pulumi-azuread 5.48.0a1706744699__py3-none-any.whl → 6.8.0a1766208344__py3-none-any.whl

pulumi_azuread/directory_role_assignment.py

@@ -1,12 +1,17 @@
 # coding=utf-8
-# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import copy
+import builtins as _builtins
 import warnings
+import sys
 import pulumi
 import pulumi.runtime
 from typing import Any, Mapping, Optional, Sequence, Union, overload
+if sys.version_info >= (3, 11):
+    from typing import NotRequired, TypedDict, TypeAlias
+else:
+    from typing_extensions import NotRequired, TypedDict, TypeAlias
 from . import _utilities
 
 __all__ = ['DirectoryRoleAssignmentArgs', 'DirectoryRoleAssignment']
@@ -14,232 +19,155 @@ __all__ = ['DirectoryRoleAssignmentArgs', 'DirectoryRoleAssignment']
 @pulumi.input_type
 class DirectoryRoleAssignmentArgs:
     def __init__(__self__, *,
-                 principal_object_id: pulumi.Input[str],
-                 role_id: pulumi.Input[str],
-                 app_scope_id: Optional[pulumi.Input[str]] = None,
-                 app_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_object_id: Optional[pulumi.Input[str]] = None):
+                 principal_object_id: pulumi.Input[_builtins.str],
+                 role_id: pulumi.Input[_builtins.str],
+                 app_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 directory_scope_id: Optional[pulumi.Input[_builtins.str]] = None):
         """
         The set of arguments for constructing a DirectoryRoleAssignment resource.
-        :param pulumi.Input[str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] app_scope_object_id: Identifier of the app-specific scope when the assignment scope is app-specific
-        :param pulumi.Input[str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] directory_scope_object_id: Identifier of the directory object representing the scope of the assignment
+        :param pulumi.Input[_builtins.str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         pulumi.set(__self__, "principal_object_id", principal_object_id)
         pulumi.set(__self__, "role_id", role_id)
         if app_scope_id is not None:
             pulumi.set(__self__, "app_scope_id", app_scope_id)
-        if app_scope_object_id is not None:
-            warnings.warn("""`app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""", DeprecationWarning)
-            pulumi.log.warn("""app_scope_object_id is deprecated: `app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""")
-        if app_scope_object_id is not None:
-            pulumi.set(__self__, "app_scope_object_id", app_scope_object_id)
         if directory_scope_id is not None:
             pulumi.set(__self__, "directory_scope_id", directory_scope_id)
-        if directory_scope_object_id is not None:
-            pulumi.set(__self__, "directory_scope_object_id", directory_scope_object_id)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="principalObjectId")
-    def principal_object_id(self) -> pulumi.Input[str]:
+    def principal_object_id(self) -> pulumi.Input[_builtins.str]:
         """
         The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "principal_object_id")
 
     @principal_object_id.setter
-    def principal_object_id(self, value: pulumi.Input[str]):
+    def principal_object_id(self, value: pulumi.Input[_builtins.str]):
         pulumi.set(self, "principal_object_id", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="roleId")
-    def role_id(self) -> pulumi.Input[str]:
+    def role_id(self) -> pulumi.Input[_builtins.str]:
         """
         The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "role_id")
 
     @role_id.setter
-    def role_id(self, value: pulumi.Input[str]):
+    def role_id(self, value: pulumi.Input[_builtins.str]):
         pulumi.set(self, "role_id", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="appScopeId")
-    def app_scope_id(self) -> Optional[pulumi.Input[str]]:
+    def app_scope_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "app_scope_id")
 
     @app_scope_id.setter
-    def app_scope_id(self, value: Optional[pulumi.Input[str]]):
+    def app_scope_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "app_scope_id", value)
 
-    @property
-    @pulumi.getter(name="appScopeObjectId")
-    def app_scope_object_id(self) -> Optional[pulumi.Input[str]]:
-        """
-        Identifier of the app-specific scope when the assignment scope is app-specific
-        """
-        warnings.warn("""`app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""", DeprecationWarning)
-        pulumi.log.warn("""app_scope_object_id is deprecated: `app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""")
-
-        return pulumi.get(self, "app_scope_object_id")
-
-    @app_scope_object_id.setter
-    def app_scope_object_id(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "app_scope_object_id", value)
-
-    @property
+    @_builtins.property
     @pulumi.getter(name="directoryScopeId")
-    def directory_scope_id(self) -> Optional[pulumi.Input[str]]:
+    def directory_scope_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "directory_scope_id")
 
     @directory_scope_id.setter
-    def directory_scope_id(self, value: Optional[pulumi.Input[str]]):
+    def directory_scope_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "directory_scope_id", value)
 
-    @property
-    @pulumi.getter(name="directoryScopeObjectId")
-    def directory_scope_object_id(self) -> Optional[pulumi.Input[str]]:
-        """
-        Identifier of the directory object representing the scope of the assignment
-        """
-        return pulumi.get(self, "directory_scope_object_id")
-
-    @directory_scope_object_id.setter
-    def directory_scope_object_id(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "directory_scope_object_id", value)
-
 
 @pulumi.input_type
 class _DirectoryRoleAssignmentState:
     def __init__(__self__, *,
-                 app_scope_id: Optional[pulumi.Input[str]] = None,
-                 app_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 principal_object_id: Optional[pulumi.Input[str]] = None,
-                 role_id: Optional[pulumi.Input[str]] = None):
+                 app_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 directory_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 principal_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_id: Optional[pulumi.Input[_builtins.str]] = None):
         """
         Input properties used for looking up and filtering DirectoryRoleAssignment resources.
-        :param pulumi.Input[str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] app_scope_object_id: Identifier of the app-specific scope when the assignment scope is app-specific
-        :param pulumi.Input[str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] directory_scope_object_id: Identifier of the directory object representing the scope of the assignment
-        :param pulumi.Input[str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
         """
         if app_scope_id is not None:
             pulumi.set(__self__, "app_scope_id", app_scope_id)
-        if app_scope_object_id is not None:
-            warnings.warn("""`app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""", DeprecationWarning)
-            pulumi.log.warn("""app_scope_object_id is deprecated: `app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""")
-        if app_scope_object_id is not None:
-            pulumi.set(__self__, "app_scope_object_id", app_scope_object_id)
         if directory_scope_id is not None:
             pulumi.set(__self__, "directory_scope_id", directory_scope_id)
-        if directory_scope_object_id is not None:
-            pulumi.set(__self__, "directory_scope_object_id", directory_scope_object_id)
         if principal_object_id is not None:
             pulumi.set(__self__, "principal_object_id", principal_object_id)
         if role_id is not None:
             pulumi.set(__self__, "role_id", role_id)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="appScopeId")
-    def app_scope_id(self) -> Optional[pulumi.Input[str]]:
+    def app_scope_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "app_scope_id")
 
     @app_scope_id.setter
-    def app_scope_id(self, value: Optional[pulumi.Input[str]]):
+    def app_scope_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "app_scope_id", value)
 
-    @property
-    @pulumi.getter(name="appScopeObjectId")
-    def app_scope_object_id(self) -> Optional[pulumi.Input[str]]:
-        """
-        Identifier of the app-specific scope when the assignment scope is app-specific
-        """
-        warnings.warn("""`app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""", DeprecationWarning)
-        pulumi.log.warn("""app_scope_object_id is deprecated: `app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""")
-
-        return pulumi.get(self, "app_scope_object_id")
-
-    @app_scope_object_id.setter
-    def app_scope_object_id(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "app_scope_object_id", value)
-
-    @property
+    @_builtins.property
     @pulumi.getter(name="directoryScopeId")
-    def directory_scope_id(self) -> Optional[pulumi.Input[str]]:
+    def directory_scope_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "directory_scope_id")
 
     @directory_scope_id.setter
-    def directory_scope_id(self, value: Optional[pulumi.Input[str]]):
+    def directory_scope_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "directory_scope_id", value)
 
-    @property
-    @pulumi.getter(name="directoryScopeObjectId")
-    def directory_scope_object_id(self) -> Optional[pulumi.Input[str]]:
-        """
-        Identifier of the directory object representing the scope of the assignment
-        """
-        return pulumi.get(self, "directory_scope_object_id")
-
-    @directory_scope_object_id.setter
-    def directory_scope_object_id(self, value: Optional[pulumi.Input[str]]):
-        pulumi.set(self, "directory_scope_object_id", value)
-
-    @property
+    @_builtins.property
     @pulumi.getter(name="principalObjectId")
-    def principal_object_id(self) -> Optional[pulumi.Input[str]]:
+    def principal_object_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "principal_object_id")
 
     @principal_object_id.setter
-    def principal_object_id(self, value: Optional[pulumi.Input[str]]):
+    def principal_object_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "principal_object_id", value)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="roleId")
-    def role_id(self) -> Optional[pulumi.Input[str]]:
+    def role_id(self) -> Optional[pulumi.Input[_builtins.str]]:
         """
         The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "role_id")
 
     @role_id.setter
-    def role_id(self, value: Optional[pulumi.Input[str]]):
+    def role_id(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "role_id", value)
 
 
+@pulumi.type_token("azuread:index/directoryRoleAssignment:DirectoryRoleAssignment")
 class DirectoryRoleAssignment(pulumi.CustomResource):
     @overload
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 app_scope_id: Optional[pulumi.Input[str]] = None,
-                 app_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 principal_object_id: Optional[pulumi.Input[str]] = None,
-                 role_id: Optional[pulumi.Input[str]] = None,
+                 app_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 directory_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 principal_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_id: Optional[pulumi.Input[_builtins.str]] = None,
                  __props__=None):
         """
         Manages a single directory role assignment within Azure Active Directory.
@@ -252,22 +180,78 @@ class DirectoryRoleAssignment(pulumi.CustomResource):
 
         When authenticated with a user principal, this resource requires one of the following directory roles: `Privileged Role Administrator` or `Global Administrator`
 
+        ## Example Usage
+
+        *Assignment for a built-in role*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        example = azuread.get_user(user_principal_name="jdoe@example.com")
+        example_directory_role = azuread.DirectoryRole("example", display_name="Security administrator")
+        example_directory_role_assignment = azuread.DirectoryRoleAssignment("example",
+            role_id=example_directory_role.template_id,
+            principal_object_id=example.object_id)
+        ```
+
+        > Note the use of the `template_id` attribute when referencing built-in roles.
+
+        *Assignment for a custom role*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        example = azuread.get_user(user_principal_name="jdoe@example.com")
+        example_custom_directory_role = azuread.CustomDirectoryRole("example",
+            display_name="My Custom Role",
+            enabled=True,
+            version="1.0",
+            permissions=[{
+                "allowed_resource_actions": [
+                    "microsoft.directory/applications/basic/update",
+                    "microsoft.directory/applications/standard/read",
+                ],
+            }])
+        example_directory_role_assignment = azuread.DirectoryRoleAssignment("example",
+            role_id=example_custom_directory_role.object_id,
+            principal_object_id=example.object_id)
+        ```
+
+        *Scoped assignment for an application*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+        import pulumi_std as std
+
+        example_directory_role = azuread.DirectoryRole("example", display_name="Cloud application administrator")
+        example_application = azuread.Application("example", display_name="My Application")
+        example = azuread.get_user(user_principal_name="jdoe@example.com")
+        example_directory_role_assignment = azuread.DirectoryRoleAssignment("example",
+            role_id=example_directory_role.template_id,
+            principal_object_id=example.object_id,
+            directory_scope_id=std.format(input="/%s",
+                args=[example_application.object_id]).result)
+        ```
+
+        > Note the use of the `template_id` attribute when referencing built-in roles.
+
         ## Import
 
         Directory role assignments can be imported using the ID of the assignment, e.g.
 
         ```sh
-         $ pulumi import azuread:index/directoryRoleAssignment:DirectoryRoleAssignment example ePROZI_iKE653D_d6aoLHyr-lKgHI8ZGiIdz8CLVcng-1
+        $ pulumi import azuread:index/directoryRoleAssignment:DirectoryRoleAssignment example ePROZI_iKE653D_d6aoLHyr-lKgHI8ZGiIdz8CLVcng-1
         ```
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] app_scope_object_id: Identifier of the app-specific scope when the assignment scope is app-specific
-        :param pulumi.Input[str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] directory_scope_object_id: Identifier of the directory object representing the scope of the assignment
-        :param pulumi.Input[str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
         """
         ...
     @overload
@@ -286,12 +270,70 @@ class DirectoryRoleAssignment(pulumi.CustomResource):
 
         When authenticated with a user principal, this resource requires one of the following directory roles: `Privileged Role Administrator` or `Global Administrator`
 
+        ## Example Usage
+
+        *Assignment for a built-in role*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        example = azuread.get_user(user_principal_name="jdoe@example.com")
+        example_directory_role = azuread.DirectoryRole("example", display_name="Security administrator")
+        example_directory_role_assignment = azuread.DirectoryRoleAssignment("example",
+            role_id=example_directory_role.template_id,
+            principal_object_id=example.object_id)
+        ```
+
+        > Note the use of the `template_id` attribute when referencing built-in roles.
+
+        *Assignment for a custom role*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        example = azuread.get_user(user_principal_name="jdoe@example.com")
+        example_custom_directory_role = azuread.CustomDirectoryRole("example",
+            display_name="My Custom Role",
+            enabled=True,
+            version="1.0",
+            permissions=[{
+                "allowed_resource_actions": [
+                    "microsoft.directory/applications/basic/update",
+                    "microsoft.directory/applications/standard/read",
+                ],
+            }])
+        example_directory_role_assignment = azuread.DirectoryRoleAssignment("example",
+            role_id=example_custom_directory_role.object_id,
+            principal_object_id=example.object_id)
+        ```
+
+        *Scoped assignment for an application*
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+        import pulumi_std as std
+
+        example_directory_role = azuread.DirectoryRole("example", display_name="Cloud application administrator")
+        example_application = azuread.Application("example", display_name="My Application")
+        example = azuread.get_user(user_principal_name="jdoe@example.com")
+        example_directory_role_assignment = azuread.DirectoryRoleAssignment("example",
+            role_id=example_directory_role.template_id,
+            principal_object_id=example.object_id,
+            directory_scope_id=std.format(input="/%s",
+                args=[example_application.object_id]).result)
+        ```
+
+        > Note the use of the `template_id` attribute when referencing built-in roles.
+
         ## Import
 
         Directory role assignments can be imported using the ID of the assignment, e.g.
 
         ```sh
-         $ pulumi import azuread:index/directoryRoleAssignment:DirectoryRoleAssignment example ePROZI_iKE653D_d6aoLHyr-lKgHI8ZGiIdz8CLVcng-1
+        $ pulumi import azuread:index/directoryRoleAssignment:DirectoryRoleAssignment example ePROZI_iKE653D_d6aoLHyr-lKgHI8ZGiIdz8CLVcng-1
         ```
 
         :param str resource_name: The name of the resource.
@@ -309,12 +351,10 @@ class DirectoryRoleAssignment(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 app_scope_id: Optional[pulumi.Input[str]] = None,
-                 app_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_id: Optional[pulumi.Input[str]] = None,
-                 directory_scope_object_id: Optional[pulumi.Input[str]] = None,
-                 principal_object_id: Optional[pulumi.Input[str]] = None,
-                 role_id: Optional[pulumi.Input[str]] = None,
+                 app_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 directory_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 principal_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+                 role_id: Optional[pulumi.Input[_builtins.str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -325,9 +365,7 @@ class DirectoryRoleAssignment(pulumi.CustomResource):
             __props__ = DirectoryRoleAssignmentArgs.__new__(DirectoryRoleAssignmentArgs)
 
             __props__.__dict__["app_scope_id"] = app_scope_id
-            __props__.__dict__["app_scope_object_id"] = app_scope_object_id
             __props__.__dict__["directory_scope_id"] = directory_scope_id
-            __props__.__dict__["directory_scope_object_id"] = directory_scope_object_id
             if principal_object_id is None and not opts.urn:
                 raise TypeError("Missing required property 'principal_object_id'")
             __props__.__dict__["principal_object_id"] = principal_object_id
@@ -344,12 +382,10 @@ class DirectoryRoleAssignment(pulumi.CustomResource):
     def get(resource_name: str,
             id: pulumi.Input[str],
             opts: Optional[pulumi.ResourceOptions] = None,
-            app_scope_id: Optional[pulumi.Input[str]] = None,
-            app_scope_object_id: Optional[pulumi.Input[str]] = None,
-            directory_scope_id: Optional[pulumi.Input[str]] = None,
-            directory_scope_object_id: Optional[pulumi.Input[str]] = None,
-            principal_object_id: Optional[pulumi.Input[str]] = None,
-            role_id: Optional[pulumi.Input[str]] = None) -> 'DirectoryRoleAssignment':
+            app_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+            directory_scope_id: Optional[pulumi.Input[_builtins.str]] = None,
+            principal_object_id: Optional[pulumi.Input[_builtins.str]] = None,
+            role_id: Optional[pulumi.Input[_builtins.str]] = None) -> 'DirectoryRoleAssignment':
         """
         Get an existing DirectoryRoleAssignment resource's state with the given name, id, and optional extra
         properties used to qualify the lookup.
@@ -357,71 +393,48 @@ class DirectoryRoleAssignment(pulumi.CustomResource):
         :param str resource_name: The unique name of the resulting resource.
         :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] app_scope_object_id: Identifier of the app-specific scope when the assignment scope is app-specific
-        :param pulumi.Input[str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] directory_scope_object_id: Identifier of the directory object representing the scope of the assignment
-        :param pulumi.Input[str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
-        :param pulumi.Input[str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] app_scope_id: Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] directory_scope_id: Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] principal_object_id: The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
+        :param pulumi.Input[_builtins.str] role_id: The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
         """
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
 
         __props__ = _DirectoryRoleAssignmentState.__new__(_DirectoryRoleAssignmentState)
 
         __props__.__dict__["app_scope_id"] = app_scope_id
-        __props__.__dict__["app_scope_object_id"] = app_scope_object_id
         __props__.__dict__["directory_scope_id"] = directory_scope_id
-        __props__.__dict__["directory_scope_object_id"] = directory_scope_object_id
         __props__.__dict__["principal_object_id"] = principal_object_id
         __props__.__dict__["role_id"] = role_id
         return DirectoryRoleAssignment(resource_name, opts=opts, __props__=__props__)
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="appScopeId")
-    def app_scope_id(self) -> pulumi.Output[str]:
+    def app_scope_id(self) -> pulumi.Output[_builtins.str]:
         """
         Identifier of the app-specific scope when the assignment scope is app-specific. Cannot be used with `directory_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "app_scope_id")
 
-    @property
-    @pulumi.getter(name="appScopeObjectId")
-    def app_scope_object_id(self) -> pulumi.Output[str]:
-        """
-        Identifier of the app-specific scope when the assignment scope is app-specific
-        """
-        warnings.warn("""`app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""", DeprecationWarning)
-        pulumi.log.warn("""app_scope_object_id is deprecated: `app_scope_object_id` has been renamed to `app_scope_id` and will be removed in version 3.0 or the AzureAD Provider""")
-
-        return pulumi.get(self, "app_scope_object_id")
-
-    @property
+    @_builtins.property
     @pulumi.getter(name="directoryScopeId")
-    def directory_scope_id(self) -> pulumi.Output[str]:
+    def directory_scope_id(self) -> pulumi.Output[_builtins.str]:
         """
         Identifier of the directory object representing the scope of the assignment. Cannot be used with `app_scope_id`. See [official documentation](https://docs.microsoft.com/en-us/graph/api/rbacapplication-post-roleassignments?view=graph-rest-1.0&tabs=http) for example usage. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "directory_scope_id")
 
-    @property
-    @pulumi.getter(name="directoryScopeObjectId")
-    def directory_scope_object_id(self) -> pulumi.Output[str]:
-        """
-        Identifier of the directory object representing the scope of the assignment
-        """
-        return pulumi.get(self, "directory_scope_object_id")
-
-    @property
+    @_builtins.property
     @pulumi.getter(name="principalObjectId")
-    def principal_object_id(self) -> pulumi.Output[str]:
+    def principal_object_id(self) -> pulumi.Output[_builtins.str]:
         """
         The object ID of the principal for you want to create a role assignment. Supported object types are Users, Groups or Service Principals. Changing this forces a new resource to be created.
         """
         return pulumi.get(self, "principal_object_id")
 
-    @property
+    @_builtins.property
     @pulumi.getter(name="roleId")
-    def role_id(self) -> pulumi.Output[str]:
+    def role_id(self) -> pulumi.Output[_builtins.str]:
         """
         The template ID (in the case of built-in roles) or object ID (in the case of custom roles) of the directory role you want to assign. Changing this forces a new resource to be created.
         """