Azure Active Directory (Azure AD) v6.4.0, Apr 7 25

Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

azuread.getServicePrincipal

Explore with Pulumi AI

Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

pulumi/pulumi-azuread

API Permissions

The following API permissions are required in order to use this data source.

When authenticated with a service principal, this data source requires one of the following application roles: Application.Read.All or Directory.Read.All

When authenticated with a user principal, this data source does not require any additional roles.

Example Usage

Look up by application display name

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = azuread.getServicePrincipal({
    displayName: "my-awesome-application",
});

import pulumi
import pulumi_azuread as azuread

example = azuread.get_service_principal(display_name="my-awesome-application")

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := azuread.LookupServicePrincipal(ctx, &azuread.LookupServicePrincipalArgs{
			DisplayName: pulumi.StringRef("my-awesome-application"),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = AzureAD.GetServicePrincipal.Invoke(new()
    {
        DisplayName = "my-awesome-application",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
            .displayName("my-awesome-application")
            .build());

    }
}

variables:
  example:
    fn::invoke:
      function: azuread:getServicePrincipal
      arguments:
        displayName: my-awesome-application

Look up by client ID

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = azuread.getServicePrincipal({
    clientId: "00000000-0000-0000-0000-000000000000",
});

import pulumi
import pulumi_azuread as azuread

example = azuread.get_service_principal(client_id="00000000-0000-0000-0000-000000000000")

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := azuread.LookupServicePrincipal(ctx, &azuread.LookupServicePrincipalArgs{
			ClientId: pulumi.StringRef("00000000-0000-0000-0000-000000000000"),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = AzureAD.GetServicePrincipal.Invoke(new()
    {
        ClientId = "00000000-0000-0000-0000-000000000000",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
            .clientId("00000000-0000-0000-0000-000000000000")
            .build());

    }
}

variables:
  example:
    fn::invoke:
      function: azuread:getServicePrincipal
      arguments:
        clientId: 00000000-0000-0000-0000-000000000000

Look up by service principal object ID

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

const example = azuread.getServicePrincipal({
    objectId: "00000000-0000-0000-0000-000000000000",
});

import pulumi
import pulumi_azuread as azuread

example = azuread.get_service_principal(object_id="00000000-0000-0000-0000-000000000000")

package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := azuread.LookupServicePrincipal(ctx, &azuread.LookupServicePrincipalArgs{
			ObjectId: pulumi.StringRef("00000000-0000-0000-0000-000000000000"),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() => 
{
    var example = AzureAD.GetServicePrincipal.Invoke(new()
    {
        ObjectId = "00000000-0000-0000-0000-000000000000",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.AzureadFunctions;
import com.pulumi.azuread.inputs.GetServicePrincipalArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AzureadFunctions.getServicePrincipal(GetServicePrincipalArgs.builder()
            .objectId("00000000-0000-0000-0000-000000000000")
            .build());

    }
}

variables:
  example:
    fn::invoke:
      function: azuread:getServicePrincipal
      arguments:
        objectId: 00000000-0000-0000-0000-000000000000

Using getServicePrincipal

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getServicePrincipal(args: GetServicePrincipalArgs, opts?: InvokeOptions): Promise<GetServicePrincipalResult>
function getServicePrincipalOutput(args: GetServicePrincipalOutputArgs, opts?: InvokeOptions): Output<GetServicePrincipalResult>

def get_service_principal(client_id: Optional[str] = None,
                          display_name: Optional[str] = None,
                          object_id: Optional[str] = None,
                          opts: Optional[InvokeOptions] = None) -> GetServicePrincipalResult
def get_service_principal_output(client_id: Optional[pulumi.Input[str]] = None,
                          display_name: Optional[pulumi.Input[str]] = None,
                          object_id: Optional[pulumi.Input[str]] = None,
                          opts: Optional[InvokeOptions] = None) -> Output[GetServicePrincipalResult]

func LookupServicePrincipal(ctx *Context, args *LookupServicePrincipalArgs, opts ...InvokeOption) (*LookupServicePrincipalResult, error)
func LookupServicePrincipalOutput(ctx *Context, args *LookupServicePrincipalOutputArgs, opts ...InvokeOption) LookupServicePrincipalResultOutput

> Note: This function is named LookupServicePrincipal in the Go SDK.

public static class GetServicePrincipal 
{
    public static Task<GetServicePrincipalResult> InvokeAsync(GetServicePrincipalArgs args, InvokeOptions? opts = null)
    public static Output<GetServicePrincipalResult> Invoke(GetServicePrincipalInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetServicePrincipalResult> getServicePrincipal(GetServicePrincipalArgs args, InvokeOptions options)
public static Output<GetServicePrincipalResult> getServicePrincipal(GetServicePrincipalArgs args, InvokeOptions options)

fn::invoke:
  function: azuread:index/getServicePrincipal:getServicePrincipal
  arguments:
    # arguments dictionary

The following arguments are supported:

ClientId string: The client ID of the application associated with this service principal.
DisplayName string: The display name of the application associated with this service principal.
ObjectId string: The object ID of the service principal.
One of client_id, display_name or object_id must be specified.

ClientId string: The client ID of the application associated with this service principal.
DisplayName string: The display name of the application associated with this service principal.
ObjectId string: The object ID of the service principal.
One of client_id, display_name or object_id must be specified.

clientId String: The client ID of the application associated with this service principal.
displayName String: The display name of the application associated with this service principal.
objectId String: The object ID of the service principal.
One of client_id, display_name or object_id must be specified.

clientId string: The client ID of the application associated with this service principal.
displayName string: The display name of the application associated with this service principal.
objectId string: The object ID of the service principal.
One of client_id, display_name or object_id must be specified.

client_id str: The client ID of the application associated with this service principal.
display_name str: The display name of the application associated with this service principal.
object_id str: The object ID of the service principal.
One of client_id, display_name or object_id must be specified.

clientId String: The client ID of the application associated with this service principal.
displayName String: The display name of the application associated with this service principal.
objectId String: The object ID of the service principal.
One of client_id, display_name or object_id must be specified.

getServicePrincipal Result

The following output properties are available:

AccountEnabled bool: Whether the service principal account is enabled.
AlternativeNames List<string>: A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
AppRoleAssignmentRequired bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
AppRoleIds Dictionary<string, string>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
AppRoles List<Pulumi.AzureAD.Outputs.GetServicePrincipalAppRole>: A list of app roles published by the associated application, as documented below. For more information official documentation.
ApplicationTenantId string: The tenant ID where the associated application is registered.
ClientId string: The client ID of the application associated with this service principal.
Description string: Permission help text that appears in the admin app assignment and consent experiences.
DisplayName string: Display name for the permission that appears in the admin consent and app assignment experiences.
FeatureTags List<Pulumi.AzureAD.Outputs.GetServicePrincipalFeatureTag>
Features List<Pulumi.AzureAD.Outputs.GetServicePrincipalFeature>: A features block as described below.
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
HomepageUrl string: Home page or landing page of the associated application.
Id string: The provider-assigned unique ID for this managed resource.
LoginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps.
LogoutUrl string: The URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
Notes string: A free text field to capture information about the service principal, typically used for operational purposes.
NotificationEmailAddresses List<string>: A list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
Oauth2PermissionScopeIds Dictionary<string, string>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
Oauth2PermissionScopes List<Pulumi.AzureAD.Outputs.GetServicePrincipalOauth2PermissionScope>: A collection of OAuth 2.0 delegated permissions exposed by the associated application. Each permission is covered by an oauth2_permission_scopes block as documented below.
ObjectId string: The object ID of the service principal.
PreferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps.
RedirectUris List<string>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
SamlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
SamlSingleSignOns List<Pulumi.AzureAD.Outputs.GetServicePrincipalSamlSingleSignOn>: A saml_single_sign_on block as documented below.
ServicePrincipalNames List<string>: A list of identifier URI(s), copied over from the associated application.
SignInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Tags List<string>: A list of tags applied to the service principal.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

AccountEnabled bool: Whether the service principal account is enabled.
AlternativeNames []string: A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
AppRoleAssignmentRequired bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
AppRoleIds map[string]string: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
AppRoles []GetServicePrincipalAppRole: A list of app roles published by the associated application, as documented below. For more information official documentation.
ApplicationTenantId string: The tenant ID where the associated application is registered.
ClientId string: The client ID of the application associated with this service principal.
Description string: Permission help text that appears in the admin app assignment and consent experiences.
DisplayName string: Display name for the permission that appears in the admin consent and app assignment experiences.
FeatureTags []GetServicePrincipalFeatureTag
Features []GetServicePrincipalFeature: A features block as described below.
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
HomepageUrl string: Home page or landing page of the associated application.
Id string: The provider-assigned unique ID for this managed resource.
LoginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps.
LogoutUrl string: The URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
Notes string: A free text field to capture information about the service principal, typically used for operational purposes.
NotificationEmailAddresses []string: A list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
Oauth2PermissionScopeIds map[string]string: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
Oauth2PermissionScopes []GetServicePrincipalOauth2PermissionScope: A collection of OAuth 2.0 delegated permissions exposed by the associated application. Each permission is covered by an oauth2_permission_scopes block as documented below.
ObjectId string: The object ID of the service principal.
PreferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps.
RedirectUris []string: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
SamlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
SamlSingleSignOns []GetServicePrincipalSamlSingleSignOn: A saml_single_sign_on block as documented below.
ServicePrincipalNames []string: A list of identifier URI(s), copied over from the associated application.
SignInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
Tags []string: A list of tags applied to the service principal.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

accountEnabled Boolean: Whether the service principal account is enabled.
alternativeNames List<String>: A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired Boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
appRoleIds Map<String,String>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles List<GetServicePrincipalAppRole>: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId String: The tenant ID where the associated application is registered.
clientId String: The client ID of the application associated with this service principal.
description String: Permission help text that appears in the admin app assignment and consent experiences.
displayName String: Display name for the permission that appears in the admin consent and app assignment experiences.
featureTags List<GetServicePrincipalFeatureTag>
features List<GetServicePrincipalFeature>: A features block as described below.
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepageUrl String: Home page or landing page of the associated application.
id String: The provider-assigned unique ID for this managed resource.
loginUrl String: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps.
logoutUrl String: The URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes String: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses List<String>: A list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2PermissionScopeIds Map<String,String>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes List<GetServicePrincipalOauth2PermissionScope>: A collection of OAuth 2.0 delegated permissions exposed by the associated application. Each permission is covered by an oauth2_permission_scopes block as documented below.
objectId String: The object ID of the service principal.
preferredSingleSignOnMode String: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps.
redirectUris List<String>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl String: The URL where the service exposes SAML metadata for federation.
samlSingleSignOns List<GetServicePrincipalSamlSingleSignOn>: A saml_single_sign_on block as documented below.
servicePrincipalNames List<String>: A list of identifier URI(s), copied over from the associated application.
signInAudience String: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags List<String>: A list of tags applied to the service principal.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

accountEnabled boolean: Whether the service principal account is enabled.
alternativeNames string[]: A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
appRoleIds {[key: string]: string}: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles GetServicePrincipalAppRole[]: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId string: The tenant ID where the associated application is registered.
clientId string: The client ID of the application associated with this service principal.
description string: Permission help text that appears in the admin app assignment and consent experiences.
displayName string: Display name for the permission that appears in the admin consent and app assignment experiences.
featureTags GetServicePrincipalFeatureTag[]
features GetServicePrincipalFeature[]: A features block as described below.
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepageUrl string: Home page or landing page of the associated application.
id string: The provider-assigned unique ID for this managed resource.
loginUrl string: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps.
logoutUrl string: The URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes string: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses string[]: A list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2PermissionScopeIds {[key: string]: string}: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes GetServicePrincipalOauth2PermissionScope[]: A collection of OAuth 2.0 delegated permissions exposed by the associated application. Each permission is covered by an oauth2_permission_scopes block as documented below.
objectId string: The object ID of the service principal.
preferredSingleSignOnMode string: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps.
redirectUris string[]: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl string: The URL where the service exposes SAML metadata for federation.
samlSingleSignOns GetServicePrincipalSamlSingleSignOn[]: A saml_single_sign_on block as documented below.
servicePrincipalNames string[]: A list of identifier URI(s), copied over from the associated application.
signInAudience string: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags string[]: A list of tags applied to the service principal.
type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

account_enabled bool: Whether the service principal account is enabled.
alternative_names Sequence[str]: A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
app_role_assignment_required bool: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
app_role_ids Mapping[str, str]: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
app_roles Sequence[GetServicePrincipalAppRole]: A list of app roles published by the associated application, as documented below. For more information official documentation.
application_tenant_id str: The tenant ID where the associated application is registered.
client_id str: The client ID of the application associated with this service principal.
description str: Permission help text that appears in the admin app assignment and consent experiences.
display_name str: Display name for the permission that appears in the admin consent and app assignment experiences.
feature_tags Sequence[GetServicePrincipalFeatureTag]
features Sequence[GetServicePrincipalFeature]: A features block as described below.
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepage_url str: Home page or landing page of the associated application.
id str: The provider-assigned unique ID for this managed resource.
login_url str: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps.
logout_url str: The URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes str: A free text field to capture information about the service principal, typically used for operational purposes.
notification_email_addresses Sequence[str]: A list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2_permission_scope_ids Mapping[str, str]: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2_permission_scopes Sequence[GetServicePrincipalOauth2PermissionScope]: A collection of OAuth 2.0 delegated permissions exposed by the associated application. Each permission is covered by an oauth2_permission_scopes block as documented below.
object_id str: The object ID of the service principal.
preferred_single_sign_on_mode str: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps.
redirect_uris Sequence[str]: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
saml_metadata_url str: The URL where the service exposes SAML metadata for federation.
saml_single_sign_ons Sequence[GetServicePrincipalSamlSingleSignOn]: A saml_single_sign_on block as documented below.
service_principal_names Sequence[str]: A list of identifier URI(s), copied over from the associated application.
sign_in_audience str: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags Sequence[str]: A list of tags applied to the service principal.
type str: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

accountEnabled Boolean: Whether the service principal account is enabled.
alternativeNames List<String>: A list of alternative names, used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities.
appRoleAssignmentRequired Boolean: Whether this service principal requires an app role assignment to a user or group before Azure AD will issue a user or access token to the application.
appRoleIds Map<String>: A mapping of app role values to app role IDs, as published by the associated application, intended to be useful when referencing app roles in other resources in your configuration.
appRoles List<Property Map>: A list of app roles published by the associated application, as documented below. For more information official documentation.
applicationTenantId String: The tenant ID where the associated application is registered.
clientId String: The client ID of the application associated with this service principal.
description String: Permission help text that appears in the admin app assignment and consent experiences.
displayName String: Display name for the permission that appears in the admin consent and app assignment experiences.
featureTags List<Property Map>
features List<Property Map>: A features block as described below.
Deprecated: This block has been renamed to feature_tags and will be removed in version 3.0 of the provider
homepageUrl String: Home page or landing page of the associated application.
id String: The provider-assigned unique ID for this managed resource.
loginUrl String: The URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps.
logoutUrl String: The URL that will be used by Microsoft's authorization service to logout an user using OpenId Connect front-channel, back-channel or SAML logout protocols, taken from the associated application.
notes String: A free text field to capture information about the service principal, typically used for operational purposes.
notificationEmailAddresses List<String>: A list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications.
oauth2PermissionScopeIds Map<String>: A mapping of OAuth2.0 permission scope values to scope IDs, as exposed by the associated application, intended to be useful when referencing permission scopes in other resources in your configuration.
oauth2PermissionScopes List<Property Map>: A collection of OAuth 2.0 delegated permissions exposed by the associated application. Each permission is covered by an oauth2_permission_scopes block as documented below.
objectId String: The object ID of the service principal.
preferredSingleSignOnMode String: The single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps.
redirectUris List<String>: A list of URLs where user tokens are sent for sign-in with the associated application, or the redirect URIs where OAuth 2.0 authorization codes and access tokens are sent for the associated application.
samlMetadataUrl String: The URL where the service exposes SAML metadata for federation.
samlSingleSignOns List<Property Map>: A saml_single_sign_on block as documented below.
servicePrincipalNames List<String>: A list of identifier URI(s), copied over from the associated application.
signInAudience String: The Microsoft account types that are supported for the associated application. Possible values include AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.
tags List<String>: A list of tags applied to the service principal.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.

Supporting Types

GetServicePrincipalAppRole

AllowedMemberTypes List<string>: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.
Description string: Permission help text that appears in the admin app assignment and consent experiences.
DisplayName string: The display name of the application associated with this service principal.
Enabled bool: Determines if the permission scope is enabled.
Id string: The unique identifier of the delegated permission. Must be a valid UUID.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

AllowedMemberTypes []string: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.
Description string: Permission help text that appears in the admin app assignment and consent experiences.
DisplayName string: The display name of the application associated with this service principal.
Enabled bool: Determines if the permission scope is enabled.
Id string: The unique identifier of the delegated permission. Must be a valid UUID.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes List<String>: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.
description String: Permission help text that appears in the admin app assignment and consent experiences.
displayName String: The display name of the application associated with this service principal.
enabled Boolean: Determines if the permission scope is enabled.
id String: The unique identifier of the delegated permission. Must be a valid UUID.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes string[]: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.
description string: Permission help text that appears in the admin app assignment and consent experiences.
displayName string: The display name of the application associated with this service principal.
enabled boolean: Determines if the permission scope is enabled.
id string: The unique identifier of the delegated permission. Must be a valid UUID.
value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowed_member_types Sequence[str]: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.
description str: Permission help text that appears in the admin app assignment and consent experiences.
display_name str: The display name of the application associated with this service principal.
enabled bool: Determines if the permission scope is enabled.
id str: The unique identifier of the delegated permission. Must be a valid UUID.
value str: The value that is used for the scp claim in OAuth 2.0 access tokens.

allowedMemberTypes List<String>: Specifies whether this app role definition can be assigned to users and groups, or to other applications (that are accessing this application in daemon service scenarios). Possible values are: User and Application, or both.
description String: Permission help text that appears in the admin app assignment and consent experiences.
displayName String: The display name of the application associated with this service principal.
enabled Boolean: Determines if the permission scope is enabled.
id String: The unique identifier of the delegated permission. Must be a valid UUID.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

GetServicePrincipalFeature

CustomSingleSignOnApp bool: Whether this service principal represents a custom SAML application.
EnterpriseApplication bool: Whether this service principal represents an Enterprise Application.
GalleryApplication bool: Whether this service principal represents a gallery application.
VisibleToUsers bool: Whether this app is visible to users in My Apps and Office 365 Launcher.

CustomSingleSignOnApp bool: Whether this service principal represents a custom SAML application.
EnterpriseApplication bool: Whether this service principal represents an Enterprise Application.
GalleryApplication bool: Whether this service principal represents a gallery application.
VisibleToUsers bool: Whether this app is visible to users in My Apps and Office 365 Launcher.

customSingleSignOnApp Boolean: Whether this service principal represents a custom SAML application.
enterpriseApplication Boolean: Whether this service principal represents an Enterprise Application.
galleryApplication Boolean: Whether this service principal represents a gallery application.
visibleToUsers Boolean: Whether this app is visible to users in My Apps and Office 365 Launcher.

customSingleSignOnApp boolean: Whether this service principal represents a custom SAML application.
enterpriseApplication boolean: Whether this service principal represents an Enterprise Application.
galleryApplication boolean: Whether this service principal represents a gallery application.
visibleToUsers boolean: Whether this app is visible to users in My Apps and Office 365 Launcher.

custom_single_sign_on_app bool: Whether this service principal represents a custom SAML application.
enterprise_application bool: Whether this service principal represents an Enterprise Application.
gallery_application bool: Whether this service principal represents a gallery application.
visible_to_users bool: Whether this app is visible to users in My Apps and Office 365 Launcher.

customSingleSignOnApp Boolean: Whether this service principal represents a custom SAML application.
enterpriseApplication Boolean: Whether this service principal represents an Enterprise Application.
galleryApplication Boolean: Whether this service principal represents a gallery application.
visibleToUsers Boolean: Whether this app is visible to users in My Apps and Office 365 Launcher.

GetServicePrincipalFeatureTag

CustomSingleSignOn bool: Whether this service principal represents a custom SAML application
Enterprise bool: Whether this service principal represents an Enterprise Application
Gallery bool: Whether this service principal represents a gallery application
Hide bool: Whether this app is invisible to users in My Apps and Office 365 Launcher

CustomSingleSignOn bool: Whether this service principal represents a custom SAML application
Enterprise bool: Whether this service principal represents an Enterprise Application
Gallery bool: Whether this service principal represents a gallery application
Hide bool: Whether this app is invisible to users in My Apps and Office 365 Launcher

customSingleSignOn Boolean: Whether this service principal represents a custom SAML application
enterprise Boolean: Whether this service principal represents an Enterprise Application
gallery Boolean: Whether this service principal represents a gallery application
hide Boolean: Whether this app is invisible to users in My Apps and Office 365 Launcher

customSingleSignOn boolean: Whether this service principal represents a custom SAML application
enterprise boolean: Whether this service principal represents an Enterprise Application
gallery boolean: Whether this service principal represents a gallery application
hide boolean: Whether this app is invisible to users in My Apps and Office 365 Launcher

custom_single_sign_on bool: Whether this service principal represents a custom SAML application
enterprise bool: Whether this service principal represents an Enterprise Application
gallery bool: Whether this service principal represents a gallery application
hide bool: Whether this app is invisible to users in My Apps and Office 365 Launcher

customSingleSignOn Boolean: Whether this service principal represents a custom SAML application
enterprise Boolean: Whether this service principal represents an Enterprise Application
gallery Boolean: Whether this service principal represents a gallery application
hide Boolean: Whether this app is invisible to users in My Apps and Office 365 Launcher

GetServicePrincipalOauth2PermissionScope

AdminConsentDescription string: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
AdminConsentDisplayName string: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
Enabled bool: Determines if the permission scope is enabled.
Id string: The unique identifier of the delegated permission. Must be a valid UUID.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
UserConsentDescription string: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
UserConsentDisplayName string: Display name for the delegated permission that appears in the end user consent experience.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

AdminConsentDescription string: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
AdminConsentDisplayName string: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
Enabled bool: Determines if the permission scope is enabled.
Id string: The unique identifier of the delegated permission. Must be a valid UUID.
Type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
UserConsentDescription string: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
UserConsentDisplayName string: Display name for the delegated permission that appears in the end user consent experience.
Value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription String: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
adminConsentDisplayName String: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled Boolean: Determines if the permission scope is enabled.
id String: The unique identifier of the delegated permission. Must be a valid UUID.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
userConsentDescription String: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
userConsentDisplayName String: Display name for the delegated permission that appears in the end user consent experience.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription string: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
adminConsentDisplayName string: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled boolean: Determines if the permission scope is enabled.
id string: The unique identifier of the delegated permission. Must be a valid UUID.
type string: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
userConsentDescription string: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
userConsentDisplayName string: Display name for the delegated permission that appears in the end user consent experience.
value string: The value that is used for the scp claim in OAuth 2.0 access tokens.

admin_consent_description str: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
admin_consent_display_name str: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled bool: Determines if the permission scope is enabled.
id str: The unique identifier of the delegated permission. Must be a valid UUID.
type str: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
user_consent_description str: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
user_consent_display_name str: Display name for the delegated permission that appears in the end user consent experience.
value str: The value that is used for the scp claim in OAuth 2.0 access tokens.

adminConsentDescription String: Delegated permission description that appears in all tenant-wide admin consent experiences, intended to be read by an administrator granting the permission on behalf of all users.
adminConsentDisplayName String: Display name for the delegated permission, intended to be read by an administrator granting the permission on behalf of all users.
enabled Boolean: Determines if the permission scope is enabled.
id String: The unique identifier of the delegated permission. Must be a valid UUID.
type String: Whether this delegated permission should be considered safe for non-admin users to consent to on behalf of themselves, or whether an administrator should be required for consent to the permissions. Possible values are User or Admin.
userConsentDescription String: Delegated permission description that appears in the end user consent experience, intended to be read by a user consenting on their own behalf.
userConsentDisplayName String: Display name for the delegated permission that appears in the end user consent experience.
value String: The value that is used for the scp claim in OAuth 2.0 access tokens.

GetServicePrincipalSamlSingleSignOn

RelayState string: The relative URI the service provider would redirect to after completion of the single sign-on flow.

RelayState string: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState String: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState string: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relay_state str: The relative URI the service provider would redirect to after completion of the single sign-on flow.

relayState String: The relative URI the service provider would redirect to after completion of the single sign-on flow.

Package Details

Repository: Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License: Apache-2.0
Notes: This Pulumi package is based on the azuread Terraform Provider.

Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

pulumi/pulumi-azuread

azuread.getServicePrincipal

On this page

On this page

API Permissions

Example Usage

Using getServicePrincipal

getServicePrincipal Result

Supporting Types

GetServicePrincipalAppRole

GetServicePrincipalFeature

GetServicePrincipalFeatureTag

GetServicePrincipalOauth2PermissionScope

GetServicePrincipalSamlSingleSignOn

Package Details

On this page

On this page