role_assignment_required (bool) – Specifies whether an AppRoleAssignment to a user or group is required before Azure AD will issue a user or access token to the application.
- key_credentials (list[KeyCredential]) – The collection of key credentials associated with the service principal.
- password_credentials (list[PasswordCredential]) – The collection of password credentials associated with the service principal.
- service_principal_type (str) – the type of the service principal
- tags (list[str]) – Optional list of tags that you can apply to your service principals. Not nullable.
-
class
azure.graphrbac.models.
ServicePrincipalCreateParameters
(*, app_id: str, account_enabled: bool = None, app_role_assignment_required: bool = None, key_credentials=None, password_credentials=None, service_principal_type: str = None, tags=None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.service_principal_base_py3.ServicePrincipalBase
Request parameters for creating a new service principal.
All required parameters must be populated in order to send to Azure.
Parameters: - account_enabled (bool) – whether or not the service principal account is enabled
- app_role_assignment_required (bool) – Specifies whether an AppRoleAssignment to a user or group is required before Azure AD will issue a user or access token to the application.
- key_credentials (list[KeyCredential]) – The collection of key credentials associated with the service principal.
- password_credentials (list[PasswordCredential]) – The collection of password credentials associated with the service principal.
- service_principal_type (str) – the type of the service principal
- tags (list[str]) – Optional list of tags that you can apply to your service principals. Not nullable.
- app_id (str) – Required. The application ID.
-
class
azure.graphrbac.models.
ServicePrincipalUpdateParameters
(*, account_enabled: bool = None, app_role_assignment_required: bool = None, key_credentials=None, password_credentials=None, service_principal_type: str = None, tags=None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.service_principal_base_py3.ServicePrincipalBase
Request parameters for update an existing service principal.
Parameters: - account_enabled (bool) – whether or not the service principal account is enabled
- app_role_assignment_required (bool) – Specifies whether an AppRoleAssignment to a user or group is required before Azure AD will issue a user or access token to the application.
- key_credentials (list[KeyCredential]) – The collection of key credentials associated with the service principal.
- password_credentials (list[PasswordCredential]) – The collection of password credentials associated with the service principal.
- service_principal_type (str) – the type of the service principal
- tags (list[str]) – Optional list of tags that you can apply to your service principals. Not nullable.
-
class
azure.graphrbac.models.
ServicePrincipal
(*, additional_properties=None, account_enabled: bool = None, alternative_names=None, app_id: str = None, app_role_assignment_required: bool = None, app_roles=None, display_name: str = None, error_url: str = None, homepage: str = None, key_credentials=None, logout_url: str = None, password_credentials=None, preferred_token_signing_key_thumbprint: str = None, publisher_name: str = None, reply_urls=None, saml_metadata_url: str = None, service_principal_names=None, service_principal_type: str = None, tags=None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.directory_object_py3.DirectoryObject
Active Directory service principal information.
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- object_type (str) – Required. Constant filled by server.
- account_enabled (bool) – whether or not the service principal account is enabled
- alternative_names (list[str]) – alternative names
- app_id (str) – The application ID.
- app_role_assignment_required (bool) – Specifies whether an AppRoleAssignment to a user or group is required before Azure AD will issue a user or access token to the application.
- app_roles (list[AppRole]) – The collection of application roles that an application may declare. These roles can be assigned to users, groups or service principals.
- display_name (str) – The display name of the service principal.
- error_url (str) – A URL provided by the author of the associated application to report errors when using the application.
- homepage (str) – The URL to the homepage of the associated application.
- key_credentials (list[KeyCredential]) – The collection of key credentials associated with the service principal.
- logout_url (str) – A URL provided by the author of the associated application to logout
- password_credentials (list[PasswordCredential]) – The collection of password credentials associated with the service principal.
- preferred_token_signing_key_thumbprint (str) – The thumbprint of preferred certificate to sign the token
- publisher_name (str) – The publisher’s name of the associated application
- reply_urls (list[str]) – The URLs that user tokens are sent to for sign in with the associated application. The redirect URIs that the oAuth 2.0 authorization code and access tokens are sent to for the associated application.
- saml_metadata_url (str) – The URL to the SAML metadata of the associated application
- service_principal_names (list[str]) – A collection of service principal names.
- service_principal_type (str) – the type of the service principal
- tags (list[str]) – Optional list of tags that you can apply to your service principals. Not nullable.
Variables: - object_id (str) – The object ID.
- deletion_timestamp (datetime) – The time at which the directory object was deleted.
- app_display_name (str) – The display name exposed by the associated application.
- app_owner_tenant_id (str) –
- oauth2_permissions (list[OAuth2Permission]) – The OAuth 2.0 permissions exposed by the associated application.
-
class
azure.graphrbac.models.
PasswordProfile
(*, password: str, additional_properties=None, force_change_password_next_login: bool = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
The password profile associated with a user.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- password (str) – Required. Password
- force_change_password_next_login (bool) – Whether to force a password change on next login.
-
class
azure.graphrbac.models.
UserBase
(*, additional_properties=None, immutable_id: str = None, usage_location: str = None, given_name: str = None, surname: str = None, user_type=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
UserBase.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- immutable_id (str) – This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account. It is used to associate an on-premises Active Directory user account with their Azure AD user object.
- usage_location (str) – A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: “US”, “JP”, and “GB”.
- given_name (str) – The given name for the user.
- surname (str) – The user’s surname (family name or last name).
- user_type (str or UserType) – A string value that can be used to classify user types in your directory, such as ‘Member’ and ‘Guest’. Possible values include: ‘Member’, ‘Guest’
-
class
azure.graphrbac.models.
UserCreateParameters
(*, account_enabled: bool, display_name: str, password_profile, user_principal_name: str, mail_nickname: str, additional_properties=None, immutable_id: str = None, usage_location: str = None, given_name: str = None, surname: str = None, user_type=None, mail: str = None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.user_base_py3.UserBase
Request parameters for creating a new work or school account user.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- immutable_id (str) – This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account. It is used to associate an on-premises Active Directory user account with their Azure AD user object.
- usage_location (str) – A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: “US”, “JP”, and “GB”.
- given_name (str) – The given name for the user.
- surname (str) – The user’s surname (family name or last name).
- user_type (str or UserType) – A string value that can be used to classify user types in your directory, such as ‘Member’ and ‘Guest’. Possible values include: ‘Member’, ‘Guest’
- account_enabled (bool) – Required. Whether the account is enabled.
- display_name (str) – Required. The display name of the user.
- password_profile (PasswordProfile) – Required. Password Profile
- user_principal_name (str) – Required. The user principal name (someuser@contoso.com). It must contain one of the verified domains for the tenant.
- mail_nickname (str) – Required. The mail alias for the user.
- mail (str) – The primary email address of the user.
-
class
azure.graphrbac.models.
UserUpdateParameters
(*, additional_properties=None, immutable_id: str = None, usage_location: str = None, given_name: str = None, surname: str = None, user_type=None, account_enabled: bool = None, display_name: str = None, password_profile=None, user_principal_name: str = None, mail_nickname: str = None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.user_base_py3.UserBase
Request parameters for updating an existing work or school account user.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- immutable_id (str) – This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account. It is used to associate an on-premises Active Directory user account with their Azure AD user object.
- usage_location (str) – A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: “US”, “JP”, and “GB”.
- given_name (str) – The given name for the user.
- surname (str) – The user’s surname (family name or last name).
- user_type (str or UserType) – A string value that can be used to classify user types in your directory, such as ‘Member’ and ‘Guest’. Possible values include: ‘Member’, ‘Guest’
- account_enabled (bool) – Whether the account is enabled.
- display_name (str) – The display name of the user.
- password_profile (PasswordProfile) – The password profile of the user.
- user_principal_name (str) – The user principal name (someuser@contoso.com). It must contain one of the verified domains for the tenant.
- mail_nickname (str) – The mail alias for the user.
-
class
azure.graphrbac.models.
SignInName
(*, additional_properties=None, type: str = None, value: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Contains information about a sign-in name of a local account user in an Azure Active Directory B2C tenant.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- type (str) – A string value that can be used to classify user sign-in types in your directory, such as ‘emailAddress’ or ‘userName’.
- value (str) – The sign-in used by the local account. Must be unique across the company/tenant. For example, ‘johnc@example.com’.
-
class
azure.graphrbac.models.
User
(*, additional_properties=None, immutable_id: str = None, usage_location: str = None, given_name: str = None, surname: str = None, user_type=None, account_enabled: bool = None, display_name: str = None, user_principal_name: str = None, mail_nickname: str = None, mail: str = None, sign_in_names=None, **kwargs)[source]¶ Bases:
azure.graphrbac.models.directory_object_py3.DirectoryObject
Active Directory user information.
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- object_type (str) – Required. Constant filled by server.
- immutable_id (str) – This must be specified if you are using a federated domain for the user’s userPrincipalName (UPN) property when creating a new user account. It is used to associate an on-premises Active Directory user account with their Azure AD user object.
- usage_location (str) – A two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries. Examples include: “US”, “JP”, and “GB”.
- given_name (str) – The given name for the user.
- surname (str) – The user’s surname (family name or last name).
- user_type (str or UserType) – A string value that can be used to classify user types in your directory, such as ‘Member’ and ‘Guest’. Possible values include: ‘Member’, ‘Guest’
- account_enabled (bool) – Whether the account is enabled.
- display_name (str) – The display name of the user.
- user_principal_name (str) – The principal name of the user.
- mail_nickname (str) – The mail alias for the user.
- mail (str) – The primary email address of the user.
- sign_in_names (list[SignInName]) – The sign-in names of the user.
Variables: - object_id (str) – The object ID.
- deletion_timestamp (datetime) – The time at which the directory object was deleted.
-
class
azure.graphrbac.models.
UserGetMemberGroupsParameters
(*, security_enabled_only: bool, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for GetMemberGroups API call.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- security_enabled_only (bool) – Required. If true, only membership in security-enabled groups should be checked. Otherwise, membership in all groups should be checked.
-
class
azure.graphrbac.models.
GetObjectsParameters
(*, additional_properties=None, object_ids=None, types=None, include_directory_object_references: bool = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Request parameters for the GetObjectsByObjectIds API.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- object_ids (list[str]) – The requested object IDs.
- types (list[str]) – The requested object types.
- include_directory_object_references (bool) – If true, also searches for object IDs in the partner tenant.
-
class
azure.graphrbac.models.
Domain
(*, name: str, additional_properties=None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
Active Directory Domain information.
Variables are only populated by the server, and will be ignored when sending a request.
All required parameters must be populated in order to send to Azure.
Parameters: - additional_properties (dict[str, object]) – Unmatched properties from the message are deserialized this collection
- name (str) – Required. the domain name.
Variables: - authentication_type (str) – the type of the authentication into the domain.
- is_default (bool) – if this is the default domain in the tenant.
- is_verified (bool) – if this domain’s ownership is verified.
-
class
azure.graphrbac.models.
OAuth2PermissionGrant
(*, odatatype: str = None, client_id: str = None, object_id: str = None, consent_type=None, principal_id: str = None, resource_id: str = None, scope: str = None, start_time: str = None, expiry_time: str = None, **kwargs)[source]¶ Bases:
msrest.serialization.Model
OAuth2PermissionGrant.
Parameters: - odatatype (str) – Microsoft.DirectoryServices.OAuth2PermissionGrant
- client_id (str) – The id of the resource’s service principal granted consent to impersonate the user when accessing the resource (represented by the resourceId property).
- object_id (str) – The id of the permission grant
- consent_type (str or ConsentType) – Indicates if consent was provided by the administrator (on behalf of the organization) or by an individual. Possible values include: ‘AllPrincipals’, ‘Principal’
- principal_id (str) – When consent type is Principal, this property specifies the id of the user that granted consent and applies only for that user.
- resource_id (str) – Object Id of the resource you want to grant
- scope (str) – Specifies the value of the scope claim that the resource application should expect in the OAuth 2.0 access token. For example, User.Read
- start_time (str) – Start time for TTL
- expiry_time (str) – Expiry time for TTL
-
class
azure.graphrbac.models.
DirectoryObjectPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
DirectoryObject
object
-
class
azure.graphrbac.models.
ApplicationPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
Application
object
-
class
azure.graphrbac.models.
KeyCredentialPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
KeyCredential
object
-
class
azure.graphrbac.models.
PasswordCredentialPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
PasswordCredential
object
-
class
azure.graphrbac.models.
ADGroupPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
ADGroup
object
-
class
azure.graphrbac.models.
StrPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of str object
-
class
azure.graphrbac.models.
ServicePrincipalPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
ServicePrincipal
object
-
class
azure.graphrbac.models.
UserPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
User
object
-
class
azure.graphrbac.models.
DomainPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
Domain
object
-
class
azure.graphrbac.models.
OAuth2PermissionGrantPaged
(*args, **kwargs)[source]¶ Bases:
msrest.paging.Paged
A paging container for iterating over a list of
OAuth2PermissionGrant
object