import * as pulumi from "@pulumi/pulumi";
/**
 * Manages a permission scope for an application registration.
 *
 * This resource is analogous to the `oauth2PermissionScope` block in the `api` block of the  `azuread.Application` resource. When using these resources together, you should use the `ignoreChanges` lifecycle meta-argument (see example below).
 *
 * ## API Permissions
 *
 * The following API permissions are required in order to use this resource.
 *
 * When authenticated with a service principal, this resource requires one of the following application roles: `Application.ReadWrite.OwnedBy` or `Application.ReadWrite.All`
 *
 * > When using the `Application.ReadWrite.OwnedBy` application role, the principal being used to run Terraform must be an owner of the application.
 *
 * When authenticated with a user principal, this resource may require one of the following directory roles: `Application Administrator` or `Global Administrator`
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 * import * as random from "@pulumi/random";
 *
 * const example = new azuread.ApplicationRegistration("example", {displayName: "example"});
 * const exampleAdminister = new random.index.Uuid("example_administer", {});
 * const exampleApplicationPermissionScope = new azuread.ApplicationPermissionScope("example", {
 *     applicationId: test.id,
 *     scopeId: exampleAdminister.id,
 *     value: "administer",
 *     adminConsentDescription: "Administer the application",
 *     adminConsentDisplayName: "Administer",
 * });
 * ```
 *
 * > **Tip** For managing more permissions scopes, create additional instances of this resource
 *
 * *Usage with azuread.Application resource*
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 *
 * const example = new azuread.Application("example", {displayName: "example"});
 * const exampleApplicationPermissionScope = new azuread.ApplicationPermissionScope("example", {applicationId: example.id});
 * ```
 *
 * ## Import
 *
 * Application App Roles can be imported using the object ID of the application and the ID of the permission scope, in the following format.
 *
 * ```sh
 * $ pulumi import azuread:index/applicationPermissionScope:ApplicationPermissionScope example /applications/00000000-0000-0000-0000-000000000000/permissionScopes/11111111-1111-1111-1111-111111111111
 * ```
 */
export declare class ApplicationPermissionScope extends pulumi.CustomResource {
    /**
     * Get an existing ApplicationPermissionScope resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ApplicationPermissionScopeState, opts?: pulumi.CustomResourceOptions): ApplicationPermissionScope;
    /**
     * Returns true if the given object is an instance of ApplicationPermissionScope.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ApplicationPermissionScope;
    /**
     * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
     */
    readonly adminConsentDescription: pulumi.Output<string>;
    /**
     * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
     */
    readonly adminConsentDisplayName: pulumi.Output<string>;
    /**
     * The resource ID of the application registration. Changing this forces a new resource to be created.
     */
    readonly applicationId: pulumi.Output<string>;
    /**
     * The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
     */
    readonly scopeId: pulumi.Output<string>;
    /**
     * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
     */
    readonly type: pulumi.Output<string | undefined>;
    /**
     * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
     */
    readonly userConsentDescription: pulumi.Output<string | undefined>;
    /**
     * Display name for the delegated permission that appears in the end user consent experience.
     *
     * > **Tip** Use the `randomUuid` resource to generate UUIDs and save them to state for permission scopes within your Terraform configuration
     */
    readonly userConsentDisplayName: pulumi.Output<string | undefined>;
    /**
     * The value that is used for the `scp` claim in OAuth access tokens.
     *
     * > **Roles and Permission Scopes** In Azure Active Directory, application roles and permission scopes exported by an application share the same namespace and cannot contain duplicate values.
     */
    readonly value: pulumi.Output<string>;
    /**
     * Create a ApplicationPermissionScope resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ApplicationPermissionScopeArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering ApplicationPermissionScope resources.
 */
export interface ApplicationPermissionScopeState {
    /**
     * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDescription?: pulumi.Input<string | undefined>;
    /**
     * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDisplayName?: pulumi.Input<string | undefined>;
    /**
     * The resource ID of the application registration. Changing this forces a new resource to be created.
     */
    applicationId?: pulumi.Input<string | undefined>;
    /**
     * The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
     */
    scopeId?: pulumi.Input<string | undefined>;
    /**
     * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
     */
    type?: pulumi.Input<string | undefined>;
    /**
     * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
     */
    userConsentDescription?: pulumi.Input<string | undefined>;
    /**
     * Display name for the delegated permission that appears in the end user consent experience.
     *
     * > **Tip** Use the `randomUuid` resource to generate UUIDs and save them to state for permission scopes within your Terraform configuration
     */
    userConsentDisplayName?: pulumi.Input<string | undefined>;
    /**
     * The value that is used for the `scp` claim in OAuth access tokens.
     *
     * > **Roles and Permission Scopes** In Azure Active Directory, application roles and permission scopes exported by an application share the same namespace and cannot contain duplicate values.
     */
    value?: pulumi.Input<string | undefined>;
}
/**
 * The set of arguments for constructing a ApplicationPermissionScope resource.
 */
export interface ApplicationPermissionScopeArgs {
    /**
     * Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDescription: pulumi.Input<string>;
    /**
     * Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
     */
    adminConsentDisplayName: pulumi.Input<string>;
    /**
     * The resource ID of the application registration. Changing this forces a new resource to be created.
     */
    applicationId: pulumi.Input<string>;
    /**
     * The unique identifier of the permission scope. Must be a valid UUID. Changing this forces a new resource to be created.
     */
    scopeId: pulumi.Input<string>;
    /**
     * Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions.
     */
    type?: pulumi.Input<string | undefined>;
    /**
     * Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
     */
    userConsentDescription?: pulumi.Input<string | undefined>;
    /**
     * Display name for the delegated permission that appears in the end user consent experience.
     *
     * > **Tip** Use the `randomUuid` resource to generate UUIDs and save them to state for permission scopes within your Terraform configuration
     */
    userConsentDisplayName?: pulumi.Input<string | undefined>;
    /**
     * The value that is used for the `scp` claim in OAuth access tokens.
     *
     * > **Roles and Permission Scopes** In Azure Active Directory, application roles and permission scopes exported by an application share the same namespace and cannot contain duplicate values.
     */
    value: pulumi.Input<string>;
}
//# sourceMappingURL=applicationPermissionScope.d.ts.map