import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
 * Manages a Conditional Access Policy within Azure Active Directory.
 *
 * > **Licensing Requirements** Specifying `clientApplications` property requires the activation of Microsoft Entra on your tenant and the availability of sufficient Workload Identities Premium licences (one per service principal managed by a conditional access).
 *
 * > **API Limits** This resource is subject to a restrictive API request limit of 1 request/second. Whilst Terraform will automatically back-off and retry throttled requests, if you have a large number of resource changes to make, you may wish to reduce parallelism or specify extended custom resource timeouts.
 *
 * ## API Permissions
 *
 * The following API permissions are required in order to use this resource.
 *
 * When authenticated with a service principal, this resource requires the following application roles: `Policy.ReadWrite.ConditionalAccess` and `Policy.Read.All`
 *
 * When authenticated with a user principal, this resource requires one of the following directory roles: `Conditional Access Administrator` or `Global Administrator`
 *
 * ## Example Usage
 *
 * ### All users except guests or external users
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 *
 * const example = new azuread.ConditionalAccessPolicy("example", {
 *     displayName: "example policy",
 *     state: "disabled",
 *     conditions: {
 *         clientAppTypes: ["all"],
 *         signInRiskLevels: ["medium"],
 *         userRiskLevels: ["medium"],
 *         applications: {
 *             includedApplications: ["All"],
 *             excludedApplications: [],
 *         },
 *         devices: {
 *             filter: {
 *                 mode: "exclude",
 *                 rule: "device.operatingSystem eq \"Doors\"",
 *             },
 *         },
 *         locations: {
 *             includedLocations: ["All"],
 *             excludedLocations: ["AllTrusted"],
 *         },
 *         platforms: {
 *             includedPlatforms: ["android"],
 *             excludedPlatforms: ["iOS"],
 *         },
 *         users: {
 *             includedUsers: ["All"],
 *             excludedUsers: ["GuestsOrExternalUsers"],
 *         },
 *     },
 *     grantControls: {
 *         operator: "OR",
 *         builtInControls: ["mfa"],
 *     },
 *     sessionControls: {
 *         applicationEnforcedRestrictionsEnabled: true,
 *         disableResilienceDefaults: false,
 *         signInFrequency: 10,
 *         signInFrequencyPeriod: "hours",
 *         cloudAppSecurityPolicy: "monitorOnly",
 *     },
 * });
 * ```
 *
 * ### Included client applications / service principals
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 *
 * const current = azuread.getClientConfig({});
 * const example = new azuread.ConditionalAccessPolicy("example", {
 *     displayName: "example policy",
 *     state: "disabled",
 *     conditions: {
 *         clientAppTypes: ["all"],
 *         applications: {
 *             includedApplications: ["All"],
 *         },
 *         clientApplications: {
 *             includedServicePrincipals: [current.then(current => current.objectId)],
 *             excludedServicePrincipals: [],
 *         },
 *         users: {
 *             includedUsers: ["None"],
 *         },
 *     },
 *     grantControls: {
 *         operator: "OR",
 *         builtInControls: ["block"],
 *     },
 * });
 * ```
 *
 * ### Excluded client applications / service principals
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azuread from "@pulumi/azuread";
 *
 * const current = azuread.getClientConfig({});
 * const example = new azuread.ConditionalAccessPolicy("example", {
 *     displayName: "example policy",
 *     state: "disabled",
 *     conditions: {
 *         clientAppTypes: ["all"],
 *         applications: {
 *             includedApplications: ["All"],
 *         },
 *         clientApplications: {
 *             includedServicePrincipals: ["ServicePrincipalsInMyTenant"],
 *             excludedServicePrincipals: [current.then(current => current.objectId)],
 *         },
 *         users: {
 *             includedUsers: ["None"],
 *         },
 *     },
 *     grantControls: {
 *         operator: "OR",
 *         builtInControls: ["block"],
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Conditional Access Policies can be imported using the `id`, e.g.
 *
 * ```sh
 * $ pulumi import azuread:index/conditionalAccessPolicy:ConditionalAccessPolicy my_location /identity/conditionalAccess/policies/00000000-0000-0000-0000-000000000000
 * ```
 */
export declare class ConditionalAccessPolicy extends pulumi.CustomResource {
    /**
     * Get an existing ConditionalAccessPolicy resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ConditionalAccessPolicyState, opts?: pulumi.CustomResourceOptions): ConditionalAccessPolicy;
    /**
     * Returns true if the given object is an instance of ConditionalAccessPolicy.  This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is ConditionalAccessPolicy;
    /**
     * A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
     */
    readonly conditions: pulumi.Output<outputs.ConditionalAccessPolicyConditions>;
    /**
     * The friendly name for this Conditional Access Policy.
     */
    readonly displayName: pulumi.Output<string>;
    /**
     * A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
     */
    readonly grantControls: pulumi.Output<outputs.ConditionalAccessPolicyGrantControls | undefined>;
    /**
     * The object ID of the policy
     */
    readonly objectId: pulumi.Output<string>;
    /**
     * A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
     *
     * > Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
     */
    readonly sessionControls: pulumi.Output<outputs.ConditionalAccessPolicySessionControls | undefined>;
    /**
     * Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`
     */
    readonly state: pulumi.Output<string>;
    /**
     * Create a ConditionalAccessPolicy resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: ConditionalAccessPolicyArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering ConditionalAccessPolicy resources.
 */
export interface ConditionalAccessPolicyState {
    /**
     * A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
     */
    conditions?: pulumi.Input<inputs.ConditionalAccessPolicyConditions | undefined>;
    /**
     * The friendly name for this Conditional Access Policy.
     */
    displayName?: pulumi.Input<string | undefined>;
    /**
     * A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
     */
    grantControls?: pulumi.Input<inputs.ConditionalAccessPolicyGrantControls | undefined>;
    /**
     * The object ID of the policy
     */
    objectId?: pulumi.Input<string | undefined>;
    /**
     * A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
     *
     * > Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
     */
    sessionControls?: pulumi.Input<inputs.ConditionalAccessPolicySessionControls | undefined>;
    /**
     * Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`
     */
    state?: pulumi.Input<string | undefined>;
}
/**
 * The set of arguments for constructing a ConditionalAccessPolicy resource.
 */
export interface ConditionalAccessPolicyArgs {
    /**
     * A `conditions` block as documented below, which specifies the rules that must be met for the policy to apply.
     */
    conditions: pulumi.Input<inputs.ConditionalAccessPolicyConditions>;
    /**
     * The friendly name for this Conditional Access Policy.
     */
    displayName: pulumi.Input<string>;
    /**
     * A `grantControls` block as documented below, which specifies the grant controls that must be fulfilled to pass the policy.
     */
    grantControls?: pulumi.Input<inputs.ConditionalAccessPolicyGrantControls | undefined>;
    /**
     * A `sessionControls` block as documented below, which specifies the session controls that are enforced after sign-in.
     *
     * > Note: At least one of `grantControls` and/or `sessionControls` blocks must be specified.
     */
    sessionControls?: pulumi.Input<inputs.ConditionalAccessPolicySessionControls | undefined>;
    /**
     * Specifies the state of the policy object. Possible values are: `enabled`, `disabled` and `enabledForReportingButNotEnforced`
     */
    state: pulumi.Input<string>;
}
//# sourceMappingURL=conditionalAccessPolicy.d.ts.map