From 7516b2aaaa736f19db0c015c2ea8f4ab43f1655b Mon Sep 17 00:00:00 2001
From: Ian Wahbe <ian@wahbe.com>
Date: Mon, 30 Oct 2023 14:25:30 -0700
Subject: [PATCH] Upgrade terraform-provider-azuread to v2.45.0 (#529)

This PR was generated via `$ upgrade-provider pulumi/pulumi-azuread`.

---

- Upgrading terraform-provider-azuread from 2.44.0  to 2.45.0.
	Fixes #523
	Fixes #510
Fixes #525
---
 .../bridge-metadata.json                      | 100 +++
 .../cmd/pulumi-resource-azuread/schema.json   | 220 ++++-
 provider/go.mod                               |   6 +-
 provider/go.sum                               |  11 +-
 provider/shim/go.mod                          |   6 +-
 provider/shim/go.sum                          |  11 +-
 sdk/dotnet/ApplicationOptionalClaims.cs       | 251 ++++++
 sdk/dotnet/GetApplicationPublishedAppIds.cs   |   4 +-
 ...pplicationOptionalClaimsAccessTokenArgs.cs |   2 +-
 ...icationOptionalClaimsAccessTokenGetArgs.cs |   2 +-
 .../ApplicationOptionalClaimsIdTokenArgs.cs   |   2 +-
 ...ApplicationOptionalClaimsIdTokenGetArgs.cs |   2 +-
 ...ApplicationOptionalClaimsSaml2TokenArgs.cs |   2 +-
 ...licationOptionalClaimsSaml2TokenGetArgs.cs |   2 +-
 ...tionalAccessPolicyConditionsDevicesArgs.cs |   2 +-
 ...nalAccessPolicyConditionsDevicesGetArgs.cs |   2 +-
 ...ditionalAccessPolicyConditionsUsersArgs.cs |  26 +-
 ...nsUsersExcludedGuestsOrExternalUserArgs.cs |  44 +
 ...dGuestsOrExternalUserExternalTenantArgs.cs |  38 +
 ...estsOrExternalUserExternalTenantGetArgs.cs |  38 +
 ...sersExcludedGuestsOrExternalUserGetArgs.cs |  44 +
 ...ionalAccessPolicyConditionsUsersGetArgs.cs |  26 +-
 ...nsUsersIncludedGuestsOrExternalUserArgs.cs |  44 +
 ...dGuestsOrExternalUserExternalTenantArgs.cs |  38 +
 ...estsOrExternalUserExternalTenantGetArgs.cs |  38 +
 ...sersIncludedGuestsOrExternalUserGetArgs.cs |  44 +
 ...ditionalAccessPolicySessionControlsArgs.cs |  16 +-
 ...ionalAccessPolicySessionControlsGetArgs.cs |  16 +-
 .../ApplicationOptionalClaimsAccessToken.cs   |   2 +-
 .../ApplicationOptionalClaimsIdToken.cs       |   2 +-
 .../ApplicationOptionalClaimsSaml2Token.cs    |   2 +-
 ...onditionalAccessPolicyConditionsDevices.cs |   2 +-
 .../ConditionalAccessPolicyConditionsUsers.cs |  16 +-
 ...itionsUsersExcludedGuestsOrExternalUser.cs |  35 +
 ...ludedGuestsOrExternalUserExternalTenant.cs |  35 +
 ...itionsUsersIncludedGuestsOrExternalUser.cs |  35 +
 ...ludedGuestsOrExternalUserExternalTenant.cs |  35 +
 .../ConditionalAccessPolicySessionControls.cs |  18 +-
 sdk/dotnet/ServicePrincipal.cs                |   8 +-
 sdk/go/azuread/application.go                 |  16 +-
 sdk/go/azuread/applicationOptionalClaims.go   | 380 ++++++++
 .../azuread/getApplicationPublishedAppIds.go  |   4 +-
 sdk/go/azuread/init.go                        |   7 +
 sdk/go/azuread/pulumiTypes.go                 | 838 +++++++++++++++---
 sdk/go/azuread/servicePrincipal.go            |  12 +-
 .../azuread/ApplicationOptionalClaims.java    | 197 ++++
 .../ApplicationOptionalClaimsArgs.java        | 239 +++++
 .../com/pulumi/azuread/AzureadFunctions.java  |  12 +-
 .../com/pulumi/azuread/ServicePrincipal.java  |   8 +-
 ...licationOptionalClaimsAccessTokenArgs.java |  10 +-
 .../ApplicationOptionalClaimsIdTokenArgs.java |  10 +-
 ...plicationOptionalClaimsSaml2TokenArgs.java |  10 +-
 .../ApplicationOptionalClaimsState.java       | 238 +++++
 ...onalAccessPolicyConditionsDevicesArgs.java |   8 +-
 ...tionalAccessPolicyConditionsUsersArgs.java | 106 ++-
 ...UsersExcludedGuestsOrExternalUserArgs.java | 143 +++
 ...uestsOrExternalUserExternalTenantArgs.java | 132 +++
 ...UsersIncludedGuestsOrExternalUserArgs.java | 143 +++
 ...uestsOrExternalUserExternalTenantArgs.java | 132 +++
 ...tionalAccessPolicySessionControlsArgs.java |  90 +-
 .../ApplicationOptionalClaimsAccessToken.java |   4 +-
 .../ApplicationOptionalClaimsIdToken.java     |   4 +-
 .../ApplicationOptionalClaimsSaml2Token.java  |   4 +-
 ...ditionalAccessPolicyConditionsDevices.java |   4 +-
 ...onditionalAccessPolicyConditionsUsers.java |  52 +-
 ...ionsUsersExcludedGuestsOrExternalUser.java |  83 ++
 ...dedGuestsOrExternalUserExternalTenant.java |  79 ++
 ...ionsUsersIncludedGuestsOrExternalUser.java |  83 ++
 ...dedGuestsOrExternalUserExternalTenant.java |  79 ++
 ...onditionalAccessPolicySessionControls.java |  48 +-
 sdk/nodejs/applicationOptionalClaims.ts       | 172 ++++
 sdk/nodejs/getApplicationPublishedAppIds.ts   |   4 +-
 sdk/nodejs/index.ts                           |   8 +
 sdk/nodejs/servicePrincipal.ts                |   8 +-
 sdk/nodejs/tsconfig.json                      |   1 +
 sdk/nodejs/types/input.ts                     |  74 +-
 sdk/nodejs/types/output.ts                    |  74 +-
 sdk/python/pulumi_azuread/__init__.py         |   9 +
 sdk/python/pulumi_azuread/_inputs.py          | 248 +++++-
 .../application_optional_claims.py            | 371 ++++++++
 .../get_application_published_app_ids.py      |   4 +-
 sdk/python/pulumi_azuread/outputs.py          | 280 +++++-
 .../pulumi_azuread/service_principal.py       |  16 +-
 83 files changed, 5385 insertions(+), 286 deletions(-)
 create mode 100644 sdk/dotnet/ApplicationOptionalClaims.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs.cs
 create mode 100644 sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs.cs
 create mode 100644 sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.cs
 create mode 100644 sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.cs
 create mode 100644 sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.cs
 create mode 100644 sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.cs
 create mode 100644 sdk/go/azuread/applicationOptionalClaims.go
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaims.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaimsArgs.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsState.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.java
 create mode 100644 sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.java
 create mode 100644 sdk/nodejs/applicationOptionalClaims.ts
 create mode 100644 sdk/python/pulumi_azuread/application_optional_claims.py

diff --git a/provider/cmd/pulumi-resource-azuread/bridge-metadata.json b/provider/cmd/pulumi-resource-azuread/bridge-metadata.json
index 7382af231..2ddf61622 100644
--- a/provider/cmd/pulumi-resource-azuread/bridge-metadata.json
+++ b/provider/cmd/pulumi-resource-azuread/bridge-metadata.json
@@ -506,6 +506,41 @@
                     }
                 }
             },
+            "azuread_application_optional_claims": {
+                "current": "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims",
+                "fields": {
+                    "access_token": {
+                        "maxItemsOne": false,
+                        "elem": {
+                            "fields": {
+                                "additional_properties": {
+                                    "maxItemsOne": false
+                                }
+                            }
+                        }
+                    },
+                    "id_token": {
+                        "maxItemsOne": false,
+                        "elem": {
+                            "fields": {
+                                "additional_properties": {
+                                    "maxItemsOne": false
+                                }
+                            }
+                        }
+                    },
+                    "saml2_token": {
+                        "maxItemsOne": false,
+                        "elem": {
+                            "fields": {
+                                "additional_properties": {
+                                    "maxItemsOne": false
+                                }
+                            }
+                        }
+                    }
+                }
+            },
             "azuread_application_owner": {
                 "current": "azuread:index/applicationOwner:ApplicationOwner"
             },
@@ -680,6 +715,26 @@
                                                 "maxItemsOne": false,
                                                 "elem": {}
                                             },
+                                            "excluded_guests_or_external_users": {
+                                                "maxItemsOne": false,
+                                                "elem": {
+                                                    "fields": {
+                                                        "external_tenants": {
+                                                            "maxItemsOne": false,
+                                                            "elem": {
+                                                                "fields": {
+                                                                    "members": {
+                                                                        "maxItemsOne": false
+                                                                    }
+                                                                }
+                                                            }
+                                                        },
+                                                        "guest_or_external_user_types": {
+                                                            "maxItemsOne": false
+                                                        }
+                                                    }
+                                                }
+                                            },
                                             "excluded_roles": {
                                                 "maxItemsOne": false,
                                                 "elem": {}
@@ -692,6 +747,26 @@
                                                 "maxItemsOne": false,
                                                 "elem": {}
                                             },
+                                            "included_guests_or_external_users": {
+                                                "maxItemsOne": false,
+                                                "elem": {
+                                                    "fields": {
+                                                        "external_tenants": {
+                                                            "maxItemsOne": false,
+                                                            "elem": {
+                                                                "fields": {
+                                                                    "members": {
+                                                                        "maxItemsOne": false
+                                                                    }
+                                                                }
+                                                            }
+                                                        },
+                                                        "guest_or_external_user_types": {
+                                                            "maxItemsOne": false
+                                                        }
+                                                    }
+                                                }
+                                            },
                                             "included_roles": {
                                                 "maxItemsOne": false,
                                                 "elem": {}
@@ -1600,6 +1675,7 @@
             "azuread:index/applicationFromTemplate:ApplicationFromTemplate": "azuread_application_from_template",
             "azuread:index/applicationIdentifierUri:ApplicationIdentifierUri": "azuread_application_identifier_uri",
             "azuread:index/applicationKnownClients:ApplicationKnownClients": "azuread_application_known_clients",
+            "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims": "azuread_application_optional_claims",
             "azuread:index/applicationOwner:ApplicationOwner": "azuread_application_owner",
             "azuread:index/applicationPassword:ApplicationPassword": "azuread_application_password",
             "azuread:index/applicationPermissionScope:ApplicationPermissionScope": "azuread_application_permission_scope",
@@ -1796,12 +1872,28 @@
             },
             "azuread:index/ConditionalAccessPolicyConditionsUsers:ConditionalAccessPolicyConditionsUsers": {
                 "excludedGroups": "excluded_groups",
+                "excludedGuestsOrExternalUsers": "excluded_guests_or_external_users",
                 "excludedRoles": "excluded_roles",
                 "excludedUsers": "excluded_users",
                 "includedGroups": "included_groups",
+                "includedGuestsOrExternalUsers": "included_guests_or_external_users",
                 "includedRoles": "included_roles",
                 "includedUsers": "included_users"
             },
+            "azuread:index/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser:ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser": {
+                "externalTenants": "external_tenants",
+                "guestOrExternalUserTypes": "guest_or_external_user_types"
+            },
+            "azuread:index/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant:ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant": {
+                "membershipKind": "membership_kind"
+            },
+            "azuread:index/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser:ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser": {
+                "externalTenants": "external_tenants",
+                "guestOrExternalUserTypes": "guest_or_external_user_types"
+            },
+            "azuread:index/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant:ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant": {
+                "membershipKind": "membership_kind"
+            },
             "azuread:index/ConditionalAccessPolicyGrantControls:ConditionalAccessPolicyGrantControls": {
                 "authenticationStrengthPolicyId": "authentication_strength_policy_id",
                 "builtInControls": "built_in_controls",
@@ -1814,6 +1906,8 @@
                 "disableResilienceDefaults": "disable_resilience_defaults",
                 "persistentBrowserMode": "persistent_browser_mode",
                 "signInFrequency": "sign_in_frequency",
+                "signInFrequencyAuthenticationType": "sign_in_frequency_authentication_type",
+                "signInFrequencyInterval": "sign_in_frequency_interval",
                 "signInFrequencyPeriod": "sign_in_frequency_period"
             },
             "azuread:index/CustomDirectoryRolePermission:CustomDirectoryRolePermission": {
@@ -1984,6 +2078,12 @@
                 "applicationId": "application_id",
                 "knownClientIds": "known_client_ids"
             },
+            "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims": {
+                "accessTokens": "access_token",
+                "applicationId": "application_id",
+                "idTokens": "id_token",
+                "saml2Tokens": "saml2_token"
+            },
             "azuread:index/applicationOwner:ApplicationOwner": {
                 "applicationId": "application_id",
                 "ownerObjectId": "owner_object_id"
diff --git a/provider/cmd/pulumi-resource-azuread/schema.json b/provider/cmd/pulumi-resource-azuread/schema.json
index 3ad9dcf78..c576e4c05 100644
--- a/provider/cmd/pulumi-resource-azuread/schema.json
+++ b/provider/cmd/pulumi-resource-azuread/schema.json
@@ -635,7 +635,7 @@
                     "items": {
                         "type": "string"
                     },
-                    "description": "List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.\n"
+                    "description": "List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.\n"
                 },
                 "essential": {
                     "type": "boolean",
@@ -662,7 +662,7 @@
                     "items": {
                         "type": "string"
                     },
-                    "description": "List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.\n"
+                    "description": "List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.\n"
                 },
                 "essential": {
                     "type": "boolean",
@@ -689,7 +689,7 @@
                     "items": {
                         "type": "string"
                     },
-                    "description": "List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.\n"
+                    "description": "List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.\n"
                 },
                 "essential": {
                     "type": "boolean",
@@ -918,7 +918,7 @@
             "properties": {
                 "filter": {
                     "$ref": "#/types/azuread:index/ConditionalAccessPolicyConditionsDevicesFilter:ConditionalAccessPolicyConditionsDevicesFilter",
-                    "description": "A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.\n"
+                    "description": "A `filter` block as described below.\n"
                 }
             },
             "type": "object"
@@ -993,6 +993,13 @@
                     },
                     "description": "A list of group IDs excluded from scope of policy.\n"
                 },
+                "excludedGuestsOrExternalUsers": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser:ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser"
+                    },
+                    "description": "A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.\n"
+                },
                 "excludedRoles": {
                     "type": "array",
                     "items": {
@@ -1014,6 +1021,13 @@
                     },
                     "description": "A list of group IDs in scope of policy unless explicitly excluded.\n"
                 },
+                "includedGuestsOrExternalUsers": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser:ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser"
+                    },
+                    "description": "A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.\n"
+                },
                 "includedRoles": {
                     "type": "array",
                     "items": {
@@ -1026,11 +1040,93 @@
                     "items": {
                         "type": "string"
                     },
-                    "description": "A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.\n\n\u003e At least one of `included_groups`, `included_roles` or `included_users` must be specified.\n"
+                    "description": "A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.\n\n\u003e At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.\n"
                 }
             },
             "type": "object"
         },
+        "azuread:index/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser:ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser": {
+            "properties": {
+                "externalTenants": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant:ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant"
+                    },
+                    "description": "An `external_tenants` block as documented below, which specifies external tenants in a policy scope.\n"
+                },
+                "guestOrExternalUserTypes": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    },
+                    "description": "A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.\n"
+                }
+            },
+            "type": "object",
+            "required": [
+                "guestOrExternalUserTypes"
+            ]
+        },
+        "azuread:index/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant:ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant": {
+            "properties": {
+                "members": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    },
+                    "description": "A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.\n"
+                },
+                "membershipKind": {
+                    "type": "string",
+                    "description": "The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.\n"
+                }
+            },
+            "type": "object",
+            "required": [
+                "membershipKind"
+            ]
+        },
+        "azuread:index/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser:ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser": {
+            "properties": {
+                "externalTenants": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant:ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant"
+                    },
+                    "description": "An `external_tenants` block as documented below, which specifies external tenants in a policy scope.\n"
+                },
+                "guestOrExternalUserTypes": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    },
+                    "description": "A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.\n"
+                }
+            },
+            "type": "object",
+            "required": [
+                "guestOrExternalUserTypes"
+            ]
+        },
+        "azuread:index/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant:ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant": {
+            "properties": {
+                "members": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    },
+                    "description": "A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.\n"
+                },
+                "membershipKind": {
+                    "type": "string",
+                    "description": "The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.\n"
+                }
+            },
+            "type": "object",
+            "required": [
+                "membershipKind"
+            ]
+        },
         "azuread:index/ConditionalAccessPolicyGrantControls:ConditionalAccessPolicyGrantControls": {
             "properties": {
                 "authenticationStrengthPolicyId": {
@@ -1088,11 +1184,19 @@
                 },
                 "signInFrequency": {
                     "type": "integer",
-                    "description": "Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.\n"
+                    "description": "Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.\n"
+                },
+                "signInFrequencyAuthenticationType": {
+                    "type": "string",
+                    "description": "Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.\n"
+                },
+                "signInFrequencyInterval": {
+                    "type": "string",
+                    "description": "The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.\n"
                 },
                 "signInFrequencyPeriod": {
                     "type": "string",
-                    "description": "The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.\n"
+                    "description": "The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.\n"
                 }
             },
             "type": "object"
@@ -3276,7 +3380,7 @@
             }
         },
         "azuread:index/application:Application": {
-            "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n*Create an application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\nimport * as fs from \"fs\";\n\nconst current = azuread.getClientConfig({});\nconst example = new azuread.Application(\"example\", {\n    displayName: \"example\",\n    identifierUris: [\"api://example-app\"],\n    logoImage: Buffer.from(fs.readFileSync(\"/path/to/logo.png\"), 'binary').toString('base64'),\n    owners: [current.then(current =\u003e current.objectId)],\n    signInAudience: \"AzureADMultipleOrgs\",\n    api: {\n        mappedClaimsEnabled: true,\n        requestedAccessTokenVersion: 2,\n        knownClientApplications: [\n            azuread_application.known1.application_id,\n            azuread_application.known2.application_id,\n        ],\n        oauth2PermissionScopes: [\n            {\n                adminConsentDescription: \"Allow the application to access example on behalf of the signed-in user.\",\n                adminConsentDisplayName: \"Access example\",\n                enabled: true,\n                id: \"96183846-204b-4b43-82e1-5d2222eb4b9b\",\n                type: \"User\",\n                userConsentDescription: \"Allow the application to access example on your behalf.\",\n                userConsentDisplayName: \"Access example\",\n                value: \"user_impersonation\",\n            },\n            {\n                adminConsentDescription: \"Administer the example application\",\n                adminConsentDisplayName: \"Administer\",\n                enabled: true,\n                id: \"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\",\n                type: \"Admin\",\n                value: \"administer\",\n            },\n        ],\n    },\n    appRoles: [\n        {\n            allowedMemberTypes: [\n                \"User\",\n                \"Application\",\n            ],\n            description: \"Admins can manage roles and perform all task actions\",\n            displayName: \"Admin\",\n            enabled: true,\n            id: \"1b19509b-32b1-4e9f-b71d-4992aa991967\",\n            value: \"admin\",\n        },\n        {\n            allowedMemberTypes: [\"User\"],\n            description: \"ReadOnly roles have limited query access\",\n            displayName: \"ReadOnly\",\n            enabled: true,\n            id: \"497406e4-012a-4267-bf18-45a1cb148a01\",\n            value: \"User\",\n        },\n    ],\n    featureTags: [{\n        enterprise: true,\n        gallery: true,\n    }],\n    optionalClaims: {\n        accessTokens: [\n            {\n                name: \"myclaim\",\n            },\n            {\n                name: \"otherclaim\",\n            },\n        ],\n        idTokens: [{\n            name: \"userclaim\",\n            source: \"user\",\n            essential: true,\n            additionalProperties: [\"emit_as_roles\"],\n        }],\n        saml2Tokens: [{\n            name: \"samlexample\",\n        }],\n    },\n    requiredResourceAccesses: [\n        {\n            resourceAppId: \"00000003-0000-0000-c000-000000000000\",\n            resourceAccesses: [\n                {\n                    id: \"df021288-bdef-4463-88db-98f22de89214\",\n                    type: \"Role\",\n                },\n                {\n                    id: \"b4e74841-8e56-480b-be8b-910348b18b4c\",\n                    type: \"Scope\",\n                },\n            ],\n        },\n        {\n            resourceAppId: \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\n            resourceAccesses: [{\n                id: \"594c1fb6-4f81-4475-ae41-0c394909246c\",\n                type: \"Role\",\n            }],\n        },\n    ],\n    web: {\n        homepageUrl: \"https://app.example.net\",\n        logoutUrl: \"https://app.example.net/logout\",\n        redirectUris: [\"https://app.example.net/account\"],\n        implicitGrant: {\n            accessTokenIssuanceEnabled: true,\n            idTokenIssuanceEnabled: true,\n        },\n    },\n});\n```\n```python\nimport pulumi\nimport base64\nimport pulumi_azuread as azuread\n\ncurrent = azuread.get_client_config()\nexample = azuread.Application(\"example\",\n    display_name=\"example\",\n    identifier_uris=[\"api://example-app\"],\n    logo_image=(lambda path: base64.b64encode(open(path).read().encode()).decode())(\"/path/to/logo.png\"),\n    owners=[current.object_id],\n    sign_in_audience=\"AzureADMultipleOrgs\",\n    api=azuread.ApplicationApiArgs(\n        mapped_claims_enabled=True,\n        requested_access_token_version=2,\n        known_client_applications=[\n            azuread_application[\"known1\"][\"application_id\"],\n            azuread_application[\"known2\"][\"application_id\"],\n        ],\n        oauth2_permission_scopes=[\n            azuread.ApplicationApiOauth2PermissionScopeArgs(\n                admin_consent_description=\"Allow the application to access example on behalf of the signed-in user.\",\n                admin_consent_display_name=\"Access example\",\n                enabled=True,\n                id=\"96183846-204b-4b43-82e1-5d2222eb4b9b\",\n                type=\"User\",\n                user_consent_description=\"Allow the application to access example on your behalf.\",\n                user_consent_display_name=\"Access example\",\n                value=\"user_impersonation\",\n            ),\n            azuread.ApplicationApiOauth2PermissionScopeArgs(\n                admin_consent_description=\"Administer the example application\",\n                admin_consent_display_name=\"Administer\",\n                enabled=True,\n                id=\"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\",\n                type=\"Admin\",\n                value=\"administer\",\n            ),\n        ],\n    ),\n    app_roles=[\n        azuread.ApplicationAppRoleArgs(\n            allowed_member_types=[\n                \"User\",\n                \"Application\",\n            ],\n            description=\"Admins can manage roles and perform all task actions\",\n            display_name=\"Admin\",\n            enabled=True,\n            id=\"1b19509b-32b1-4e9f-b71d-4992aa991967\",\n            value=\"admin\",\n        ),\n        azuread.ApplicationAppRoleArgs(\n            allowed_member_types=[\"User\"],\n            description=\"ReadOnly roles have limited query access\",\n            display_name=\"ReadOnly\",\n            enabled=True,\n            id=\"497406e4-012a-4267-bf18-45a1cb148a01\",\n            value=\"User\",\n        ),\n    ],\n    feature_tags=[azuread.ApplicationFeatureTagArgs(\n        enterprise=True,\n        gallery=True,\n    )],\n    optional_claims=azuread.ApplicationOptionalClaimsArgs(\n        access_tokens=[\n            azuread.ApplicationOptionalClaimsAccessTokenArgs(\n                name=\"myclaim\",\n            ),\n            azuread.ApplicationOptionalClaimsAccessTokenArgs(\n                name=\"otherclaim\",\n            ),\n        ],\n        id_tokens=[azuread.ApplicationOptionalClaimsIdTokenArgs(\n            name=\"userclaim\",\n            source=\"user\",\n            essential=True,\n            additional_properties=[\"emit_as_roles\"],\n        )],\n        saml2_tokens=[azuread.ApplicationOptionalClaimsSaml2TokenArgs(\n            name=\"samlexample\",\n        )],\n    ),\n    required_resource_accesses=[\n        azuread.ApplicationRequiredResourceAccessArgs(\n            resource_app_id=\"00000003-0000-0000-c000-000000000000\",\n            resource_accesses=[\n                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                    id=\"df021288-bdef-4463-88db-98f22de89214\",\n                    type=\"Role\",\n                ),\n                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                    id=\"b4e74841-8e56-480b-be8b-910348b18b4c\",\n                    type=\"Scope\",\n                ),\n            ],\n        ),\n        azuread.ApplicationRequiredResourceAccessArgs(\n            resource_app_id=\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\n            resource_accesses=[azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                id=\"594c1fb6-4f81-4475-ae41-0c394909246c\",\n                type=\"Role\",\n            )],\n        ),\n    ],\n    web=azuread.ApplicationWebArgs(\n        homepage_url=\"https://app.example.net\",\n        logout_url=\"https://app.example.net/logout\",\n        redirect_uris=[\"https://app.example.net/account\"],\n        implicit_grant=azuread.ApplicationWebImplicitGrantArgs(\n            access_token_issuance_enabled=True,\n            id_token_issuance_enabled=True,\n        ),\n    ))\n```\n```csharp\nusing System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\n\tprivate static string ReadFileBase64(string path) {\n\t\treturn Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(File.ReadAllText(path)));\n\t}\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = AzureAD.GetClientConfig.Invoke();\n\n    var example = new AzureAD.Application(\"example\", new()\n    {\n        DisplayName = \"example\",\n        IdentifierUris = new[]\n        {\n            \"api://example-app\",\n        },\n        LogoImage = ReadFileBase64(\"/path/to/logo.png\"),\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n        SignInAudience = \"AzureADMultipleOrgs\",\n        Api = new AzureAD.Inputs.ApplicationApiArgs\n        {\n            MappedClaimsEnabled = true,\n            RequestedAccessTokenVersion = 2,\n            KnownClientApplications = new[]\n            {\n                azuread_application.Known1.Application_id,\n                azuread_application.Known2.Application_id,\n            },\n            Oauth2PermissionScopes = new[]\n            {\n                new AzureAD.Inputs.ApplicationApiOauth2PermissionScopeArgs\n                {\n                    AdminConsentDescription = \"Allow the application to access example on behalf of the signed-in user.\",\n                    AdminConsentDisplayName = \"Access example\",\n                    Enabled = true,\n                    Id = \"96183846-204b-4b43-82e1-5d2222eb4b9b\",\n                    Type = \"User\",\n                    UserConsentDescription = \"Allow the application to access example on your behalf.\",\n                    UserConsentDisplayName = \"Access example\",\n                    Value = \"user_impersonation\",\n                },\n                new AzureAD.Inputs.ApplicationApiOauth2PermissionScopeArgs\n                {\n                    AdminConsentDescription = \"Administer the example application\",\n                    AdminConsentDisplayName = \"Administer\",\n                    Enabled = true,\n                    Id = \"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\",\n                    Type = \"Admin\",\n                    Value = \"administer\",\n                },\n            },\n        },\n        AppRoles = new[]\n        {\n            new AzureAD.Inputs.ApplicationAppRoleArgs\n            {\n                AllowedMemberTypes = new[]\n                {\n                    \"User\",\n                    \"Application\",\n                },\n                Description = \"Admins can manage roles and perform all task actions\",\n                DisplayName = \"Admin\",\n                Enabled = true,\n                Id = \"1b19509b-32b1-4e9f-b71d-4992aa991967\",\n                Value = \"admin\",\n            },\n            new AzureAD.Inputs.ApplicationAppRoleArgs\n            {\n                AllowedMemberTypes = new[]\n                {\n                    \"User\",\n                },\n                Description = \"ReadOnly roles have limited query access\",\n                DisplayName = \"ReadOnly\",\n                Enabled = true,\n                Id = \"497406e4-012a-4267-bf18-45a1cb148a01\",\n                Value = \"User\",\n            },\n        },\n        FeatureTags = new[]\n        {\n            new AzureAD.Inputs.ApplicationFeatureTagArgs\n            {\n                Enterprise = true,\n                Gallery = true,\n            },\n        },\n        OptionalClaims = new AzureAD.Inputs.ApplicationOptionalClaimsArgs\n        {\n            AccessTokens = new[]\n            {\n                new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs\n                {\n                    Name = \"myclaim\",\n                },\n                new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs\n                {\n                    Name = \"otherclaim\",\n                },\n            },\n            IdTokens = new[]\n            {\n                new AzureAD.Inputs.ApplicationOptionalClaimsIdTokenArgs\n                {\n                    Name = \"userclaim\",\n                    Source = \"user\",\n                    Essential = true,\n                    AdditionalProperties = new[]\n                    {\n                        \"emit_as_roles\",\n                    },\n                },\n            },\n            Saml2Tokens = new[]\n            {\n                new AzureAD.Inputs.ApplicationOptionalClaimsSaml2TokenArgs\n                {\n                    Name = \"samlexample\",\n                },\n            },\n        },\n        RequiredResourceAccesses = new[]\n        {\n            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs\n            {\n                ResourceAppId = \"00000003-0000-0000-c000-000000000000\",\n                ResourceAccesses = new[]\n                {\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = \"df021288-bdef-4463-88db-98f22de89214\",\n                        Type = \"Role\",\n                    },\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = \"b4e74841-8e56-480b-be8b-910348b18b4c\",\n                        Type = \"Scope\",\n                    },\n                },\n            },\n            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs\n            {\n                ResourceAppId = \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\n                ResourceAccesses = new[]\n                {\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = \"594c1fb6-4f81-4475-ae41-0c394909246c\",\n                        Type = \"Role\",\n                    },\n                },\n            },\n        },\n        Web = new AzureAD.Inputs.ApplicationWebArgs\n        {\n            HomepageUrl = \"https://app.example.net\",\n            LogoutUrl = \"https://app.example.net/logout\",\n            RedirectUris = new[]\n            {\n                \"https://app.example.net/account\",\n            },\n            ImplicitGrant = new AzureAD.Inputs.ApplicationWebImplicitGrantArgs\n            {\n                AccessTokenIssuanceEnabled = true,\n                IdTokenIssuanceEnabled = true,\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/base64\"\n\t\"os\"\n\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc filebase64OrPanic(path string) pulumi.StringPtrInput {\n\tif fileData, err := os.ReadFile(path); err == nil {\n\t\treturn pulumi.String(base64.StdEncoding.EncodeToString(fileData[:]))\n\t} else {\n\t\tpanic(err.Error())\n\t}\n}\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcurrent, err := azuread.GetClientConfig(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewApplication(ctx, \"example\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tIdentifierUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"api://example-app\"),\n\t\t\t},\n\t\t\tLogoImage: filebase64OrPanic(\"/path/to/logo.png\"),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t\tSignInAudience: pulumi.String(\"AzureADMultipleOrgs\"),\n\t\t\tApi: \u0026azuread.ApplicationApiArgs{\n\t\t\t\tMappedClaimsEnabled:         pulumi.Bool(true),\n\t\t\t\tRequestedAccessTokenVersion: pulumi.Int(2),\n\t\t\t\tKnownClientApplications: pulumi.StringArray{\n\t\t\t\t\tazuread_application.Known1.Application_id,\n\t\t\t\t\tazuread_application.Known2.Application_id,\n\t\t\t\t},\n\t\t\t\tOauth2PermissionScopes: azuread.ApplicationApiOauth2PermissionScopeArray{\n\t\t\t\t\t\u0026azuread.ApplicationApiOauth2PermissionScopeArgs{\n\t\t\t\t\t\tAdminConsentDescription: pulumi.String(\"Allow the application to access example on behalf of the signed-in user.\"),\n\t\t\t\t\t\tAdminConsentDisplayName: pulumi.String(\"Access example\"),\n\t\t\t\t\t\tEnabled:                 pulumi.Bool(true),\n\t\t\t\t\t\tId:                      pulumi.String(\"96183846-204b-4b43-82e1-5d2222eb4b9b\"),\n\t\t\t\t\t\tType:                    pulumi.String(\"User\"),\n\t\t\t\t\t\tUserConsentDescription:  pulumi.String(\"Allow the application to access example on your behalf.\"),\n\t\t\t\t\t\tUserConsentDisplayName:  pulumi.String(\"Access example\"),\n\t\t\t\t\t\tValue:                   pulumi.String(\"user_impersonation\"),\n\t\t\t\t\t},\n\t\t\t\t\t\u0026azuread.ApplicationApiOauth2PermissionScopeArgs{\n\t\t\t\t\t\tAdminConsentDescription: pulumi.String(\"Administer the example application\"),\n\t\t\t\t\t\tAdminConsentDisplayName: pulumi.String(\"Administer\"),\n\t\t\t\t\t\tEnabled:                 pulumi.Bool(true),\n\t\t\t\t\t\tId:                      pulumi.String(\"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\"),\n\t\t\t\t\t\tType:                    pulumi.String(\"Admin\"),\n\t\t\t\t\t\tValue:                   pulumi.String(\"administer\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tAppRoles: azuread.ApplicationAppRoleTypeArray{\n\t\t\t\t\u0026azuread.ApplicationAppRoleTypeArgs{\n\t\t\t\t\tAllowedMemberTypes: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"User\"),\n\t\t\t\t\t\tpulumi.String(\"Application\"),\n\t\t\t\t\t},\n\t\t\t\t\tDescription: pulumi.String(\"Admins can manage roles and perform all task actions\"),\n\t\t\t\t\tDisplayName: pulumi.String(\"Admin\"),\n\t\t\t\t\tEnabled:     pulumi.Bool(true),\n\t\t\t\t\tId:          pulumi.String(\"1b19509b-32b1-4e9f-b71d-4992aa991967\"),\n\t\t\t\t\tValue:       pulumi.String(\"admin\"),\n\t\t\t\t},\n\t\t\t\t\u0026azuread.ApplicationAppRoleTypeArgs{\n\t\t\t\t\tAllowedMemberTypes: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"User\"),\n\t\t\t\t\t},\n\t\t\t\t\tDescription: pulumi.String(\"ReadOnly roles have limited query access\"),\n\t\t\t\t\tDisplayName: pulumi.String(\"ReadOnly\"),\n\t\t\t\t\tEnabled:     pulumi.Bool(true),\n\t\t\t\t\tId:          pulumi.String(\"497406e4-012a-4267-bf18-45a1cb148a01\"),\n\t\t\t\t\tValue:       pulumi.String(\"User\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tFeatureTags: azuread.ApplicationFeatureTagArray{\n\t\t\t\t\u0026azuread.ApplicationFeatureTagArgs{\n\t\t\t\t\tEnterprise: pulumi.Bool(true),\n\t\t\t\t\tGallery:    pulumi.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t\tOptionalClaims: \u0026azuread.ApplicationOptionalClaimsArgs{\n\t\t\t\tAccessTokens: azuread.ApplicationOptionalClaimsAccessTokenArray{\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsAccessTokenArgs{\n\t\t\t\t\t\tName: pulumi.String(\"myclaim\"),\n\t\t\t\t\t},\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsAccessTokenArgs{\n\t\t\t\t\t\tName: pulumi.String(\"otherclaim\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tIdTokens: azuread.ApplicationOptionalClaimsIdTokenArray{\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsIdTokenArgs{\n\t\t\t\t\t\tName:      pulumi.String(\"userclaim\"),\n\t\t\t\t\t\tSource:    pulumi.String(\"user\"),\n\t\t\t\t\t\tEssential: pulumi.Bool(true),\n\t\t\t\t\t\tAdditionalProperties: pulumi.StringArray{\n\t\t\t\t\t\t\tpulumi.String(\"emit_as_roles\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tSaml2Tokens: azuread.ApplicationOptionalClaimsSaml2TokenArray{\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsSaml2TokenArgs{\n\t\t\t\t\t\tName: pulumi.String(\"samlexample\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tRequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{\n\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessArgs{\n\t\t\t\t\tResourceAppId: pulumi.String(\"00000003-0000-0000-c000-000000000000\"),\n\t\t\t\t\tResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId:   pulumi.String(\"df021288-bdef-4463-88db-98f22de89214\"),\n\t\t\t\t\t\t\tType: pulumi.String(\"Role\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId:   pulumi.String(\"b4e74841-8e56-480b-be8b-910348b18b4c\"),\n\t\t\t\t\t\t\tType: pulumi.String(\"Scope\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessArgs{\n\t\t\t\t\tResourceAppId: pulumi.String(\"c5393580-f805-4401-95e8-94b7a6ef2fc2\"),\n\t\t\t\t\tResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId:   pulumi.String(\"594c1fb6-4f81-4475-ae41-0c394909246c\"),\n\t\t\t\t\t\t\tType: pulumi.String(\"Role\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tWeb: \u0026azuread.ApplicationWebArgs{\n\t\t\t\tHomepageUrl: pulumi.String(\"https://app.example.net\"),\n\t\t\t\tLogoutUrl:   pulumi.String(\"https://app.example.net/logout\"),\n\t\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"https://app.example.net/account\"),\n\t\t\t\t},\n\t\t\t\tImplicitGrant: \u0026azuread.ApplicationWebImplicitGrantArgs{\n\t\t\t\t\tAccessTokenIssuanceEnabled: pulumi.Bool(true),\n\t\t\t\t\tIdTokenIssuanceEnabled:     pulumi.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.inputs.ApplicationApiArgs;\nimport com.pulumi.azuread.inputs.ApplicationAppRoleArgs;\nimport com.pulumi.azuread.inputs.ApplicationFeatureTagArgs;\nimport com.pulumi.azuread.inputs.ApplicationOptionalClaimsArgs;\nimport com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;\nimport com.pulumi.azuread.inputs.ApplicationWebArgs;\nimport com.pulumi.azuread.inputs.ApplicationWebImplicitGrantArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = AzureadFunctions.getClientConfig();\n\n        var example = new Application(\"example\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .identifierUris(\"api://example-app\")\n            .logoImage(Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(\"/path/to/logo.png\"))))\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .signInAudience(\"AzureADMultipleOrgs\")\n            .api(ApplicationApiArgs.builder()\n                .mappedClaimsEnabled(true)\n                .requestedAccessTokenVersion(2)\n                .knownClientApplications(                \n                    azuread_application.known1().application_id(),\n                    azuread_application.known2().application_id())\n                .oauth2PermissionScopes(                \n                    ApplicationApiOauth2PermissionScopeArgs.builder()\n                        .adminConsentDescription(\"Allow the application to access example on behalf of the signed-in user.\")\n                        .adminConsentDisplayName(\"Access example\")\n                        .enabled(true)\n                        .id(\"96183846-204b-4b43-82e1-5d2222eb4b9b\")\n                        .type(\"User\")\n                        .userConsentDescription(\"Allow the application to access example on your behalf.\")\n                        .userConsentDisplayName(\"Access example\")\n                        .value(\"user_impersonation\")\n                        .build(),\n                    ApplicationApiOauth2PermissionScopeArgs.builder()\n                        .adminConsentDescription(\"Administer the example application\")\n                        .adminConsentDisplayName(\"Administer\")\n                        .enabled(true)\n                        .id(\"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\")\n                        .type(\"Admin\")\n                        .value(\"administer\")\n                        .build())\n                .build())\n            .appRoles(            \n                ApplicationAppRoleArgs.builder()\n                    .allowedMemberTypes(                    \n                        \"User\",\n                        \"Application\")\n                    .description(\"Admins can manage roles and perform all task actions\")\n                    .displayName(\"Admin\")\n                    .enabled(true)\n                    .id(\"1b19509b-32b1-4e9f-b71d-4992aa991967\")\n                    .value(\"admin\")\n                    .build(),\n                ApplicationAppRoleArgs.builder()\n                    .allowedMemberTypes(\"User\")\n                    .description(\"ReadOnly roles have limited query access\")\n                    .displayName(\"ReadOnly\")\n                    .enabled(true)\n                    .id(\"497406e4-012a-4267-bf18-45a1cb148a01\")\n                    .value(\"User\")\n                    .build())\n            .featureTags(ApplicationFeatureTagArgs.builder()\n                .enterprise(true)\n                .gallery(true)\n                .build())\n            .optionalClaims(ApplicationOptionalClaimsArgs.builder()\n                .accessTokens(                \n                    ApplicationOptionalClaimsAccessTokenArgs.builder()\n                        .name(\"myclaim\")\n                        .build(),\n                    ApplicationOptionalClaimsAccessTokenArgs.builder()\n                        .name(\"otherclaim\")\n                        .build())\n                .idTokens(ApplicationOptionalClaimsIdTokenArgs.builder()\n                    .name(\"userclaim\")\n                    .source(\"user\")\n                    .essential(true)\n                    .additionalProperties(\"emit_as_roles\")\n                    .build())\n                .saml2Tokens(ApplicationOptionalClaimsSaml2TokenArgs.builder()\n                    .name(\"samlexample\")\n                    .build())\n                .build())\n            .requiredResourceAccesses(            \n                ApplicationRequiredResourceAccessArgs.builder()\n                    .resourceAppId(\"00000003-0000-0000-c000-000000000000\")\n                    .resourceAccesses(                    \n                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                            .id(\"df021288-bdef-4463-88db-98f22de89214\")\n                            .type(\"Role\")\n                            .build(),\n                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                            .id(\"b4e74841-8e56-480b-be8b-910348b18b4c\")\n                            .type(\"Scope\")\n                            .build())\n                    .build(),\n                ApplicationRequiredResourceAccessArgs.builder()\n                    .resourceAppId(\"c5393580-f805-4401-95e8-94b7a6ef2fc2\")\n                    .resourceAccesses(ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                        .id(\"594c1fb6-4f81-4475-ae41-0c394909246c\")\n                        .type(\"Role\")\n                        .build())\n                    .build())\n            .web(ApplicationWebArgs.builder()\n                .homepageUrl(\"https://app.example.net\")\n                .logoutUrl(\"https://app.example.net/logout\")\n                .redirectUris(\"https://app.example.net/account\")\n                .implicitGrant(ApplicationWebImplicitGrantArgs.builder()\n                    .accessTokenIssuanceEnabled(true)\n                    .idTokenIssuanceEnabled(true)\n                    .build())\n                .build())\n            .build());\n\n    }\n}\n```\n\n*Create application from a gallery template*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst exampleApplicationTemplate = azuread.getApplicationTemplate({\n    displayName: \"Marketo\",\n});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    templateId: exampleApplicationTemplate.then(exampleApplicationTemplate =\u003e exampleApplicationTemplate.templateId),\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    applicationId: exampleApplication.applicationId,\n    useExisting: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample_application_template = azuread.get_application_template(display_name=\"Marketo\")\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    template_id=example_application_template.template_id)\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    application_id=example_application.application_id,\n    use_existing=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var exampleApplicationTemplate = AzureAD.GetApplicationTemplate.Invoke(new()\n    {\n        DisplayName = \"Marketo\",\n    });\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        TemplateId = exampleApplicationTemplate.Apply(getApplicationTemplateResult =\u003e getApplicationTemplateResult.TemplateId),\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ApplicationId = exampleApplication.ApplicationId,\n        UseExisting = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texampleApplicationTemplate, err := azuread.GetApplicationTemplate(ctx, \u0026azuread.GetApplicationTemplateArgs{\n\t\t\tDisplayName: pulumi.StringRef(\"Marketo\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tTemplateId:  *pulumi.String(exampleApplicationTemplate.TemplateId),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId: exampleApplication.ApplicationId,\n\t\t\tUseExisting:   pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.inputs.GetApplicationTemplateArgs;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var exampleApplicationTemplate = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()\n            .displayName(\"Marketo\")\n            .build());\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .templateId(exampleApplicationTemplate.applyValue(getApplicationTemplateResult -\u003e getApplicationTemplateResult.templateId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .applicationId(exampleApplication.applicationId())\n            .useExisting(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      templateId: ${exampleApplicationTemplate.templateId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${exampleApplication.applicationId}\n      useExisting: true\nvariables:\n  exampleApplicationTemplate:\n    fn::invoke:\n      Function: azuread:getApplicationTemplate\n      Arguments:\n        displayName: Marketo\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nApplications can be imported using their object ID, e.g.\n\n```sh\n $ pulumi import azuread:index/application:Application example 00000000-0000-0000-0000-000000000000\n```\n\n ",
+            "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n*Create an application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\nimport * as fs from \"fs\";\n\nconst current = azuread.getClientConfig({});\nconst example = new azuread.Application(\"example\", {\n    displayName: \"example\",\n    identifierUris: [\"api://example-app\"],\n    logoImage: Buffer.from(fs.readFileSync(\"/path/to/logo.png\"), 'binary').toString('base64'),\n    owners: [current.then(current =\u003e current.objectId)],\n    signInAudience: \"AzureADMultipleOrgs\",\n    api: {\n        mappedClaimsEnabled: true,\n        requestedAccessTokenVersion: 2,\n        knownClientApplications: [\n            azuread_application.known1.application_id,\n            azuread_application.known2.application_id,\n        ],\n        oauth2PermissionScopes: [\n            {\n                adminConsentDescription: \"Allow the application to access example on behalf of the signed-in user.\",\n                adminConsentDisplayName: \"Access example\",\n                enabled: true,\n                id: \"96183846-204b-4b43-82e1-5d2222eb4b9b\",\n                type: \"User\",\n                userConsentDescription: \"Allow the application to access example on your behalf.\",\n                userConsentDisplayName: \"Access example\",\n                value: \"user_impersonation\",\n            },\n            {\n                adminConsentDescription: \"Administer the example application\",\n                adminConsentDisplayName: \"Administer\",\n                enabled: true,\n                id: \"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\",\n                type: \"Admin\",\n                value: \"administer\",\n            },\n        ],\n    },\n    appRoles: [\n        {\n            allowedMemberTypes: [\n                \"User\",\n                \"Application\",\n            ],\n            description: \"Admins can manage roles and perform all task actions\",\n            displayName: \"Admin\",\n            enabled: true,\n            id: \"1b19509b-32b1-4e9f-b71d-4992aa991967\",\n            value: \"admin\",\n        },\n        {\n            allowedMemberTypes: [\"User\"],\n            description: \"ReadOnly roles have limited query access\",\n            displayName: \"ReadOnly\",\n            enabled: true,\n            id: \"497406e4-012a-4267-bf18-45a1cb148a01\",\n            value: \"User\",\n        },\n    ],\n    featureTags: [{\n        enterprise: true,\n        gallery: true,\n    }],\n    optionalClaims: {\n        accessTokens: [\n            {\n                name: \"myclaim\",\n            },\n            {\n                name: \"otherclaim\",\n            },\n        ],\n        idTokens: [{\n            name: \"userclaim\",\n            source: \"user\",\n            essential: true,\n            additionalProperties: [\"emit_as_roles\"],\n        }],\n        saml2Tokens: [{\n            name: \"samlexample\",\n        }],\n    },\n    requiredResourceAccesses: [\n        {\n            resourceAppId: \"00000003-0000-0000-c000-000000000000\",\n            resourceAccesses: [\n                {\n                    id: \"df021288-bdef-4463-88db-98f22de89214\",\n                    type: \"Role\",\n                },\n                {\n                    id: \"b4e74841-8e56-480b-be8b-910348b18b4c\",\n                    type: \"Scope\",\n                },\n            ],\n        },\n        {\n            resourceAppId: \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\n            resourceAccesses: [{\n                id: \"594c1fb6-4f81-4475-ae41-0c394909246c\",\n                type: \"Role\",\n            }],\n        },\n    ],\n    web: {\n        homepageUrl: \"https://app.example.net\",\n        logoutUrl: \"https://app.example.net/logout\",\n        redirectUris: [\"https://app.example.net/account\"],\n        implicitGrant: {\n            accessTokenIssuanceEnabled: true,\n            idTokenIssuanceEnabled: true,\n        },\n    },\n});\n```\n```python\nimport pulumi\nimport base64\nimport pulumi_azuread as azuread\n\ncurrent = azuread.get_client_config()\nexample = azuread.Application(\"example\",\n    display_name=\"example\",\n    identifier_uris=[\"api://example-app\"],\n    logo_image=(lambda path: base64.b64encode(open(path).read().encode()).decode())(\"/path/to/logo.png\"),\n    owners=[current.object_id],\n    sign_in_audience=\"AzureADMultipleOrgs\",\n    api=azuread.ApplicationApiArgs(\n        mapped_claims_enabled=True,\n        requested_access_token_version=2,\n        known_client_applications=[\n            azuread_application[\"known1\"][\"application_id\"],\n            azuread_application[\"known2\"][\"application_id\"],\n        ],\n        oauth2_permission_scopes=[\n            azuread.ApplicationApiOauth2PermissionScopeArgs(\n                admin_consent_description=\"Allow the application to access example on behalf of the signed-in user.\",\n                admin_consent_display_name=\"Access example\",\n                enabled=True,\n                id=\"96183846-204b-4b43-82e1-5d2222eb4b9b\",\n                type=\"User\",\n                user_consent_description=\"Allow the application to access example on your behalf.\",\n                user_consent_display_name=\"Access example\",\n                value=\"user_impersonation\",\n            ),\n            azuread.ApplicationApiOauth2PermissionScopeArgs(\n                admin_consent_description=\"Administer the example application\",\n                admin_consent_display_name=\"Administer\",\n                enabled=True,\n                id=\"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\",\n                type=\"Admin\",\n                value=\"administer\",\n            ),\n        ],\n    ),\n    app_roles=[\n        azuread.ApplicationAppRoleArgs(\n            allowed_member_types=[\n                \"User\",\n                \"Application\",\n            ],\n            description=\"Admins can manage roles and perform all task actions\",\n            display_name=\"Admin\",\n            enabled=True,\n            id=\"1b19509b-32b1-4e9f-b71d-4992aa991967\",\n            value=\"admin\",\n        ),\n        azuread.ApplicationAppRoleArgs(\n            allowed_member_types=[\"User\"],\n            description=\"ReadOnly roles have limited query access\",\n            display_name=\"ReadOnly\",\n            enabled=True,\n            id=\"497406e4-012a-4267-bf18-45a1cb148a01\",\n            value=\"User\",\n        ),\n    ],\n    feature_tags=[azuread.ApplicationFeatureTagArgs(\n        enterprise=True,\n        gallery=True,\n    )],\n    optional_claims=azuread.ApplicationOptionalClaimsArgs(\n        access_tokens=[\n            azuread.ApplicationOptionalClaimsAccessTokenArgs(\n                name=\"myclaim\",\n            ),\n            azuread.ApplicationOptionalClaimsAccessTokenArgs(\n                name=\"otherclaim\",\n            ),\n        ],\n        id_tokens=[azuread.ApplicationOptionalClaimsIdTokenArgs(\n            name=\"userclaim\",\n            source=\"user\",\n            essential=True,\n            additional_properties=[\"emit_as_roles\"],\n        )],\n        saml2_tokens=[azuread.ApplicationOptionalClaimsSaml2TokenArgs(\n            name=\"samlexample\",\n        )],\n    ),\n    required_resource_accesses=[\n        azuread.ApplicationRequiredResourceAccessArgs(\n            resource_app_id=\"00000003-0000-0000-c000-000000000000\",\n            resource_accesses=[\n                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                    id=\"df021288-bdef-4463-88db-98f22de89214\",\n                    type=\"Role\",\n                ),\n                azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                    id=\"b4e74841-8e56-480b-be8b-910348b18b4c\",\n                    type=\"Scope\",\n                ),\n            ],\n        ),\n        azuread.ApplicationRequiredResourceAccessArgs(\n            resource_app_id=\"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\n            resource_accesses=[azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                id=\"594c1fb6-4f81-4475-ae41-0c394909246c\",\n                type=\"Role\",\n            )],\n        ),\n    ],\n    web=azuread.ApplicationWebArgs(\n        homepage_url=\"https://app.example.net\",\n        logout_url=\"https://app.example.net/logout\",\n        redirect_uris=[\"https://app.example.net/account\"],\n        implicit_grant=azuread.ApplicationWebImplicitGrantArgs(\n            access_token_issuance_enabled=True,\n            id_token_issuance_enabled=True,\n        ),\n    ))\n```\n```csharp\nusing System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\n\tprivate static string ReadFileBase64(string path) {\n\t\treturn Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(File.ReadAllText(path)));\n\t}\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = AzureAD.GetClientConfig.Invoke();\n\n    var example = new AzureAD.Application(\"example\", new()\n    {\n        DisplayName = \"example\",\n        IdentifierUris = new[]\n        {\n            \"api://example-app\",\n        },\n        LogoImage = ReadFileBase64(\"/path/to/logo.png\"),\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n        SignInAudience = \"AzureADMultipleOrgs\",\n        Api = new AzureAD.Inputs.ApplicationApiArgs\n        {\n            MappedClaimsEnabled = true,\n            RequestedAccessTokenVersion = 2,\n            KnownClientApplications = new[]\n            {\n                azuread_application.Known1.Application_id,\n                azuread_application.Known2.Application_id,\n            },\n            Oauth2PermissionScopes = new[]\n            {\n                new AzureAD.Inputs.ApplicationApiOauth2PermissionScopeArgs\n                {\n                    AdminConsentDescription = \"Allow the application to access example on behalf of the signed-in user.\",\n                    AdminConsentDisplayName = \"Access example\",\n                    Enabled = true,\n                    Id = \"96183846-204b-4b43-82e1-5d2222eb4b9b\",\n                    Type = \"User\",\n                    UserConsentDescription = \"Allow the application to access example on your behalf.\",\n                    UserConsentDisplayName = \"Access example\",\n                    Value = \"user_impersonation\",\n                },\n                new AzureAD.Inputs.ApplicationApiOauth2PermissionScopeArgs\n                {\n                    AdminConsentDescription = \"Administer the example application\",\n                    AdminConsentDisplayName = \"Administer\",\n                    Enabled = true,\n                    Id = \"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\",\n                    Type = \"Admin\",\n                    Value = \"administer\",\n                },\n            },\n        },\n        AppRoles = new[]\n        {\n            new AzureAD.Inputs.ApplicationAppRoleArgs\n            {\n                AllowedMemberTypes = new[]\n                {\n                    \"User\",\n                    \"Application\",\n                },\n                Description = \"Admins can manage roles and perform all task actions\",\n                DisplayName = \"Admin\",\n                Enabled = true,\n                Id = \"1b19509b-32b1-4e9f-b71d-4992aa991967\",\n                Value = \"admin\",\n            },\n            new AzureAD.Inputs.ApplicationAppRoleArgs\n            {\n                AllowedMemberTypes = new[]\n                {\n                    \"User\",\n                },\n                Description = \"ReadOnly roles have limited query access\",\n                DisplayName = \"ReadOnly\",\n                Enabled = true,\n                Id = \"497406e4-012a-4267-bf18-45a1cb148a01\",\n                Value = \"User\",\n            },\n        },\n        FeatureTags = new[]\n        {\n            new AzureAD.Inputs.ApplicationFeatureTagArgs\n            {\n                Enterprise = true,\n                Gallery = true,\n            },\n        },\n        OptionalClaims = new AzureAD.Inputs.ApplicationOptionalClaimsArgs\n        {\n            AccessTokens = new[]\n            {\n                new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs\n                {\n                    Name = \"myclaim\",\n                },\n                new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs\n                {\n                    Name = \"otherclaim\",\n                },\n            },\n            IdTokens = new[]\n            {\n                new AzureAD.Inputs.ApplicationOptionalClaimsIdTokenArgs\n                {\n                    Name = \"userclaim\",\n                    Source = \"user\",\n                    Essential = true,\n                    AdditionalProperties = new[]\n                    {\n                        \"emit_as_roles\",\n                    },\n                },\n            },\n            Saml2Tokens = new[]\n            {\n                new AzureAD.Inputs.ApplicationOptionalClaimsSaml2TokenArgs\n                {\n                    Name = \"samlexample\",\n                },\n            },\n        },\n        RequiredResourceAccesses = new[]\n        {\n            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs\n            {\n                ResourceAppId = \"00000003-0000-0000-c000-000000000000\",\n                ResourceAccesses = new[]\n                {\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = \"df021288-bdef-4463-88db-98f22de89214\",\n                        Type = \"Role\",\n                    },\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = \"b4e74841-8e56-480b-be8b-910348b18b4c\",\n                        Type = \"Scope\",\n                    },\n                },\n            },\n            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs\n            {\n                ResourceAppId = \"c5393580-f805-4401-95e8-94b7a6ef2fc2\",\n                ResourceAccesses = new[]\n                {\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = \"594c1fb6-4f81-4475-ae41-0c394909246c\",\n                        Type = \"Role\",\n                    },\n                },\n            },\n        },\n        Web = new AzureAD.Inputs.ApplicationWebArgs\n        {\n            HomepageUrl = \"https://app.example.net\",\n            LogoutUrl = \"https://app.example.net/logout\",\n            RedirectUris = new[]\n            {\n                \"https://app.example.net/account\",\n            },\n            ImplicitGrant = new AzureAD.Inputs.ApplicationWebImplicitGrantArgs\n            {\n                AccessTokenIssuanceEnabled = true,\n                IdTokenIssuanceEnabled = true,\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/base64\"\n\t\"os\"\n\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc filebase64OrPanic(path string) pulumi.StringPtrInput {\n\tif fileData, err := os.ReadFile(path); err == nil {\n\t\treturn pulumi.String(base64.StdEncoding.EncodeToString(fileData[:]))\n\t} else {\n\t\tpanic(err.Error())\n\t}\n}\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcurrent, err := azuread.GetClientConfig(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewApplication(ctx, \"example\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tIdentifierUris: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"api://example-app\"),\n\t\t\t},\n\t\t\tLogoImage: filebase64OrPanic(\"/path/to/logo.png\"),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t\tSignInAudience: pulumi.String(\"AzureADMultipleOrgs\"),\n\t\t\tApi: \u0026azuread.ApplicationApiArgs{\n\t\t\t\tMappedClaimsEnabled:         pulumi.Bool(true),\n\t\t\t\tRequestedAccessTokenVersion: pulumi.Int(2),\n\t\t\t\tKnownClientApplications: pulumi.StringArray{\n\t\t\t\t\tazuread_application.Known1.Application_id,\n\t\t\t\t\tazuread_application.Known2.Application_id,\n\t\t\t\t},\n\t\t\t\tOauth2PermissionScopes: azuread.ApplicationApiOauth2PermissionScopeArray{\n\t\t\t\t\t\u0026azuread.ApplicationApiOauth2PermissionScopeArgs{\n\t\t\t\t\t\tAdminConsentDescription: pulumi.String(\"Allow the application to access example on behalf of the signed-in user.\"),\n\t\t\t\t\t\tAdminConsentDisplayName: pulumi.String(\"Access example\"),\n\t\t\t\t\t\tEnabled:                 pulumi.Bool(true),\n\t\t\t\t\t\tId:                      pulumi.String(\"96183846-204b-4b43-82e1-5d2222eb4b9b\"),\n\t\t\t\t\t\tType:                    pulumi.String(\"User\"),\n\t\t\t\t\t\tUserConsentDescription:  pulumi.String(\"Allow the application to access example on your behalf.\"),\n\t\t\t\t\t\tUserConsentDisplayName:  pulumi.String(\"Access example\"),\n\t\t\t\t\t\tValue:                   pulumi.String(\"user_impersonation\"),\n\t\t\t\t\t},\n\t\t\t\t\t\u0026azuread.ApplicationApiOauth2PermissionScopeArgs{\n\t\t\t\t\t\tAdminConsentDescription: pulumi.String(\"Administer the example application\"),\n\t\t\t\t\t\tAdminConsentDisplayName: pulumi.String(\"Administer\"),\n\t\t\t\t\t\tEnabled:                 pulumi.Bool(true),\n\t\t\t\t\t\tId:                      pulumi.String(\"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\"),\n\t\t\t\t\t\tType:                    pulumi.String(\"Admin\"),\n\t\t\t\t\t\tValue:                   pulumi.String(\"administer\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tAppRoles: azuread.ApplicationAppRoleTypeArray{\n\t\t\t\t\u0026azuread.ApplicationAppRoleTypeArgs{\n\t\t\t\t\tAllowedMemberTypes: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"User\"),\n\t\t\t\t\t\tpulumi.String(\"Application\"),\n\t\t\t\t\t},\n\t\t\t\t\tDescription: pulumi.String(\"Admins can manage roles and perform all task actions\"),\n\t\t\t\t\tDisplayName: pulumi.String(\"Admin\"),\n\t\t\t\t\tEnabled:     pulumi.Bool(true),\n\t\t\t\t\tId:          pulumi.String(\"1b19509b-32b1-4e9f-b71d-4992aa991967\"),\n\t\t\t\t\tValue:       pulumi.String(\"admin\"),\n\t\t\t\t},\n\t\t\t\t\u0026azuread.ApplicationAppRoleTypeArgs{\n\t\t\t\t\tAllowedMemberTypes: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"User\"),\n\t\t\t\t\t},\n\t\t\t\t\tDescription: pulumi.String(\"ReadOnly roles have limited query access\"),\n\t\t\t\t\tDisplayName: pulumi.String(\"ReadOnly\"),\n\t\t\t\t\tEnabled:     pulumi.Bool(true),\n\t\t\t\t\tId:          pulumi.String(\"497406e4-012a-4267-bf18-45a1cb148a01\"),\n\t\t\t\t\tValue:       pulumi.String(\"User\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tFeatureTags: azuread.ApplicationFeatureTagArray{\n\t\t\t\t\u0026azuread.ApplicationFeatureTagArgs{\n\t\t\t\t\tEnterprise: pulumi.Bool(true),\n\t\t\t\t\tGallery:    pulumi.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t\tOptionalClaims: \u0026azuread.ApplicationOptionalClaimsTypeArgs{\n\t\t\t\tAccessTokens: azuread.ApplicationOptionalClaimsAccessTokenArray{\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsAccessTokenArgs{\n\t\t\t\t\t\tName: pulumi.String(\"myclaim\"),\n\t\t\t\t\t},\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsAccessTokenArgs{\n\t\t\t\t\t\tName: pulumi.String(\"otherclaim\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tIdTokens: azuread.ApplicationOptionalClaimsIdTokenArray{\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsIdTokenArgs{\n\t\t\t\t\t\tName:      pulumi.String(\"userclaim\"),\n\t\t\t\t\t\tSource:    pulumi.String(\"user\"),\n\t\t\t\t\t\tEssential: pulumi.Bool(true),\n\t\t\t\t\t\tAdditionalProperties: pulumi.StringArray{\n\t\t\t\t\t\t\tpulumi.String(\"emit_as_roles\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tSaml2Tokens: azuread.ApplicationOptionalClaimsSaml2TokenArray{\n\t\t\t\t\t\u0026azuread.ApplicationOptionalClaimsSaml2TokenArgs{\n\t\t\t\t\t\tName: pulumi.String(\"samlexample\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tRequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{\n\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessArgs{\n\t\t\t\t\tResourceAppId: pulumi.String(\"00000003-0000-0000-c000-000000000000\"),\n\t\t\t\t\tResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId:   pulumi.String(\"df021288-bdef-4463-88db-98f22de89214\"),\n\t\t\t\t\t\t\tType: pulumi.String(\"Role\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId:   pulumi.String(\"b4e74841-8e56-480b-be8b-910348b18b4c\"),\n\t\t\t\t\t\t\tType: pulumi.String(\"Scope\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessArgs{\n\t\t\t\t\tResourceAppId: pulumi.String(\"c5393580-f805-4401-95e8-94b7a6ef2fc2\"),\n\t\t\t\t\tResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId:   pulumi.String(\"594c1fb6-4f81-4475-ae41-0c394909246c\"),\n\t\t\t\t\t\t\tType: pulumi.String(\"Role\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tWeb: \u0026azuread.ApplicationWebArgs{\n\t\t\t\tHomepageUrl: pulumi.String(\"https://app.example.net\"),\n\t\t\t\tLogoutUrl:   pulumi.String(\"https://app.example.net/logout\"),\n\t\t\t\tRedirectUris: pulumi.StringArray{\n\t\t\t\t\tpulumi.String(\"https://app.example.net/account\"),\n\t\t\t\t},\n\t\t\t\tImplicitGrant: \u0026azuread.ApplicationWebImplicitGrantArgs{\n\t\t\t\t\tAccessTokenIssuanceEnabled: pulumi.Bool(true),\n\t\t\t\t\tIdTokenIssuanceEnabled:     pulumi.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.inputs.ApplicationApiArgs;\nimport com.pulumi.azuread.inputs.ApplicationAppRoleArgs;\nimport com.pulumi.azuread.inputs.ApplicationFeatureTagArgs;\nimport com.pulumi.azuread.inputs.ApplicationOptionalClaimsArgs;\nimport com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;\nimport com.pulumi.azuread.inputs.ApplicationWebArgs;\nimport com.pulumi.azuread.inputs.ApplicationWebImplicitGrantArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = AzureadFunctions.getClientConfig();\n\n        var example = new Application(\"example\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .identifierUris(\"api://example-app\")\n            .logoImage(Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(\"/path/to/logo.png\"))))\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .signInAudience(\"AzureADMultipleOrgs\")\n            .api(ApplicationApiArgs.builder()\n                .mappedClaimsEnabled(true)\n                .requestedAccessTokenVersion(2)\n                .knownClientApplications(                \n                    azuread_application.known1().application_id(),\n                    azuread_application.known2().application_id())\n                .oauth2PermissionScopes(                \n                    ApplicationApiOauth2PermissionScopeArgs.builder()\n                        .adminConsentDescription(\"Allow the application to access example on behalf of the signed-in user.\")\n                        .adminConsentDisplayName(\"Access example\")\n                        .enabled(true)\n                        .id(\"96183846-204b-4b43-82e1-5d2222eb4b9b\")\n                        .type(\"User\")\n                        .userConsentDescription(\"Allow the application to access example on your behalf.\")\n                        .userConsentDisplayName(\"Access example\")\n                        .value(\"user_impersonation\")\n                        .build(),\n                    ApplicationApiOauth2PermissionScopeArgs.builder()\n                        .adminConsentDescription(\"Administer the example application\")\n                        .adminConsentDisplayName(\"Administer\")\n                        .enabled(true)\n                        .id(\"be98fa3e-ab5b-4b11-83d9-04ba2b7946bc\")\n                        .type(\"Admin\")\n                        .value(\"administer\")\n                        .build())\n                .build())\n            .appRoles(            \n                ApplicationAppRoleArgs.builder()\n                    .allowedMemberTypes(                    \n                        \"User\",\n                        \"Application\")\n                    .description(\"Admins can manage roles and perform all task actions\")\n                    .displayName(\"Admin\")\n                    .enabled(true)\n                    .id(\"1b19509b-32b1-4e9f-b71d-4992aa991967\")\n                    .value(\"admin\")\n                    .build(),\n                ApplicationAppRoleArgs.builder()\n                    .allowedMemberTypes(\"User\")\n                    .description(\"ReadOnly roles have limited query access\")\n                    .displayName(\"ReadOnly\")\n                    .enabled(true)\n                    .id(\"497406e4-012a-4267-bf18-45a1cb148a01\")\n                    .value(\"User\")\n                    .build())\n            .featureTags(ApplicationFeatureTagArgs.builder()\n                .enterprise(true)\n                .gallery(true)\n                .build())\n            .optionalClaims(ApplicationOptionalClaimsArgs.builder()\n                .accessTokens(                \n                    ApplicationOptionalClaimsAccessTokenArgs.builder()\n                        .name(\"myclaim\")\n                        .build(),\n                    ApplicationOptionalClaimsAccessTokenArgs.builder()\n                        .name(\"otherclaim\")\n                        .build())\n                .idTokens(ApplicationOptionalClaimsIdTokenArgs.builder()\n                    .name(\"userclaim\")\n                    .source(\"user\")\n                    .essential(true)\n                    .additionalProperties(\"emit_as_roles\")\n                    .build())\n                .saml2Tokens(ApplicationOptionalClaimsSaml2TokenArgs.builder()\n                    .name(\"samlexample\")\n                    .build())\n                .build())\n            .requiredResourceAccesses(            \n                ApplicationRequiredResourceAccessArgs.builder()\n                    .resourceAppId(\"00000003-0000-0000-c000-000000000000\")\n                    .resourceAccesses(                    \n                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                            .id(\"df021288-bdef-4463-88db-98f22de89214\")\n                            .type(\"Role\")\n                            .build(),\n                        ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                            .id(\"b4e74841-8e56-480b-be8b-910348b18b4c\")\n                            .type(\"Scope\")\n                            .build())\n                    .build(),\n                ApplicationRequiredResourceAccessArgs.builder()\n                    .resourceAppId(\"c5393580-f805-4401-95e8-94b7a6ef2fc2\")\n                    .resourceAccesses(ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                        .id(\"594c1fb6-4f81-4475-ae41-0c394909246c\")\n                        .type(\"Role\")\n                        .build())\n                    .build())\n            .web(ApplicationWebArgs.builder()\n                .homepageUrl(\"https://app.example.net\")\n                .logoutUrl(\"https://app.example.net/logout\")\n                .redirectUris(\"https://app.example.net/account\")\n                .implicitGrant(ApplicationWebImplicitGrantArgs.builder()\n                    .accessTokenIssuanceEnabled(true)\n                    .idTokenIssuanceEnabled(true)\n                    .build())\n                .build())\n            .build());\n\n    }\n}\n```\n\n*Create application from a gallery template*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst exampleApplicationTemplate = azuread.getApplicationTemplate({\n    displayName: \"Marketo\",\n});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    templateId: exampleApplicationTemplate.then(exampleApplicationTemplate =\u003e exampleApplicationTemplate.templateId),\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    applicationId: exampleApplication.applicationId,\n    useExisting: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample_application_template = azuread.get_application_template(display_name=\"Marketo\")\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    template_id=example_application_template.template_id)\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    application_id=example_application.application_id,\n    use_existing=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var exampleApplicationTemplate = AzureAD.GetApplicationTemplate.Invoke(new()\n    {\n        DisplayName = \"Marketo\",\n    });\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        TemplateId = exampleApplicationTemplate.Apply(getApplicationTemplateResult =\u003e getApplicationTemplateResult.TemplateId),\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ApplicationId = exampleApplication.ApplicationId,\n        UseExisting = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texampleApplicationTemplate, err := azuread.GetApplicationTemplate(ctx, \u0026azuread.GetApplicationTemplateArgs{\n\t\t\tDisplayName: pulumi.StringRef(\"Marketo\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tTemplateId:  *pulumi.String(exampleApplicationTemplate.TemplateId),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId: exampleApplication.ApplicationId,\n\t\t\tUseExisting:   pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.inputs.GetApplicationTemplateArgs;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var exampleApplicationTemplate = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()\n            .displayName(\"Marketo\")\n            .build());\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .templateId(exampleApplicationTemplate.applyValue(getApplicationTemplateResult -\u003e getApplicationTemplateResult.templateId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .applicationId(exampleApplication.applicationId())\n            .useExisting(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      templateId: ${exampleApplicationTemplate.templateId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${exampleApplication.applicationId}\n      useExisting: true\nvariables:\n  exampleApplicationTemplate:\n    fn::invoke:\n      Function: azuread:getApplicationTemplate\n      Arguments:\n        displayName: Marketo\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nApplications can be imported using their object ID, e.g.\n\n```sh\n $ pulumi import azuread:index/application:Application example 00000000-0000-0000-0000-000000000000\n```\n\n ",
             "properties": {
                 "api": {
                     "$ref": "#/types/azuread:index/ApplicationApi:ApplicationApi",
@@ -4504,6 +4608,102 @@
                 "type": "object"
             }
         },
+        "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims": {
+            "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst exampleApplicationRegistration = new azuread.ApplicationRegistration(\"exampleApplicationRegistration\", {displayName: \"example\"});\nconst exampleApplicationOptionalClaims = new azuread.ApplicationOptionalClaims(\"exampleApplicationOptionalClaims\", {\n    applicationId: exampleApplicationRegistration.id,\n    accessTokens: [\n        {\n            name: \"myclaim\",\n        },\n        {\n            name: \"otherclaim\",\n        },\n    ],\n    idTokens: [{\n        name: \"userclaim\",\n        source: \"user\",\n        essential: true,\n        additionalProperties: [\"emit_as_roles\"],\n    }],\n    saml2Tokens: [{\n        name: \"samlexample\",\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample_application_registration = azuread.ApplicationRegistration(\"exampleApplicationRegistration\", display_name=\"example\")\nexample_application_optional_claims = azuread.ApplicationOptionalClaims(\"exampleApplicationOptionalClaims\",\n    application_id=example_application_registration.id,\n    access_tokens=[\n        azuread.ApplicationOptionalClaimsAccessTokenArgs(\n            name=\"myclaim\",\n        ),\n        azuread.ApplicationOptionalClaimsAccessTokenArgs(\n            name=\"otherclaim\",\n        ),\n    ],\n    id_tokens=[azuread.ApplicationOptionalClaimsIdTokenArgs(\n        name=\"userclaim\",\n        source=\"user\",\n        essential=True,\n        additional_properties=[\"emit_as_roles\"],\n    )],\n    saml2_tokens=[azuread.ApplicationOptionalClaimsSaml2TokenArgs(\n        name=\"samlexample\",\n    )])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var exampleApplicationRegistration = new AzureAD.ApplicationRegistration(\"exampleApplicationRegistration\", new()\n    {\n        DisplayName = \"example\",\n    });\n\n    var exampleApplicationOptionalClaims = new AzureAD.ApplicationOptionalClaims(\"exampleApplicationOptionalClaims\", new()\n    {\n        ApplicationId = exampleApplicationRegistration.Id,\n        AccessTokens = new[]\n        {\n            new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs\n            {\n                Name = \"myclaim\",\n            },\n            new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs\n            {\n                Name = \"otherclaim\",\n            },\n        },\n        IdTokens = new[]\n        {\n            new AzureAD.Inputs.ApplicationOptionalClaimsIdTokenArgs\n            {\n                Name = \"userclaim\",\n                Source = \"user\",\n                Essential = true,\n                AdditionalProperties = new[]\n                {\n                    \"emit_as_roles\",\n                },\n            },\n        },\n        Saml2Tokens = new[]\n        {\n            new AzureAD.Inputs.ApplicationOptionalClaimsSaml2TokenArgs\n            {\n                Name = \"samlexample\",\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texampleApplicationRegistration, err := azuread.NewApplicationRegistration(ctx, \"exampleApplicationRegistration\", \u0026azuread.ApplicationRegistrationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewApplicationOptionalClaims(ctx, \"exampleApplicationOptionalClaims\", \u0026azuread.ApplicationOptionalClaimsArgs{\n\t\t\tApplicationId: exampleApplicationRegistration.ID(),\n\t\t\tAccessTokens: azuread.ApplicationOptionalClaimsAccessTokenArray{\n\t\t\t\t\u0026azuread.ApplicationOptionalClaimsAccessTokenArgs{\n\t\t\t\t\tName: pulumi.String(\"myclaim\"),\n\t\t\t\t},\n\t\t\t\t\u0026azuread.ApplicationOptionalClaimsAccessTokenArgs{\n\t\t\t\t\tName: pulumi.String(\"otherclaim\"),\n\t\t\t\t},\n\t\t\t},\n\t\t\tIdTokens: azuread.ApplicationOptionalClaimsIdTokenArray{\n\t\t\t\t\u0026azuread.ApplicationOptionalClaimsIdTokenArgs{\n\t\t\t\t\tName:      pulumi.String(\"userclaim\"),\n\t\t\t\t\tSource:    pulumi.String(\"user\"),\n\t\t\t\t\tEssential: pulumi.Bool(true),\n\t\t\t\t\tAdditionalProperties: pulumi.StringArray{\n\t\t\t\t\t\tpulumi.String(\"emit_as_roles\"),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tSaml2Tokens: azuread.ApplicationOptionalClaimsSaml2TokenArray{\n\t\t\t\t\u0026azuread.ApplicationOptionalClaimsSaml2TokenArgs{\n\t\t\t\t\tName: pulumi.String(\"samlexample\"),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.ApplicationRegistration;\nimport com.pulumi.azuread.ApplicationRegistrationArgs;\nimport com.pulumi.azuread.ApplicationOptionalClaims;\nimport com.pulumi.azuread.ApplicationOptionalClaimsArgs;\nimport com.pulumi.azuread.inputs.ApplicationOptionalClaimsAccessTokenArgs;\nimport com.pulumi.azuread.inputs.ApplicationOptionalClaimsIdTokenArgs;\nimport com.pulumi.azuread.inputs.ApplicationOptionalClaimsSaml2TokenArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var exampleApplicationRegistration = new ApplicationRegistration(\"exampleApplicationRegistration\", ApplicationRegistrationArgs.builder()        \n            .displayName(\"example\")\n            .build());\n\n        var exampleApplicationOptionalClaims = new ApplicationOptionalClaims(\"exampleApplicationOptionalClaims\", ApplicationOptionalClaimsArgs.builder()        \n            .applicationId(exampleApplicationRegistration.id())\n            .accessTokens(            \n                ApplicationOptionalClaimsAccessTokenArgs.builder()\n                    .name(\"myclaim\")\n                    .build(),\n                ApplicationOptionalClaimsAccessTokenArgs.builder()\n                    .name(\"otherclaim\")\n                    .build())\n            .idTokens(ApplicationOptionalClaimsIdTokenArgs.builder()\n                .name(\"userclaim\")\n                .source(\"user\")\n                .essential(true)\n                .additionalProperties(\"emit_as_roles\")\n                .build())\n            .saml2Tokens(ApplicationOptionalClaimsSaml2TokenArgs.builder()\n                .name(\"samlexample\")\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplicationRegistration:\n    type: azuread:ApplicationRegistration\n    properties:\n      displayName: example\n  exampleApplicationOptionalClaims:\n    type: azuread:ApplicationOptionalClaims\n    properties:\n      applicationId: ${exampleApplicationRegistration.id}\n      accessTokens:\n        - name: myclaim\n        - name: otherclaim\n      idTokens:\n        - name: userclaim\n          source: user\n          essential: true\n          additionalProperties:\n            - emit_as_roles\n      saml2Tokens:\n        - name: samlexample\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nApplication Optional Claims can be imported using the object ID of the application, in the following format.\n\n```sh\n $ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000\n```\n\n ",
+            "properties": {
+                "accessTokens": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ApplicationOptionalClaimsAccessToken:ApplicationOptionalClaimsAccessToken"
+                    },
+                    "description": "One or more `access_token` blocks as documented below.\n"
+                },
+                "applicationId": {
+                    "type": "string",
+                    "description": "The resource ID of the application registration. Changing this forces a new resource to be created.\n"
+                },
+                "idTokens": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ApplicationOptionalClaimsIdToken:ApplicationOptionalClaimsIdToken"
+                    },
+                    "description": "One or more `id_token` blocks as documented below.\n"
+                },
+                "saml2Tokens": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ApplicationOptionalClaimsSaml2Token:ApplicationOptionalClaimsSaml2Token"
+                    },
+                    "description": "One or more `saml2_token` blocks as documented below.\n\n\u003e At least one of `access_token`, `id_token` or `saml2_token` must be specified\n"
+                }
+            },
+            "required": [
+                "applicationId"
+            ],
+            "inputProperties": {
+                "accessTokens": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ApplicationOptionalClaimsAccessToken:ApplicationOptionalClaimsAccessToken"
+                    },
+                    "description": "One or more `access_token` blocks as documented below.\n"
+                },
+                "applicationId": {
+                    "type": "string",
+                    "description": "The resource ID of the application registration. Changing this forces a new resource to be created.\n",
+                    "willReplaceOnChanges": true
+                },
+                "idTokens": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ApplicationOptionalClaimsIdToken:ApplicationOptionalClaimsIdToken"
+                    },
+                    "description": "One or more `id_token` blocks as documented below.\n"
+                },
+                "saml2Tokens": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/types/azuread:index/ApplicationOptionalClaimsSaml2Token:ApplicationOptionalClaimsSaml2Token"
+                    },
+                    "description": "One or more `saml2_token` blocks as documented below.\n\n\u003e At least one of `access_token`, `id_token` or `saml2_token` must be specified\n"
+                }
+            },
+            "requiredInputs": [
+                "applicationId"
+            ],
+            "stateInputs": {
+                "description": "Input properties used for looking up and filtering ApplicationOptionalClaims resources.\n",
+                "properties": {
+                    "accessTokens": {
+                        "type": "array",
+                        "items": {
+                            "$ref": "#/types/azuread:index/ApplicationOptionalClaimsAccessToken:ApplicationOptionalClaimsAccessToken"
+                        },
+                        "description": "One or more `access_token` blocks as documented below.\n"
+                    },
+                    "applicationId": {
+                        "type": "string",
+                        "description": "The resource ID of the application registration. Changing this forces a new resource to be created.\n",
+                        "willReplaceOnChanges": true
+                    },
+                    "idTokens": {
+                        "type": "array",
+                        "items": {
+                            "$ref": "#/types/azuread:index/ApplicationOptionalClaimsIdToken:ApplicationOptionalClaimsIdToken"
+                        },
+                        "description": "One or more `id_token` blocks as documented below.\n"
+                    },
+                    "saml2Tokens": {
+                        "type": "array",
+                        "items": {
+                            "$ref": "#/types/azuread:index/ApplicationOptionalClaimsSaml2Token:ApplicationOptionalClaimsSaml2Token"
+                        },
+                        "description": "One or more `saml2_token` blocks as documented below.\n\n\u003e At least one of `access_token`, `id_token` or `saml2_token` must be specified\n"
+                    }
+                },
+                "type": "object"
+            }
+        },
         "azuread:index/applicationOwner:ApplicationOwner": {
             "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst example = new azuread.ApplicationRegistration(\"example\", {displayName: \"example\"});\nconst jane = new azuread.User(\"jane\", {\n    userPrincipalName: \"jane.fischer@hashitown.com\",\n    displayName: \"Jane Fischer\",\n    password: \"Ch@ngeMe\",\n});\nconst exampleJane = new azuread.ApplicationOwner(\"exampleJane\", {\n    applicationId: example.id,\n    ownerObjectId: jane.objectId,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample = azuread.ApplicationRegistration(\"example\", display_name=\"example\")\njane = azuread.User(\"jane\",\n    user_principal_name=\"jane.fischer@hashitown.com\",\n    display_name=\"Jane Fischer\",\n    password=\"Ch@ngeMe\")\nexample_jane = azuread.ApplicationOwner(\"exampleJane\",\n    application_id=example.id,\n    owner_object_id=jane.object_id)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var example = new AzureAD.ApplicationRegistration(\"example\", new()\n    {\n        DisplayName = \"example\",\n    });\n\n    var jane = new AzureAD.User(\"jane\", new()\n    {\n        UserPrincipalName = \"jane.fischer@hashitown.com\",\n        DisplayName = \"Jane Fischer\",\n        Password = \"Ch@ngeMe\",\n    });\n\n    var exampleJane = new AzureAD.ApplicationOwner(\"exampleJane\", new()\n    {\n        ApplicationId = example.Id,\n        OwnerObjectId = jane.ObjectId,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := azuread.NewApplicationRegistration(ctx, \"example\", \u0026azuread.ApplicationRegistrationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjane, err := azuread.NewUser(ctx, \"jane\", \u0026azuread.UserArgs{\n\t\t\tUserPrincipalName: pulumi.String(\"jane.fischer@hashitown.com\"),\n\t\t\tDisplayName:       pulumi.String(\"Jane Fischer\"),\n\t\t\tPassword:          pulumi.String(\"Ch@ngeMe\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewApplicationOwner(ctx, \"exampleJane\", \u0026azuread.ApplicationOwnerArgs{\n\t\t\tApplicationId: example.ID(),\n\t\t\tOwnerObjectId: jane.ObjectId,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.ApplicationRegistration;\nimport com.pulumi.azuread.ApplicationRegistrationArgs;\nimport com.pulumi.azuread.User;\nimport com.pulumi.azuread.UserArgs;\nimport com.pulumi.azuread.ApplicationOwner;\nimport com.pulumi.azuread.ApplicationOwnerArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        var example = new ApplicationRegistration(\"example\", ApplicationRegistrationArgs.builder()        \n            .displayName(\"example\")\n            .build());\n\n        var jane = new User(\"jane\", UserArgs.builder()        \n            .userPrincipalName(\"jane.fischer@hashitown.com\")\n            .displayName(\"Jane Fischer\")\n            .password(\"Ch@ngeMe\")\n            .build());\n\n        var exampleJane = new ApplicationOwner(\"exampleJane\", ApplicationOwnerArgs.builder()        \n            .applicationId(example.id())\n            .ownerObjectId(jane.objectId())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  example:\n    type: azuread:ApplicationRegistration\n    properties:\n      displayName: example\n  jane:\n    type: azuread:User\n    properties:\n      userPrincipalName: jane.fischer@hashitown.com\n      displayName: Jane Fischer\n      password: Ch@ngeMe\n  exampleJane:\n    type: azuread:ApplicationOwner\n    properties:\n      applicationId: ${example.id}\n      ownerObjectId: ${jane.objectId}\n```\n\n\u003e **Tip** For managing more application owners, create additional instances of this resource\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nApplication Owners can be imported using the object ID of the application and the object ID of the owner, in the following format.\n\n```sh\n $ pulumi import azuread:index/applicationOwner:ApplicationOwner example /applications/00000000-0000-0000-0000-000000000000/owners/11111111-1111-1111-1111-111111111111\n```\n\n ",
             "properties": {
@@ -6531,7 +6731,7 @@
             }
         },
         "azuread:index/servicePrincipal:ServicePrincipal": {
-            "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n*Create a service principal for an application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst current = azuread.getClientConfig({});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    owners: [current.then(current =\u003e current.objectId)],\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    applicationId: exampleApplication.applicationId,\n    appRoleAssignmentRequired: false,\n    owners: [current.then(current =\u003e current.objectId)],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\ncurrent = azuread.get_client_config()\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    owners=[current.object_id])\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    application_id=example_application.application_id,\n    app_role_assignment_required=False,\n    owners=[current.object_id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = AzureAD.GetClientConfig.Invoke();\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ApplicationId = exampleApplication.ApplicationId,\n        AppRoleAssignmentRequired = false,\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcurrent, err := azuread.GetClientConfig(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId:             exampleApplication.ApplicationId,\n\t\t\tAppRoleAssignmentRequired: pulumi.Bool(false),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = AzureadFunctions.getClientConfig();\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .applicationId(exampleApplication.applicationId())\n            .appRoleAssignmentRequired(false)\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      owners:\n        - ${current.objectId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${exampleApplication.applicationId}\n      appRoleAssignmentRequired: false\n      owners:\n        - ${current.objectId}\nvariables:\n  current:\n    fn::invoke:\n      Function: azuread:getClientConfig\n      Arguments: {}\n```\n\n*Create a service principal for an enterprise application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst current = azuread.getClientConfig({});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    owners: [current.then(current =\u003e current.objectId)],\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    applicationId: exampleApplication.applicationId,\n    appRoleAssignmentRequired: false,\n    owners: [current.then(current =\u003e current.objectId)],\n    featureTags: [{\n        enterprise: true,\n        gallery: true,\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\ncurrent = azuread.get_client_config()\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    owners=[current.object_id])\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    application_id=example_application.application_id,\n    app_role_assignment_required=False,\n    owners=[current.object_id],\n    feature_tags=[azuread.ServicePrincipalFeatureTagArgs(\n        enterprise=True,\n        gallery=True,\n    )])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = AzureAD.GetClientConfig.Invoke();\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ApplicationId = exampleApplication.ApplicationId,\n        AppRoleAssignmentRequired = false,\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n        FeatureTags = new[]\n        {\n            new AzureAD.Inputs.ServicePrincipalFeatureTagArgs\n            {\n                Enterprise = true,\n                Gallery = true,\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcurrent, err := azuread.GetClientConfig(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId:             exampleApplication.ApplicationId,\n\t\t\tAppRoleAssignmentRequired: pulumi.Bool(false),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t\tFeatureTags: azuread.ServicePrincipalFeatureTagArray{\n\t\t\t\t\u0026azuread.ServicePrincipalFeatureTagArgs{\n\t\t\t\t\tEnterprise: pulumi.Bool(true),\n\t\t\t\t\tGallery:    pulumi.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = AzureadFunctions.getClientConfig();\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .applicationId(exampleApplication.applicationId())\n            .appRoleAssignmentRequired(false)\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .featureTags(ServicePrincipalFeatureTagArgs.builder()\n                .enterprise(true)\n                .gallery(true)\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      owners:\n        - ${current.objectId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${exampleApplication.applicationId}\n      appRoleAssignmentRequired: false\n      owners:\n        - ${current.objectId}\n      featureTags:\n        - enterprise: true\n          gallery: true\nvariables:\n  current:\n    fn::invoke:\n      Function: azuread:getClientConfig\n      Arguments: {}\n```\n\n*Manage a service principal for a first-party Microsoft application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst wellKnown = azuread.getApplicationPublishedAppIds({});\nconst msgraph = new azuread.ServicePrincipal(\"msgraph\", {\n    applicationId: wellKnown.then(wellKnown =\u003e wellKnown.result?.MicrosoftGraph),\n    useExisting: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nwell_known = azuread.get_application_published_app_ids()\nmsgraph = azuread.ServicePrincipal(\"msgraph\",\n    application_id=well_known.result[\"MicrosoftGraph\"],\n    use_existing=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();\n\n    var msgraph = new AzureAD.ServicePrincipal(\"msgraph\", new()\n    {\n        ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),\n        UseExisting = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\twellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"msgraph\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),\n\t\t\tUseExisting:   pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();\n\n        var msgraph = new ServicePrincipal(\"msgraph\", ServicePrincipalArgs.builder()        \n            .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))\n            .useExisting(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  msgraph:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${wellKnown.result.MicrosoftGraph}\n      useExisting: true\nvariables:\n  wellKnown:\n    fn::invoke:\n      Function: azuread:getApplicationPublishedAppIds\n      Arguments: {}\n```\n\n*Create a service principal for an application created from a gallery template*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst exampleApplicationTemplate = azuread.getApplicationTemplate({\n    displayName: \"Marketo\",\n});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    templateId: exampleApplicationTemplate.then(exampleApplicationTemplate =\u003e exampleApplicationTemplate.templateId),\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    applicationId: exampleApplication.applicationId,\n    useExisting: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample_application_template = azuread.get_application_template(display_name=\"Marketo\")\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    template_id=example_application_template.template_id)\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    application_id=example_application.application_id,\n    use_existing=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var exampleApplicationTemplate = AzureAD.GetApplicationTemplate.Invoke(new()\n    {\n        DisplayName = \"Marketo\",\n    });\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        TemplateId = exampleApplicationTemplate.Apply(getApplicationTemplateResult =\u003e getApplicationTemplateResult.TemplateId),\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ApplicationId = exampleApplication.ApplicationId,\n        UseExisting = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texampleApplicationTemplate, err := azuread.GetApplicationTemplate(ctx, \u0026azuread.GetApplicationTemplateArgs{\n\t\t\tDisplayName: pulumi.StringRef(\"Marketo\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tTemplateId:  *pulumi.String(exampleApplicationTemplate.TemplateId),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId: exampleApplication.ApplicationId,\n\t\t\tUseExisting:   pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.inputs.GetApplicationTemplateArgs;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var exampleApplicationTemplate = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()\n            .displayName(\"Marketo\")\n            .build());\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .templateId(exampleApplicationTemplate.applyValue(getApplicationTemplateResult -\u003e getApplicationTemplateResult.templateId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .applicationId(exampleApplication.applicationId())\n            .useExisting(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      templateId: ${exampleApplicationTemplate.templateId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${exampleApplication.applicationId}\n      useExisting: true\nvariables:\n  exampleApplicationTemplate:\n    fn::invoke:\n      Function: azuread:getApplicationTemplate\n      Arguments:\n        displayName: Marketo\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nService principals can be imported using their object ID, e.g.\n\n```sh\n $ pulumi import azuread:index/servicePrincipal:ServicePrincipal example 00000000-0000-0000-0000-000000000000\n```\n\n ",
+            "description": "{{% examples %}}\n## Example Usage\n{{% example %}}\n\n*Create a service principal for an application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst current = azuread.getClientConfig({});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    owners: [current.then(current =\u003e current.objectId)],\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    clientId: exampleApplication.clientId,\n    appRoleAssignmentRequired: false,\n    owners: [current.then(current =\u003e current.objectId)],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\ncurrent = azuread.get_client_config()\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    owners=[current.object_id])\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    client_id=example_application.client_id,\n    app_role_assignment_required=False,\n    owners=[current.object_id])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = AzureAD.GetClientConfig.Invoke();\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ClientId = exampleApplication.ClientId,\n        AppRoleAssignmentRequired = false,\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcurrent, err := azuread.GetClientConfig(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tClientId:                  exampleApplication.ClientId,\n\t\t\tAppRoleAssignmentRequired: pulumi.Bool(false),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = AzureadFunctions.getClientConfig();\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .clientId(exampleApplication.clientId())\n            .appRoleAssignmentRequired(false)\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      owners:\n        - ${current.objectId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      clientId: ${exampleApplication.clientId}\n      appRoleAssignmentRequired: false\n      owners:\n        - ${current.objectId}\nvariables:\n  current:\n    fn::invoke:\n      Function: azuread:getClientConfig\n      Arguments: {}\n```\n\n*Create a service principal for an enterprise application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst current = azuread.getClientConfig({});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    owners: [current.then(current =\u003e current.objectId)],\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    clientId: exampleApplication.clientId,\n    appRoleAssignmentRequired: false,\n    owners: [current.then(current =\u003e current.objectId)],\n    featureTags: [{\n        enterprise: true,\n        gallery: true,\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\ncurrent = azuread.get_client_config()\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    owners=[current.object_id])\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    client_id=example_application.client_id,\n    app_role_assignment_required=False,\n    owners=[current.object_id],\n    feature_tags=[azuread.ServicePrincipalFeatureTagArgs(\n        enterprise=True,\n        gallery=True,\n    )])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var current = AzureAD.GetClientConfig.Invoke();\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ClientId = exampleApplication.ClientId,\n        AppRoleAssignmentRequired = false,\n        Owners = new[]\n        {\n            current.Apply(getClientConfigResult =\u003e getClientConfigResult.ObjectId),\n        },\n        FeatureTags = new[]\n        {\n            new AzureAD.Inputs.ServicePrincipalFeatureTagArgs\n            {\n                Enterprise = true,\n                Gallery = true,\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tcurrent, err := azuread.GetClientConfig(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tClientId:                  exampleApplication.ClientId,\n\t\t\tAppRoleAssignmentRequired: pulumi.Bool(false),\n\t\t\tOwners: pulumi.StringArray{\n\t\t\t\t*pulumi.String(current.ObjectId),\n\t\t\t},\n\t\t\tFeatureTags: azuread.ServicePrincipalFeatureTagArray{\n\t\t\t\t\u0026azuread.ServicePrincipalFeatureTagArgs{\n\t\t\t\t\tEnterprise: pulumi.Bool(true),\n\t\t\t\t\tGallery:    pulumi.Bool(true),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport com.pulumi.azuread.inputs.ServicePrincipalFeatureTagArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var current = AzureadFunctions.getClientConfig();\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .clientId(exampleApplication.clientId())\n            .appRoleAssignmentRequired(false)\n            .owners(current.applyValue(getClientConfigResult -\u003e getClientConfigResult.objectId()))\n            .featureTags(ServicePrincipalFeatureTagArgs.builder()\n                .enterprise(true)\n                .gallery(true)\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      owners:\n        - ${current.objectId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      clientId: ${exampleApplication.clientId}\n      appRoleAssignmentRequired: false\n      owners:\n        - ${current.objectId}\n      featureTags:\n        - enterprise: true\n          gallery: true\nvariables:\n  current:\n    fn::invoke:\n      Function: azuread:getClientConfig\n      Arguments: {}\n```\n\n*Manage a service principal for a first-party Microsoft application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst wellKnown = azuread.getApplicationPublishedAppIds({});\nconst msgraph = new azuread.ServicePrincipal(\"msgraph\", {\n    clientId: wellKnown.then(wellKnown =\u003e wellKnown.result?.MicrosoftGraph),\n    useExisting: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nwell_known = azuread.get_application_published_app_ids()\nmsgraph = azuread.ServicePrincipal(\"msgraph\",\n    client_id=well_known.result[\"MicrosoftGraph\"],\n    use_existing=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();\n\n    var msgraph = new AzureAD.ServicePrincipal(\"msgraph\", new()\n    {\n        ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),\n        UseExisting = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\twellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"msgraph\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tClientId:    *pulumi.String(wellKnown.Result.MicrosoftGraph),\n\t\t\tUseExisting: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();\n\n        var msgraph = new ServicePrincipal(\"msgraph\", ServicePrincipalArgs.builder()        \n            .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))\n            .useExisting(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  msgraph:\n    type: azuread:ServicePrincipal\n    properties:\n      clientId: ${wellKnown.result.MicrosoftGraph}\n      useExisting: true\nvariables:\n  wellKnown:\n    fn::invoke:\n      Function: azuread:getApplicationPublishedAppIds\n      Arguments: {}\n```\n\n*Create a service principal for an application created from a gallery template*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst exampleApplicationTemplate = azuread.getApplicationTemplate({\n    displayName: \"Marketo\",\n});\nconst exampleApplication = new azuread.Application(\"exampleApplication\", {\n    displayName: \"example\",\n    templateId: exampleApplicationTemplate.then(exampleApplicationTemplate =\u003e exampleApplicationTemplate.templateId),\n});\nconst exampleServicePrincipal = new azuread.ServicePrincipal(\"exampleServicePrincipal\", {\n    clientId: exampleApplication.clientId,\n    useExisting: true,\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nexample_application_template = azuread.get_application_template(display_name=\"Marketo\")\nexample_application = azuread.Application(\"exampleApplication\",\n    display_name=\"example\",\n    template_id=example_application_template.template_id)\nexample_service_principal = azuread.ServicePrincipal(\"exampleServicePrincipal\",\n    client_id=example_application.client_id,\n    use_existing=True)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var exampleApplicationTemplate = AzureAD.GetApplicationTemplate.Invoke(new()\n    {\n        DisplayName = \"Marketo\",\n    });\n\n    var exampleApplication = new AzureAD.Application(\"exampleApplication\", new()\n    {\n        DisplayName = \"example\",\n        TemplateId = exampleApplicationTemplate.Apply(getApplicationTemplateResult =\u003e getApplicationTemplateResult.TemplateId),\n    });\n\n    var exampleServicePrincipal = new AzureAD.ServicePrincipal(\"exampleServicePrincipal\", new()\n    {\n        ClientId = exampleApplication.ClientId,\n        UseExisting = true,\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texampleApplicationTemplate, err := azuread.GetApplicationTemplate(ctx, \u0026azuread.GetApplicationTemplateArgs{\n\t\t\tDisplayName: pulumi.StringRef(\"Marketo\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\texampleApplication, err := azuread.NewApplication(ctx, \"exampleApplication\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tTemplateId:  *pulumi.String(exampleApplicationTemplate.TemplateId),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewServicePrincipal(ctx, \"exampleServicePrincipal\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tClientId:    exampleApplication.ClientId,\n\t\t\tUseExisting: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.inputs.GetApplicationTemplateArgs;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var exampleApplicationTemplate = AzureadFunctions.getApplicationTemplate(GetApplicationTemplateArgs.builder()\n            .displayName(\"Marketo\")\n            .build());\n\n        var exampleApplication = new Application(\"exampleApplication\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .templateId(exampleApplicationTemplate.applyValue(getApplicationTemplateResult -\u003e getApplicationTemplateResult.templateId()))\n            .build());\n\n        var exampleServicePrincipal = new ServicePrincipal(\"exampleServicePrincipal\", ServicePrincipalArgs.builder()        \n            .clientId(exampleApplication.clientId())\n            .useExisting(true)\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  exampleApplication:\n    type: azuread:Application\n    properties:\n      displayName: example\n      templateId: ${exampleApplicationTemplate.templateId}\n  exampleServicePrincipal:\n    type: azuread:ServicePrincipal\n    properties:\n      clientId: ${exampleApplication.clientId}\n      useExisting: true\nvariables:\n  exampleApplicationTemplate:\n    fn::invoke:\n      Function: azuread:getApplicationTemplate\n      Arguments:\n        displayName: Marketo\n```\n{{% /example %}}\n{{% /examples %}}\n\n## Import\n\nService principals can be imported using their object ID, e.g.\n\n```sh\n $ pulumi import azuread:index/servicePrincipal:ServicePrincipal example 00000000-0000-0000-0000-000000000000\n```\n\n ",
             "properties": {
                 "accountEnabled": {
                     "type": "boolean",
@@ -8735,7 +8935,7 @@
             }
         },
         "azuread:index/getApplicationPublishedAppIds:getApplicationPublishedAppIds": {
-            "description": "Use this data source to discover application IDs for APIs published by Microsoft.\n\nThis data source uses an [unofficial source of application IDs](https://github.com/hashicorp/go-azure-sdk/blob/main/sdk/environments/application_ids.go), as there is currently no available official indexed source for applications or APIs published by Microsoft.\n\nThe app IDs returned by this data source are sourced from the Azure Global (Public) Cloud, however some of them are known to work in government and national clouds.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n*Listing well-known application IDs*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst wellKnown = azuread.getApplicationPublishedAppIds({});\nexport const publishedAppIds = wellKnown.then(wellKnown =\u003e wellKnown.result);\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nwell_known = azuread.get_application_published_app_ids()\npulumi.export(\"publishedAppIds\", well_known.result)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"publishedAppIds\"] = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\twellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"publishedAppIds\", wellKnown.Result)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();\n\n        ctx.export(\"publishedAppIds\", wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result()));\n    }\n}\n```\n```yaml\nvariables:\n  wellKnown:\n    fn::invoke:\n      Function: azuread:getApplicationPublishedAppIds\n      Arguments: {}\noutputs:\n  publishedAppIds: ${wellKnown.result}\n```\n\n*Granting access to an application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst wellKnown = azuread.getApplicationPublishedAppIds({});\nconst msgraph = new azuread.ServicePrincipal(\"msgraph\", {\n    applicationId: wellKnown.then(wellKnown =\u003e wellKnown.result?.MicrosoftGraph),\n    useExisting: true,\n});\nconst example = new azuread.Application(\"example\", {\n    displayName: \"example\",\n    requiredResourceAccesses: [{\n        resourceAppId: wellKnown.then(wellKnown =\u003e wellKnown.result?.MicrosoftGraph),\n        resourceAccesses: [\n            {\n                id: msgraph.appRoleIds[\"User.Read.All\"],\n                type: \"Role\",\n            },\n            {\n                id: msgraph.oauth2PermissionScopeIds[\"User.ReadWrite\"],\n                type: \"Scope\",\n            },\n        ],\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nwell_known = azuread.get_application_published_app_ids()\nmsgraph = azuread.ServicePrincipal(\"msgraph\",\n    application_id=well_known.result[\"MicrosoftGraph\"],\n    use_existing=True)\nexample = azuread.Application(\"example\",\n    display_name=\"example\",\n    required_resource_accesses=[azuread.ApplicationRequiredResourceAccessArgs(\n        resource_app_id=well_known.result[\"MicrosoftGraph\"],\n        resource_accesses=[\n            azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                id=msgraph.app_role_ids[\"User.Read.All\"],\n                type=\"Role\",\n            ),\n            azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                id=msgraph.oauth2_permission_scope_ids[\"User.ReadWrite\"],\n                type=\"Scope\",\n            ),\n        ],\n    )])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();\n\n    var msgraph = new AzureAD.ServicePrincipal(\"msgraph\", new()\n    {\n        ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),\n        UseExisting = true,\n    });\n\n    var example = new AzureAD.Application(\"example\", new()\n    {\n        DisplayName = \"example\",\n        RequiredResourceAccesses = new[]\n        {\n            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs\n            {\n                ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),\n                ResourceAccesses = new[]\n                {\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = msgraph.AppRoleIds.Apply(appRoleIds =\u003e appRoleIds.User_Read_All),\n                        Type = \"Role\",\n                    },\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds =\u003e oauth2PermissionScopeIds.User_ReadWrite),\n                        Type = \"Scope\",\n                    },\n                },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\twellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmsgraph, err := azuread.NewServicePrincipal(ctx, \"msgraph\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),\n\t\t\tUseExisting:   pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewApplication(ctx, \"example\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tRequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{\n\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessArgs{\n\t\t\t\t\tResourceAppId: *pulumi.String(wellKnown.Result.MicrosoftGraph),\n\t\t\t\t\tResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId: msgraph.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {\n\t\t\t\t\t\t\t\treturn appRoleIds.User.Read.All, nil\n\t\t\t\t\t\t\t}).(pulumi.StringOutput),\n\t\t\t\t\t\t\tType: pulumi.String(\"Role\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {\n\t\t\t\t\t\t\t\treturn oauth2PermissionScopeIds.User.ReadWrite, nil\n\t\t\t\t\t\t\t}).(pulumi.StringOutput),\n\t\t\t\t\t\t\tType: pulumi.String(\"Scope\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();\n\n        var msgraph = new ServicePrincipal(\"msgraph\", ServicePrincipalArgs.builder()        \n            .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))\n            .useExisting(true)\n            .build());\n\n        var example = new Application(\"example\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()\n                .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))\n                .resourceAccesses(                \n                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                        .id(msgraph.appRoleIds().applyValue(appRoleIds -\u003e appRoleIds.User.Read.All()))\n                        .type(\"Role\")\n                        .build(),\n                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -\u003e oauth2PermissionScopeIds.User.ReadWrite()))\n                        .type(\"Scope\")\n                        .build())\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  msgraph:\n    type: azuread:ServicePrincipal\n    properties:\n      applicationId: ${wellKnown.result.MicrosoftGraph}\n      useExisting: true\n  example:\n    type: azuread:Application\n    properties:\n      displayName: example\n      requiredResourceAccesses:\n        - resourceAppId: ${wellKnown.result.MicrosoftGraph}\n          resourceAccesses:\n            - id: ${msgraph.appRoleIds\"User.Read.All\"[%!s(MISSING)]}\n              type: Role\n            - id: ${msgraph.oauth2PermissionScopeIds\"User.ReadWrite\"[%!s(MISSING)]}\n              type: Scope\nvariables:\n  wellKnown:\n    fn::invoke:\n      Function: azuread:getApplicationPublishedAppIds\n      Arguments: {}\n```\n{{% /example %}}\n{{% /examples %}}",
+            "description": "Use this data source to discover application IDs for APIs published by Microsoft.\n\nThis data source uses an [unofficial source of application IDs](https://github.com/hashicorp/go-azure-sdk/blob/main/sdk/environments/application_ids.go), as there is currently no available official indexed source for applications or APIs published by Microsoft.\n\nThe app IDs returned by this data source are sourced from the Azure Global (Public) Cloud, however some of them are known to work in government and national clouds.\n\n{{% examples %}}\n## Example Usage\n{{% example %}}\n\n*Listing well-known application IDs*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst wellKnown = azuread.getApplicationPublishedAppIds({});\nexport const publishedAppIds = wellKnown.then(wellKnown =\u003e wellKnown.result);\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nwell_known = azuread.get_application_published_app_ids()\npulumi.export(\"publishedAppIds\", well_known.result)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();\n\n    return new Dictionary\u003cstring, object?\u003e\n    {\n        [\"publishedAppIds\"] = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result),\n    };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\twellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"publishedAppIds\", wellKnown.Result)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();\n\n        ctx.export(\"publishedAppIds\", wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result()));\n    }\n}\n```\n```yaml\nvariables:\n  wellKnown:\n    fn::invoke:\n      Function: azuread:getApplicationPublishedAppIds\n      Arguments: {}\noutputs:\n  publishedAppIds: ${wellKnown.result}\n```\n\n*Granting access to an application*\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as azuread from \"@pulumi/azuread\";\n\nconst wellKnown = azuread.getApplicationPublishedAppIds({});\nconst msgraph = new azuread.ServicePrincipal(\"msgraph\", {\n    clientId: wellKnown.then(wellKnown =\u003e wellKnown.result?.MicrosoftGraph),\n    useExisting: true,\n});\nconst example = new azuread.Application(\"example\", {\n    displayName: \"example\",\n    requiredResourceAccesses: [{\n        resourceAppId: wellKnown.then(wellKnown =\u003e wellKnown.result?.MicrosoftGraph),\n        resourceAccesses: [\n            {\n                id: msgraph.appRoleIds[\"User.Read.All\"],\n                type: \"Role\",\n            },\n            {\n                id: msgraph.oauth2PermissionScopeIds[\"User.ReadWrite\"],\n                type: \"Scope\",\n            },\n        ],\n    }],\n});\n```\n```python\nimport pulumi\nimport pulumi_azuread as azuread\n\nwell_known = azuread.get_application_published_app_ids()\nmsgraph = azuread.ServicePrincipal(\"msgraph\",\n    client_id=well_known.result[\"MicrosoftGraph\"],\n    use_existing=True)\nexample = azuread.Application(\"example\",\n    display_name=\"example\",\n    required_resource_accesses=[azuread.ApplicationRequiredResourceAccessArgs(\n        resource_app_id=well_known.result[\"MicrosoftGraph\"],\n        resource_accesses=[\n            azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                id=msgraph.app_role_ids[\"User.Read.All\"],\n                type=\"Role\",\n            ),\n            azuread.ApplicationRequiredResourceAccessResourceAccessArgs(\n                id=msgraph.oauth2_permission_scope_ids[\"User.ReadWrite\"],\n                type=\"Scope\",\n            ),\n        ],\n    )])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing AzureAD = Pulumi.AzureAD;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n    var wellKnown = AzureAD.GetApplicationPublishedAppIds.Invoke();\n\n    var msgraph = new AzureAD.ServicePrincipal(\"msgraph\", new()\n    {\n        ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),\n        UseExisting = true,\n    });\n\n    var example = new AzureAD.Application(\"example\", new()\n    {\n        DisplayName = \"example\",\n        RequiredResourceAccesses = new[]\n        {\n            new AzureAD.Inputs.ApplicationRequiredResourceAccessArgs\n            {\n                ResourceAppId = wellKnown.Apply(getApplicationPublishedAppIdsResult =\u003e getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),\n                ResourceAccesses = new[]\n                {\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = msgraph.AppRoleIds.Apply(appRoleIds =\u003e appRoleIds.User_Read_All),\n                        Type = \"Role\",\n                    },\n                    new AzureAD.Inputs.ApplicationRequiredResourceAccessResourceAccessArgs\n                    {\n                        Id = msgraph.Oauth2PermissionScopeIds.Apply(oauth2PermissionScopeIds =\u003e oauth2PermissionScopeIds.User_ReadWrite),\n                        Type = \"Scope\",\n                    },\n                },\n            },\n        },\n    });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\twellKnown, err := azuread.GetApplicationPublishedAppIds(ctx, nil, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tmsgraph, err := azuread.NewServicePrincipal(ctx, \"msgraph\", \u0026azuread.ServicePrincipalArgs{\n\t\t\tClientId:    *pulumi.String(wellKnown.Result.MicrosoftGraph),\n\t\t\tUseExisting: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = azuread.NewApplication(ctx, \"example\", \u0026azuread.ApplicationArgs{\n\t\t\tDisplayName: pulumi.String(\"example\"),\n\t\t\tRequiredResourceAccesses: azuread.ApplicationRequiredResourceAccessArray{\n\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessArgs{\n\t\t\t\t\tResourceAppId: *pulumi.String(wellKnown.Result.MicrosoftGraph),\n\t\t\t\t\tResourceAccesses: azuread.ApplicationRequiredResourceAccessResourceAccessArray{\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId: msgraph.AppRoleIds.ApplyT(func(appRoleIds map[string]string) (string, error) {\n\t\t\t\t\t\t\t\treturn appRoleIds.User.Read.All, nil\n\t\t\t\t\t\t\t}).(pulumi.StringOutput),\n\t\t\t\t\t\t\tType: pulumi.String(\"Role\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\u0026azuread.ApplicationRequiredResourceAccessResourceAccessArgs{\n\t\t\t\t\t\t\tId: msgraph.Oauth2PermissionScopeIds.ApplyT(func(oauth2PermissionScopeIds map[string]string) (string, error) {\n\t\t\t\t\t\t\t\treturn oauth2PermissionScopeIds.User.ReadWrite, nil\n\t\t\t\t\t\t\t}).(pulumi.StringOutput),\n\t\t\t\t\t\t\tType: pulumi.String(\"Scope\"),\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.azuread.AzureadFunctions;\nimport com.pulumi.azuread.ServicePrincipal;\nimport com.pulumi.azuread.ServicePrincipalArgs;\nimport com.pulumi.azuread.Application;\nimport com.pulumi.azuread.ApplicationArgs;\nimport com.pulumi.azuread.inputs.ApplicationRequiredResourceAccessArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n    public static void main(String[] args) {\n        Pulumi.run(App::stack);\n    }\n\n    public static void stack(Context ctx) {\n        final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();\n\n        var msgraph = new ServicePrincipal(\"msgraph\", ServicePrincipalArgs.builder()        \n            .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))\n            .useExisting(true)\n            .build());\n\n        var example = new Application(\"example\", ApplicationArgs.builder()        \n            .displayName(\"example\")\n            .requiredResourceAccesses(ApplicationRequiredResourceAccessArgs.builder()\n                .resourceAppId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -\u003e getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))\n                .resourceAccesses(                \n                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                        .id(msgraph.appRoleIds().applyValue(appRoleIds -\u003e appRoleIds.User.Read.All()))\n                        .type(\"Role\")\n                        .build(),\n                    ApplicationRequiredResourceAccessResourceAccessArgs.builder()\n                        .id(msgraph.oauth2PermissionScopeIds().applyValue(oauth2PermissionScopeIds -\u003e oauth2PermissionScopeIds.User.ReadWrite()))\n                        .type(\"Scope\")\n                        .build())\n                .build())\n            .build());\n\n    }\n}\n```\n```yaml\nresources:\n  msgraph:\n    type: azuread:ServicePrincipal\n    properties:\n      clientId: ${wellKnown.result.MicrosoftGraph}\n      useExisting: true\n  example:\n    type: azuread:Application\n    properties:\n      displayName: example\n      requiredResourceAccesses:\n        - resourceAppId: ${wellKnown.result.MicrosoftGraph}\n          resourceAccesses:\n            - id: ${msgraph.appRoleIds\"User.Read.All\"[%!s(MISSING)]}\n              type: Role\n            - id: ${msgraph.oauth2PermissionScopeIds\"User.ReadWrite\"[%!s(MISSING)]}\n              type: Scope\nvariables:\n  wellKnown:\n    fn::invoke:\n      Function: azuread:getApplicationPublishedAppIds\n      Arguments: {}\n```\n{{% /example %}}\n{{% /examples %}}",
             "outputs": {
                 "description": "A collection of values returned by getApplicationPublishedAppIds.\n",
                 "properties": {
diff --git a/provider/go.mod b/provider/go.mod
index f940d0add..413ecc463 100644
--- a/provider/go.mod
+++ b/provider/go.mod
@@ -134,7 +134,7 @@ require (
 	github.com/hashicorp/terraform-plugin-log v0.9.0 // indirect
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0 // indirect
 	github.com/hashicorp/terraform-plugin-testing v1.5.1 // indirect
-	github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231020024202-d25b6df7b9e6 // indirect
+	github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231027000318-c80b9971c660 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.2 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/vault/api v1.8.2 // indirect
@@ -150,7 +150,7 @@ require (
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.15.11 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/manicminer/hamilton v0.64.0 // indirect
+	github.com/manicminer/hamilton v0.65.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
@@ -238,7 +238,7 @@ require (
 	google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130 // indirect
-	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/grpc v1.57.1 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/provider/go.sum b/provider/go.sum
index e88771650..bdfe38c41 100644
--- a/provider/go.sum
+++ b/provider/go.sum
@@ -1665,8 +1665,8 @@ github.com/hashicorp/terraform-plugin-sdk v1.7.0/go.mod h1:OjgQmey5VxnPej/buEhe+
 github.com/hashicorp/terraform-plugin-test v1.2.0/go.mod h1:QIJHYz8j+xJtdtLrFTlzQVC0ocr3rf/OjIpgZLK56Hs=
 github.com/hashicorp/terraform-plugin-testing v1.5.1 h1:T4aQh9JAhmWo4+t1A7x+rnxAJHCDIYW9kXyo4sVO92c=
 github.com/hashicorp/terraform-plugin-testing v1.5.1/go.mod h1:dg8clO6K59rZ8w9EshBmDp1CxTIPu3yA4iaDpX1h5u0=
-github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231020024202-d25b6df7b9e6 h1:oILcvLfn63zgogmiSXPbuVFv6e270WPUnmvZOVc0dvY=
-github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231020024202-d25b6df7b9e6/go.mod h1:G7VsR1cnqPQpqIH4thfls4VVhQ7KpP9Oh6xpx1TNEnQ=
+github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231027000318-c80b9971c660 h1:Awcl4WoWqJsbS7JpDEMTdfmeEbt57lpFJRZOW7WPJHQ=
+github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231027000318-c80b9971c660/go.mod h1:iVryf2s08Hi6HLHh4W40fudtInXuK5Y1cWVOM/3szT8=
 github.com/hashicorp/terraform-registry-address v0.0.0-20220623143253-7d51757b572c/go.mod h1:Wn3Na71knbXc1G8Lh+yu/dQWWJeFQEpDeJMtWMtlmNI=
 github.com/hashicorp/terraform-registry-address v0.2.2 h1:lPQBg403El8PPicg/qONZJDC6YlgCVbWDtNmmZKtBno=
 github.com/hashicorp/terraform-registry-address v0.2.2/go.mod h1:LtwNbCihUoUZ3RYriyS2wF/lGPB6gF9ICLRtuDk7hSo=
@@ -1862,8 +1862,8 @@ github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN
 github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs=
 github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/manicminer/hamilton v0.64.0 h1:m62sFHwhyhjd0BpIU7AESZPjTeEWaF1WKLKjXuV/+Ag=
-github.com/manicminer/hamilton v0.64.0/go.mod h1:va/X2sztcgQ5+BSxc2eU3FTHYIyxLnHvB4LudlPUZdE=
+github.com/manicminer/hamilton v0.65.0 h1:fCDLn+BqmM5bgFHSVzV6GVcb0o5S/oxA6Xp+COxKuNo=
+github.com/manicminer/hamilton v0.65.0/go.mod h1:va/X2sztcgQ5+BSxc2eU3FTHYIyxLnHvB4LudlPUZdE=
 github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
 github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
 github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho=
@@ -3414,8 +3414,9 @@ google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsA
 google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
 google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
 google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0/go.mod h1:DNq5QpG7LJqD2AamLZ7zvKE0DEpVl2BSEVjFycAAjRY=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
diff --git a/provider/shim/go.mod b/provider/shim/go.mod
index b59ace54f..812276ff4 100644
--- a/provider/shim/go.mod
+++ b/provider/shim/go.mod
@@ -4,7 +4,7 @@ go 1.21.3
 
 require (
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.29.0
-	github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231020024202-d25b6df7b9e6
+	github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231027000318-c80b9971c660
 )
 
 require (
@@ -38,7 +38,7 @@ require (
 	github.com/hashicorp/terraform-registry-address v0.2.2 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/manicminer/hamilton v0.64.0 // indirect
+	github.com/manicminer/hamilton v0.65.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
@@ -60,7 +60,7 @@ require (
 	golang.org/x/text v0.13.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
-	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/grpc v1.57.1 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	software.sslmate.com/src/go-pkcs12 v0.2.0 // indirect
 )
diff --git a/provider/shim/go.sum b/provider/shim/go.sum
index afee38d42..3b8de2f9e 100644
--- a/provider/shim/go.sum
+++ b/provider/shim/go.sum
@@ -899,8 +899,8 @@ github.com/hashicorp/terraform-plugin-log v0.9.0 h1:i7hOA+vdAItN1/7UrfBqBwvYPQ9T
 github.com/hashicorp/terraform-plugin-log v0.9.0/go.mod h1:rKL8egZQ/eXSyDqzLUuwUYLVdlYeamldAHSxjUFADow=
 github.com/hashicorp/terraform-plugin-testing v1.5.1 h1:T4aQh9JAhmWo4+t1A7x+rnxAJHCDIYW9kXyo4sVO92c=
 github.com/hashicorp/terraform-plugin-testing v1.5.1/go.mod h1:dg8clO6K59rZ8w9EshBmDp1CxTIPu3yA4iaDpX1h5u0=
-github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231020024202-d25b6df7b9e6 h1:oILcvLfn63zgogmiSXPbuVFv6e270WPUnmvZOVc0dvY=
-github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231020024202-d25b6df7b9e6/go.mod h1:G7VsR1cnqPQpqIH4thfls4VVhQ7KpP9Oh6xpx1TNEnQ=
+github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231027000318-c80b9971c660 h1:Awcl4WoWqJsbS7JpDEMTdfmeEbt57lpFJRZOW7WPJHQ=
+github.com/hashicorp/terraform-provider-azuread v1.6.1-0.20231027000318-c80b9971c660/go.mod h1:iVryf2s08Hi6HLHh4W40fudtInXuK5Y1cWVOM/3szT8=
 github.com/hashicorp/terraform-registry-address v0.0.0-20220623143253-7d51757b572c/go.mod h1:Wn3Na71knbXc1G8Lh+yu/dQWWJeFQEpDeJMtWMtlmNI=
 github.com/hashicorp/terraform-registry-address v0.2.2 h1:lPQBg403El8PPicg/qONZJDC6YlgCVbWDtNmmZKtBno=
 github.com/hashicorp/terraform-registry-address v0.2.2/go.mod h1:LtwNbCihUoUZ3RYriyS2wF/lGPB6gF9ICLRtuDk7hSo=
@@ -955,8 +955,8 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+
 github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
-github.com/manicminer/hamilton v0.64.0 h1:m62sFHwhyhjd0BpIU7AESZPjTeEWaF1WKLKjXuV/+Ag=
-github.com/manicminer/hamilton v0.64.0/go.mod h1:va/X2sztcgQ5+BSxc2eU3FTHYIyxLnHvB4LudlPUZdE=
+github.com/manicminer/hamilton v0.65.0 h1:fCDLn+BqmM5bgFHSVzV6GVcb0o5S/oxA6Xp+COxKuNo=
+github.com/manicminer/hamilton v0.65.0/go.mod h1:va/X2sztcgQ5+BSxc2eU3FTHYIyxLnHvB4LudlPUZdE=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -1750,8 +1750,9 @@ google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsA
 google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5vorUY=
 google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
 google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
-google.golang.org/grpc v1.57.0 h1:kfzNeI/klCGD2YPMUlaGNT3pxvYfga7smW3Vth8Zsiw=
 google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
+google.golang.org/grpc v1.57.1 h1:upNTNqv0ES+2ZOOqACwVtS3Il8M12/+Hz41RCPzAjQg=
+google.golang.org/grpc v1.57.1/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0/go.mod h1:DNq5QpG7LJqD2AamLZ7zvKE0DEpVl2BSEVjFycAAjRY=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
diff --git a/sdk/dotnet/ApplicationOptionalClaims.cs b/sdk/dotnet/ApplicationOptionalClaims.cs
new file mode 100644
index 000000000..29048ea95
--- /dev/null
+++ b/sdk/dotnet/ApplicationOptionalClaims.cs
@@ -0,0 +1,251 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD
+{
+    /// <summary>
+    /// ## Example Usage
+    /// 
+    /// ```csharp
+    /// using System.Collections.Generic;
+    /// using System.Linq;
+    /// using Pulumi;
+    /// using AzureAD = Pulumi.AzureAD;
+    /// 
+    /// return await Deployment.RunAsync(() =&gt; 
+    /// {
+    ///     var exampleApplicationRegistration = new AzureAD.ApplicationRegistration("exampleApplicationRegistration", new()
+    ///     {
+    ///         DisplayName = "example",
+    ///     });
+    /// 
+    ///     var exampleApplicationOptionalClaims = new AzureAD.ApplicationOptionalClaims("exampleApplicationOptionalClaims", new()
+    ///     {
+    ///         ApplicationId = exampleApplicationRegistration.Id,
+    ///         AccessTokens = new[]
+    ///         {
+    ///             new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs
+    ///             {
+    ///                 Name = "myclaim",
+    ///             },
+    ///             new AzureAD.Inputs.ApplicationOptionalClaimsAccessTokenArgs
+    ///             {
+    ///                 Name = "otherclaim",
+    ///             },
+    ///         },
+    ///         IdTokens = new[]
+    ///         {
+    ///             new AzureAD.Inputs.ApplicationOptionalClaimsIdTokenArgs
+    ///             {
+    ///                 Name = "userclaim",
+    ///                 Source = "user",
+    ///                 Essential = true,
+    ///                 AdditionalProperties = new[]
+    ///                 {
+    ///                     "emit_as_roles",
+    ///                 },
+    ///             },
+    ///         },
+    ///         Saml2Tokens = new[]
+    ///         {
+    ///             new AzureAD.Inputs.ApplicationOptionalClaimsSaml2TokenArgs
+    ///             {
+    ///                 Name = "samlexample",
+    ///             },
+    ///         },
+    ///     });
+    /// 
+    /// });
+    /// ```
+    /// 
+    /// ## Import
+    /// 
+    /// Application Optional Claims can be imported using the object ID of the application, in the following format.
+    /// 
+    /// ```sh
+    ///  $ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000
+    /// ```
+    /// </summary>
+    [AzureADResourceType("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims")]
+    public partial class ApplicationOptionalClaims : global::Pulumi.CustomResource
+    {
+        /// <summary>
+        /// One or more `access_token` blocks as documented below.
+        /// </summary>
+        [Output("accessTokens")]
+        public Output<ImmutableArray<Outputs.ApplicationOptionalClaimsAccessToken>> AccessTokens { get; private set; } = null!;
+
+        /// <summary>
+        /// The resource ID of the application registration. Changing this forces a new resource to be created.
+        /// </summary>
+        [Output("applicationId")]
+        public Output<string> ApplicationId { get; private set; } = null!;
+
+        /// <summary>
+        /// One or more `id_token` blocks as documented below.
+        /// </summary>
+        [Output("idTokens")]
+        public Output<ImmutableArray<Outputs.ApplicationOptionalClaimsIdToken>> IdTokens { get; private set; } = null!;
+
+        /// <summary>
+        /// One or more `saml2_token` blocks as documented below.
+        /// 
+        /// &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        /// </summary>
+        [Output("saml2Tokens")]
+        public Output<ImmutableArray<Outputs.ApplicationOptionalClaimsSaml2Token>> Saml2Tokens { get; private set; } = null!;
+
+
+        /// <summary>
+        /// Create a ApplicationOptionalClaims resource with the given unique name, arguments, and options.
+        /// </summary>
+        ///
+        /// <param name="name">The unique name of the resource</param>
+        /// <param name="args">The arguments used to populate this resource's properties</param>
+        /// <param name="options">A bag of options that control this resource's behavior</param>
+        public ApplicationOptionalClaims(string name, ApplicationOptionalClaimsArgs args, CustomResourceOptions? options = null)
+            : base("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims", name, args ?? new ApplicationOptionalClaimsArgs(), MakeResourceOptions(options, ""))
+        {
+        }
+
+        private ApplicationOptionalClaims(string name, Input<string> id, ApplicationOptionalClaimsState? state = null, CustomResourceOptions? options = null)
+            : base("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims", name, state, MakeResourceOptions(options, id))
+        {
+        }
+
+        private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? options, Input<string>? id)
+        {
+            var defaultOptions = new CustomResourceOptions
+            {
+                Version = Utilities.Version,
+            };
+            var merged = CustomResourceOptions.Merge(defaultOptions, options);
+            // Override the ID if one was specified for consistency with other language SDKs.
+            merged.Id = id ?? merged.Id;
+            return merged;
+        }
+        /// <summary>
+        /// Get an existing ApplicationOptionalClaims resource's state with the given name, ID, and optional extra
+        /// properties used to qualify the lookup.
+        /// </summary>
+        ///
+        /// <param name="name">The unique name of the resulting resource.</param>
+        /// <param name="id">The unique provider ID of the resource to lookup.</param>
+        /// <param name="state">Any extra arguments used during the lookup.</param>
+        /// <param name="options">A bag of options that control this resource's behavior</param>
+        public static ApplicationOptionalClaims Get(string name, Input<string> id, ApplicationOptionalClaimsState? state = null, CustomResourceOptions? options = null)
+        {
+            return new ApplicationOptionalClaims(name, id, state, options);
+        }
+    }
+
+    public sealed class ApplicationOptionalClaimsArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("accessTokens")]
+        private InputList<Inputs.ApplicationOptionalClaimsAccessTokenArgs>? _accessTokens;
+
+        /// <summary>
+        /// One or more `access_token` blocks as documented below.
+        /// </summary>
+        public InputList<Inputs.ApplicationOptionalClaimsAccessTokenArgs> AccessTokens
+        {
+            get => _accessTokens ?? (_accessTokens = new InputList<Inputs.ApplicationOptionalClaimsAccessTokenArgs>());
+            set => _accessTokens = value;
+        }
+
+        /// <summary>
+        /// The resource ID of the application registration. Changing this forces a new resource to be created.
+        /// </summary>
+        [Input("applicationId", required: true)]
+        public Input<string> ApplicationId { get; set; } = null!;
+
+        [Input("idTokens")]
+        private InputList<Inputs.ApplicationOptionalClaimsIdTokenArgs>? _idTokens;
+
+        /// <summary>
+        /// One or more `id_token` blocks as documented below.
+        /// </summary>
+        public InputList<Inputs.ApplicationOptionalClaimsIdTokenArgs> IdTokens
+        {
+            get => _idTokens ?? (_idTokens = new InputList<Inputs.ApplicationOptionalClaimsIdTokenArgs>());
+            set => _idTokens = value;
+        }
+
+        [Input("saml2Tokens")]
+        private InputList<Inputs.ApplicationOptionalClaimsSaml2TokenArgs>? _saml2Tokens;
+
+        /// <summary>
+        /// One or more `saml2_token` blocks as documented below.
+        /// 
+        /// &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        /// </summary>
+        public InputList<Inputs.ApplicationOptionalClaimsSaml2TokenArgs> Saml2Tokens
+        {
+            get => _saml2Tokens ?? (_saml2Tokens = new InputList<Inputs.ApplicationOptionalClaimsSaml2TokenArgs>());
+            set => _saml2Tokens = value;
+        }
+
+        public ApplicationOptionalClaimsArgs()
+        {
+        }
+        public static new ApplicationOptionalClaimsArgs Empty => new ApplicationOptionalClaimsArgs();
+    }
+
+    public sealed class ApplicationOptionalClaimsState : global::Pulumi.ResourceArgs
+    {
+        [Input("accessTokens")]
+        private InputList<Inputs.ApplicationOptionalClaimsAccessTokenGetArgs>? _accessTokens;
+
+        /// <summary>
+        /// One or more `access_token` blocks as documented below.
+        /// </summary>
+        public InputList<Inputs.ApplicationOptionalClaimsAccessTokenGetArgs> AccessTokens
+        {
+            get => _accessTokens ?? (_accessTokens = new InputList<Inputs.ApplicationOptionalClaimsAccessTokenGetArgs>());
+            set => _accessTokens = value;
+        }
+
+        /// <summary>
+        /// The resource ID of the application registration. Changing this forces a new resource to be created.
+        /// </summary>
+        [Input("applicationId")]
+        public Input<string>? ApplicationId { get; set; }
+
+        [Input("idTokens")]
+        private InputList<Inputs.ApplicationOptionalClaimsIdTokenGetArgs>? _idTokens;
+
+        /// <summary>
+        /// One or more `id_token` blocks as documented below.
+        /// </summary>
+        public InputList<Inputs.ApplicationOptionalClaimsIdTokenGetArgs> IdTokens
+        {
+            get => _idTokens ?? (_idTokens = new InputList<Inputs.ApplicationOptionalClaimsIdTokenGetArgs>());
+            set => _idTokens = value;
+        }
+
+        [Input("saml2Tokens")]
+        private InputList<Inputs.ApplicationOptionalClaimsSaml2TokenGetArgs>? _saml2Tokens;
+
+        /// <summary>
+        /// One or more `saml2_token` blocks as documented below.
+        /// 
+        /// &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        /// </summary>
+        public InputList<Inputs.ApplicationOptionalClaimsSaml2TokenGetArgs> Saml2Tokens
+        {
+            get => _saml2Tokens ?? (_saml2Tokens = new InputList<Inputs.ApplicationOptionalClaimsSaml2TokenGetArgs>());
+            set => _saml2Tokens = value;
+        }
+
+        public ApplicationOptionalClaimsState()
+        {
+        }
+        public static new ApplicationOptionalClaimsState Empty => new ApplicationOptionalClaimsState();
+    }
+}
diff --git a/sdk/dotnet/GetApplicationPublishedAppIds.cs b/sdk/dotnet/GetApplicationPublishedAppIds.cs
index b4ff250cd..51db008d2 100644
--- a/sdk/dotnet/GetApplicationPublishedAppIds.cs
+++ b/sdk/dotnet/GetApplicationPublishedAppIds.cs
@@ -55,7 +55,7 @@ public static class GetApplicationPublishedAppIds
         /// 
         ///     var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
         ///     {
-        ///         ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult =&gt; getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
+        ///         ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult =&gt; getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
         ///         UseExisting = true,
         ///     });
         /// 
@@ -136,7 +136,7 @@ public static Task<GetApplicationPublishedAppIdsResult> InvokeAsync(InvokeOption
         /// 
         ///     var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
         ///     {
-        ///         ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult =&gt; getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
+        ///         ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult =&gt; getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
         ///         UseExisting = true,
         ///     });
         /// 
diff --git a/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenArgs.cs b/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenArgs.cs
index e9668df7f..2345aa132 100644
--- a/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenArgs.cs
+++ b/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenArgs.cs
@@ -16,7 +16,7 @@ public sealed class ApplicationOptionalClaimsAccessTokenArgs : global::Pulumi.Re
         private InputList<string>? _additionalProperties;
 
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public InputList<string> AdditionalProperties
         {
diff --git a/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenGetArgs.cs b/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenGetArgs.cs
index eeb7514ae..046a5805c 100644
--- a/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenGetArgs.cs
+++ b/sdk/dotnet/Inputs/ApplicationOptionalClaimsAccessTokenGetArgs.cs
@@ -16,7 +16,7 @@ public sealed class ApplicationOptionalClaimsAccessTokenGetArgs : global::Pulumi
         private InputList<string>? _additionalProperties;
 
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public InputList<string> AdditionalProperties
         {
diff --git a/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenArgs.cs b/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenArgs.cs
index 3e42f310d..42afa2db7 100644
--- a/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenArgs.cs
+++ b/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenArgs.cs
@@ -16,7 +16,7 @@ public sealed class ApplicationOptionalClaimsIdTokenArgs : global::Pulumi.Resour
         private InputList<string>? _additionalProperties;
 
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public InputList<string> AdditionalProperties
         {
diff --git a/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenGetArgs.cs b/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenGetArgs.cs
index 6f5bf4f42..14080c751 100644
--- a/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenGetArgs.cs
+++ b/sdk/dotnet/Inputs/ApplicationOptionalClaimsIdTokenGetArgs.cs
@@ -16,7 +16,7 @@ public sealed class ApplicationOptionalClaimsIdTokenGetArgs : global::Pulumi.Res
         private InputList<string>? _additionalProperties;
 
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public InputList<string> AdditionalProperties
         {
diff --git a/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenArgs.cs b/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenArgs.cs
index 8b7e0544f..37c5b521e 100644
--- a/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenArgs.cs
+++ b/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenArgs.cs
@@ -16,7 +16,7 @@ public sealed class ApplicationOptionalClaimsSaml2TokenArgs : global::Pulumi.Res
         private InputList<string>? _additionalProperties;
 
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public InputList<string> AdditionalProperties
         {
diff --git a/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenGetArgs.cs b/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenGetArgs.cs
index ed0e14127..6f34a278c 100644
--- a/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenGetArgs.cs
+++ b/sdk/dotnet/Inputs/ApplicationOptionalClaimsSaml2TokenGetArgs.cs
@@ -16,7 +16,7 @@ public sealed class ApplicationOptionalClaimsSaml2TokenGetArgs : global::Pulumi.
         private InputList<string>? _additionalProperties;
 
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public InputList<string> AdditionalProperties
         {
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesArgs.cs
index 59090f3b0..91bc9d187 100644
--- a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesArgs.cs
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesArgs.cs
@@ -13,7 +13,7 @@ namespace Pulumi.AzureAD.Inputs
     public sealed class ConditionalAccessPolicyConditionsDevicesArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
-        /// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        /// A `filter` block as described below.
         /// </summary>
         [Input("filter")]
         public Input<Inputs.ConditionalAccessPolicyConditionsDevicesFilterArgs>? Filter { get; set; }
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesGetArgs.cs
index d1636cd5d..59b93916b 100644
--- a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesGetArgs.cs
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsDevicesGetArgs.cs
@@ -13,7 +13,7 @@ namespace Pulumi.AzureAD.Inputs
     public sealed class ConditionalAccessPolicyConditionsDevicesGetArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
-        /// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        /// A `filter` block as described below.
         /// </summary>
         [Input("filter")]
         public Input<Inputs.ConditionalAccessPolicyConditionsDevicesFilterGetArgs>? Filter { get; set; }
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersArgs.cs
index f671efaee..869d2c298 100644
--- a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersArgs.cs
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersArgs.cs
@@ -24,6 +24,18 @@ public InputList<string> ExcludedGroups
             set => _excludedGroups = value;
         }
 
+        [Input("excludedGuestsOrExternalUsers")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs>? _excludedGuestsOrExternalUsers;
+
+        /// <summary>
+        /// A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs> ExcludedGuestsOrExternalUsers
+        {
+            get => _excludedGuestsOrExternalUsers ?? (_excludedGuestsOrExternalUsers = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs>());
+            set => _excludedGuestsOrExternalUsers = value;
+        }
+
         [Input("excludedRoles")]
         private InputList<string>? _excludedRoles;
 
@@ -60,6 +72,18 @@ public InputList<string> IncludedGroups
             set => _includedGroups = value;
         }
 
+        [Input("includedGuestsOrExternalUsers")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs>? _includedGuestsOrExternalUsers;
+
+        /// <summary>
+        /// A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs> IncludedGuestsOrExternalUsers
+        {
+            get => _includedGuestsOrExternalUsers ?? (_includedGuestsOrExternalUsers = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs>());
+            set => _includedGuestsOrExternalUsers = value;
+        }
+
         [Input("includedRoles")]
         private InputList<string>? _includedRoles;
 
@@ -78,7 +102,7 @@ public InputList<string> IncludedRoles
         /// <summary>
         /// A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
         /// 
-        /// &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+        /// &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         /// </summary>
         public InputList<string> IncludedUsers
         {
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.cs
new file mode 100644
index 000000000..dee9fcd63
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.cs
@@ -0,0 +1,44 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("externalTenants")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs>? _externalTenants;
+
+        /// <summary>
+        /// An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs> ExternalTenants
+        {
+            get => _externalTenants ?? (_externalTenants = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs>());
+            set => _externalTenants = value;
+        }
+
+        [Input("guestOrExternalUserTypes", required: true)]
+        private InputList<string>? _guestOrExternalUserTypes;
+
+        /// <summary>
+        /// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        /// </summary>
+        public InputList<string> GuestOrExternalUserTypes
+        {
+            get => _guestOrExternalUserTypes ?? (_guestOrExternalUserTypes = new InputList<string>());
+            set => _guestOrExternalUserTypes = value;
+        }
+
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs Empty => new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.cs
new file mode 100644
index 000000000..3df9bfe94
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.cs
@@ -0,0 +1,38 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("members")]
+        private InputList<string>? _members;
+
+        /// <summary>
+        /// A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        /// </summary>
+        public InputList<string> Members
+        {
+            get => _members ?? (_members = new InputList<string>());
+            set => _members = value;
+        }
+
+        /// <summary>
+        /// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        /// </summary>
+        [Input("membershipKind", required: true)]
+        public Input<string> MembershipKind { get; set; } = null!;
+
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs Empty => new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs.cs
new file mode 100644
index 000000000..0dfd4babf
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs.cs
@@ -0,0 +1,38 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("members")]
+        private InputList<string>? _members;
+
+        /// <summary>
+        /// A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        /// </summary>
+        public InputList<string> Members
+        {
+            get => _members ?? (_members = new InputList<string>());
+            set => _members = value;
+        }
+
+        /// <summary>
+        /// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        /// </summary>
+        [Input("membershipKind", required: true)]
+        public Input<string> MembershipKind { get; set; } = null!;
+
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs Empty => new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs.cs
new file mode 100644
index 000000000..942fe8b4b
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs.cs
@@ -0,0 +1,44 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("externalTenants")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs>? _externalTenants;
+
+        /// <summary>
+        /// An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs> ExternalTenants
+        {
+            get => _externalTenants ?? (_externalTenants = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantGetArgs>());
+            set => _externalTenants = value;
+        }
+
+        [Input("guestOrExternalUserTypes", required: true)]
+        private InputList<string>? _guestOrExternalUserTypes;
+
+        /// <summary>
+        /// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        /// </summary>
+        public InputList<string> GuestOrExternalUserTypes
+        {
+            get => _guestOrExternalUserTypes ?? (_guestOrExternalUserTypes = new InputList<string>());
+            set => _guestOrExternalUserTypes = value;
+        }
+
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs Empty => new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersGetArgs.cs
index c1455ee46..a5b34ed8f 100644
--- a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersGetArgs.cs
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersGetArgs.cs
@@ -24,6 +24,18 @@ public InputList<string> ExcludedGroups
             set => _excludedGroups = value;
         }
 
+        [Input("excludedGuestsOrExternalUsers")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs>? _excludedGuestsOrExternalUsers;
+
+        /// <summary>
+        /// A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs> ExcludedGuestsOrExternalUsers
+        {
+            get => _excludedGuestsOrExternalUsers ?? (_excludedGuestsOrExternalUsers = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserGetArgs>());
+            set => _excludedGuestsOrExternalUsers = value;
+        }
+
         [Input("excludedRoles")]
         private InputList<string>? _excludedRoles;
 
@@ -60,6 +72,18 @@ public InputList<string> IncludedGroups
             set => _includedGroups = value;
         }
 
+        [Input("includedGuestsOrExternalUsers")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs>? _includedGuestsOrExternalUsers;
+
+        /// <summary>
+        /// A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs> IncludedGuestsOrExternalUsers
+        {
+            get => _includedGuestsOrExternalUsers ?? (_includedGuestsOrExternalUsers = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs>());
+            set => _includedGuestsOrExternalUsers = value;
+        }
+
         [Input("includedRoles")]
         private InputList<string>? _includedRoles;
 
@@ -78,7 +102,7 @@ public InputList<string> IncludedRoles
         /// <summary>
         /// A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
         /// 
-        /// &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+        /// &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         /// </summary>
         public InputList<string> IncludedUsers
         {
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.cs
new file mode 100644
index 000000000..04005fe49
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.cs
@@ -0,0 +1,44 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("externalTenants")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs>? _externalTenants;
+
+        /// <summary>
+        /// An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs> ExternalTenants
+        {
+            get => _externalTenants ?? (_externalTenants = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs>());
+            set => _externalTenants = value;
+        }
+
+        [Input("guestOrExternalUserTypes", required: true)]
+        private InputList<string>? _guestOrExternalUserTypes;
+
+        /// <summary>
+        /// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        /// </summary>
+        public InputList<string> GuestOrExternalUserTypes
+        {
+            get => _guestOrExternalUserTypes ?? (_guestOrExternalUserTypes = new InputList<string>());
+            set => _guestOrExternalUserTypes = value;
+        }
+
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs Empty => new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.cs
new file mode 100644
index 000000000..1a6df66db
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.cs
@@ -0,0 +1,38 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("members")]
+        private InputList<string>? _members;
+
+        /// <summary>
+        /// A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        /// </summary>
+        public InputList<string> Members
+        {
+            get => _members ?? (_members = new InputList<string>());
+            set => _members = value;
+        }
+
+        /// <summary>
+        /// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        /// </summary>
+        [Input("membershipKind", required: true)]
+        public Input<string> MembershipKind { get; set; } = null!;
+
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs Empty => new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs.cs
new file mode 100644
index 000000000..ac08541d8
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs.cs
@@ -0,0 +1,38 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("members")]
+        private InputList<string>? _members;
+
+        /// <summary>
+        /// A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        /// </summary>
+        public InputList<string> Members
+        {
+            get => _members ?? (_members = new InputList<string>());
+            set => _members = value;
+        }
+
+        /// <summary>
+        /// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        /// </summary>
+        [Input("membershipKind", required: true)]
+        public Input<string> MembershipKind { get; set; } = null!;
+
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs Empty => new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs.cs
new file mode 100644
index 000000000..74885d6e3
--- /dev/null
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs.cs
@@ -0,0 +1,44 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Inputs
+{
+
+    public sealed class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs : global::Pulumi.ResourceArgs
+    {
+        [Input("externalTenants")]
+        private InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs>? _externalTenants;
+
+        /// <summary>
+        /// An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        /// </summary>
+        public InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs> ExternalTenants
+        {
+            get => _externalTenants ?? (_externalTenants = new InputList<Inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantGetArgs>());
+            set => _externalTenants = value;
+        }
+
+        [Input("guestOrExternalUserTypes", required: true)]
+        private InputList<string>? _guestOrExternalUserTypes;
+
+        /// <summary>
+        /// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        /// </summary>
+        public InputList<string> GuestOrExternalUserTypes
+        {
+            get => _guestOrExternalUserTypes ?? (_guestOrExternalUserTypes = new InputList<string>());
+            set => _guestOrExternalUserTypes = value;
+        }
+
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs()
+        {
+        }
+        public static new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs Empty => new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserGetArgs();
+    }
+}
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsArgs.cs
index ea0e62f61..19f9758af 100644
--- a/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsArgs.cs
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsArgs.cs
@@ -39,13 +39,25 @@ public sealed class ConditionalAccessPolicySessionControlsArgs : global::Pulumi.
         public Input<string>? PersistentBrowserMode { get; set; }
 
         /// <summary>
-        /// Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        /// Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
         /// </summary>
         [Input("signInFrequency")]
         public Input<int>? SignInFrequency { get; set; }
 
         /// <summary>
-        /// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        /// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        /// </summary>
+        [Input("signInFrequencyAuthenticationType")]
+        public Input<string>? SignInFrequencyAuthenticationType { get; set; }
+
+        /// <summary>
+        /// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        /// </summary>
+        [Input("signInFrequencyInterval")]
+        public Input<string>? SignInFrequencyInterval { get; set; }
+
+        /// <summary>
+        /// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         /// </summary>
         [Input("signInFrequencyPeriod")]
         public Input<string>? SignInFrequencyPeriod { get; set; }
diff --git a/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsGetArgs.cs b/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsGetArgs.cs
index aecc51593..544ad5540 100644
--- a/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsGetArgs.cs
+++ b/sdk/dotnet/Inputs/ConditionalAccessPolicySessionControlsGetArgs.cs
@@ -39,13 +39,25 @@ public sealed class ConditionalAccessPolicySessionControlsGetArgs : global::Pulu
         public Input<string>? PersistentBrowserMode { get; set; }
 
         /// <summary>
-        /// Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        /// Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
         /// </summary>
         [Input("signInFrequency")]
         public Input<int>? SignInFrequency { get; set; }
 
         /// <summary>
-        /// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        /// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        /// </summary>
+        [Input("signInFrequencyAuthenticationType")]
+        public Input<string>? SignInFrequencyAuthenticationType { get; set; }
+
+        /// <summary>
+        /// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        /// </summary>
+        [Input("signInFrequencyInterval")]
+        public Input<string>? SignInFrequencyInterval { get; set; }
+
+        /// <summary>
+        /// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         /// </summary>
         [Input("signInFrequencyPeriod")]
         public Input<string>? SignInFrequencyPeriod { get; set; }
diff --git a/sdk/dotnet/Outputs/ApplicationOptionalClaimsAccessToken.cs b/sdk/dotnet/Outputs/ApplicationOptionalClaimsAccessToken.cs
index 498a176ab..7adeaa178 100644
--- a/sdk/dotnet/Outputs/ApplicationOptionalClaimsAccessToken.cs
+++ b/sdk/dotnet/Outputs/ApplicationOptionalClaimsAccessToken.cs
@@ -14,7 +14,7 @@ namespace Pulumi.AzureAD.Outputs
     public sealed class ApplicationOptionalClaimsAccessToken
     {
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public readonly ImmutableArray<string> AdditionalProperties;
         /// <summary>
diff --git a/sdk/dotnet/Outputs/ApplicationOptionalClaimsIdToken.cs b/sdk/dotnet/Outputs/ApplicationOptionalClaimsIdToken.cs
index 445e83a55..5d51b3ab5 100644
--- a/sdk/dotnet/Outputs/ApplicationOptionalClaimsIdToken.cs
+++ b/sdk/dotnet/Outputs/ApplicationOptionalClaimsIdToken.cs
@@ -14,7 +14,7 @@ namespace Pulumi.AzureAD.Outputs
     public sealed class ApplicationOptionalClaimsIdToken
     {
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public readonly ImmutableArray<string> AdditionalProperties;
         /// <summary>
diff --git a/sdk/dotnet/Outputs/ApplicationOptionalClaimsSaml2Token.cs b/sdk/dotnet/Outputs/ApplicationOptionalClaimsSaml2Token.cs
index 151de9fb5..d18ae8d82 100644
--- a/sdk/dotnet/Outputs/ApplicationOptionalClaimsSaml2Token.cs
+++ b/sdk/dotnet/Outputs/ApplicationOptionalClaimsSaml2Token.cs
@@ -14,7 +14,7 @@ namespace Pulumi.AzureAD.Outputs
     public sealed class ApplicationOptionalClaimsSaml2Token
     {
         /// <summary>
-        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        /// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         /// </summary>
         public readonly ImmutableArray<string> AdditionalProperties;
         /// <summary>
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsDevices.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsDevices.cs
index 2cd967d34..232650087 100644
--- a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsDevices.cs
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsDevices.cs
@@ -14,7 +14,7 @@ namespace Pulumi.AzureAD.Outputs
     public sealed class ConditionalAccessPolicyConditionsDevices
     {
         /// <summary>
-        /// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        /// A `filter` block as described below.
         /// </summary>
         public readonly Outputs.ConditionalAccessPolicyConditionsDevicesFilter? Filter;
 
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsers.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsers.cs
index d605364c8..088faee0c 100644
--- a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsers.cs
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsers.cs
@@ -18,6 +18,10 @@ public sealed class ConditionalAccessPolicyConditionsUsers
         /// </summary>
         public readonly ImmutableArray<string> ExcludedGroups;
         /// <summary>
+        /// A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+        /// </summary>
+        public readonly ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> ExcludedGuestsOrExternalUsers;
+        /// <summary>
         /// A list of role IDs excluded from scope of policy.
         /// </summary>
         public readonly ImmutableArray<string> ExcludedRoles;
@@ -30,13 +34,17 @@ public sealed class ConditionalAccessPolicyConditionsUsers
         /// </summary>
         public readonly ImmutableArray<string> IncludedGroups;
         /// <summary>
+        /// A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+        /// </summary>
+        public readonly ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> IncludedGuestsOrExternalUsers;
+        /// <summary>
         /// A list of role IDs in scope of policy unless explicitly excluded.
         /// </summary>
         public readonly ImmutableArray<string> IncludedRoles;
         /// <summary>
         /// A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
         /// 
-        /// &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+        /// &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         /// </summary>
         public readonly ImmutableArray<string> IncludedUsers;
 
@@ -44,20 +52,26 @@ public sealed class ConditionalAccessPolicyConditionsUsers
         private ConditionalAccessPolicyConditionsUsers(
             ImmutableArray<string> excludedGroups,
 
+            ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> excludedGuestsOrExternalUsers,
+
             ImmutableArray<string> excludedRoles,
 
             ImmutableArray<string> excludedUsers,
 
             ImmutableArray<string> includedGroups,
 
+            ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> includedGuestsOrExternalUsers,
+
             ImmutableArray<string> includedRoles,
 
             ImmutableArray<string> includedUsers)
         {
             ExcludedGroups = excludedGroups;
+            ExcludedGuestsOrExternalUsers = excludedGuestsOrExternalUsers;
             ExcludedRoles = excludedRoles;
             ExcludedUsers = excludedUsers;
             IncludedGroups = includedGroups;
+            IncludedGuestsOrExternalUsers = includedGuestsOrExternalUsers;
             IncludedRoles = includedRoles;
             IncludedUsers = includedUsers;
         }
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.cs
new file mode 100644
index 000000000..1e84c2596
--- /dev/null
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.cs
@@ -0,0 +1,35 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Outputs
+{
+
+    [OutputType]
+    public sealed class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser
+    {
+        /// <summary>
+        /// An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        /// </summary>
+        public readonly ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> ExternalTenants;
+        /// <summary>
+        /// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        /// </summary>
+        public readonly ImmutableArray<string> GuestOrExternalUserTypes;
+
+        [OutputConstructor]
+        private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser(
+            ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> externalTenants,
+
+            ImmutableArray<string> guestOrExternalUserTypes)
+        {
+            ExternalTenants = externalTenants;
+            GuestOrExternalUserTypes = guestOrExternalUserTypes;
+        }
+    }
+}
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.cs
new file mode 100644
index 000000000..fa08f165c
--- /dev/null
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.cs
@@ -0,0 +1,35 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Outputs
+{
+
+    [OutputType]
+    public sealed class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant
+    {
+        /// <summary>
+        /// A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        /// </summary>
+        public readonly ImmutableArray<string> Members;
+        /// <summary>
+        /// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        /// </summary>
+        public readonly string MembershipKind;
+
+        [OutputConstructor]
+        private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant(
+            ImmutableArray<string> members,
+
+            string membershipKind)
+        {
+            Members = members;
+            MembershipKind = membershipKind;
+        }
+    }
+}
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.cs
new file mode 100644
index 000000000..c93d14a0c
--- /dev/null
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.cs
@@ -0,0 +1,35 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Outputs
+{
+
+    [OutputType]
+    public sealed class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser
+    {
+        /// <summary>
+        /// An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        /// </summary>
+        public readonly ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> ExternalTenants;
+        /// <summary>
+        /// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        /// </summary>
+        public readonly ImmutableArray<string> GuestOrExternalUserTypes;
+
+        [OutputConstructor]
+        private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser(
+            ImmutableArray<Outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> externalTenants,
+
+            ImmutableArray<string> guestOrExternalUserTypes)
+        {
+            ExternalTenants = externalTenants;
+            GuestOrExternalUserTypes = guestOrExternalUserTypes;
+        }
+    }
+}
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.cs
new file mode 100644
index 000000000..b5e617569
--- /dev/null
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.cs
@@ -0,0 +1,35 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+using System;
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Threading.Tasks;
+using Pulumi.Serialization;
+
+namespace Pulumi.AzureAD.Outputs
+{
+
+    [OutputType]
+    public sealed class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant
+    {
+        /// <summary>
+        /// A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        /// </summary>
+        public readonly ImmutableArray<string> Members;
+        /// <summary>
+        /// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        /// </summary>
+        public readonly string MembershipKind;
+
+        [OutputConstructor]
+        private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant(
+            ImmutableArray<string> members,
+
+            string membershipKind)
+        {
+            Members = members;
+            MembershipKind = membershipKind;
+        }
+    }
+}
diff --git a/sdk/dotnet/Outputs/ConditionalAccessPolicySessionControls.cs b/sdk/dotnet/Outputs/ConditionalAccessPolicySessionControls.cs
index fe1bec58b..36434fa44 100644
--- a/sdk/dotnet/Outputs/ConditionalAccessPolicySessionControls.cs
+++ b/sdk/dotnet/Outputs/ConditionalAccessPolicySessionControls.cs
@@ -32,11 +32,19 @@ public sealed class ConditionalAccessPolicySessionControls
         /// </summary>
         public readonly string? PersistentBrowserMode;
         /// <summary>
-        /// Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        /// Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
         /// </summary>
         public readonly int? SignInFrequency;
         /// <summary>
-        /// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        /// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        /// </summary>
+        public readonly string? SignInFrequencyAuthenticationType;
+        /// <summary>
+        /// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        /// </summary>
+        public readonly string? SignInFrequencyInterval;
+        /// <summary>
+        /// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         /// </summary>
         public readonly string? SignInFrequencyPeriod;
 
@@ -52,6 +60,10 @@ private ConditionalAccessPolicySessionControls(
 
             int? signInFrequency,
 
+            string? signInFrequencyAuthenticationType,
+
+            string? signInFrequencyInterval,
+
             string? signInFrequencyPeriod)
         {
             ApplicationEnforcedRestrictionsEnabled = applicationEnforcedRestrictionsEnabled;
@@ -59,6 +71,8 @@ private ConditionalAccessPolicySessionControls(
             DisableResilienceDefaults = disableResilienceDefaults;
             PersistentBrowserMode = persistentBrowserMode;
             SignInFrequency = signInFrequency;
+            SignInFrequencyAuthenticationType = signInFrequencyAuthenticationType;
+            SignInFrequencyInterval = signInFrequencyInterval;
             SignInFrequencyPeriod = signInFrequencyPeriod;
         }
     }
diff --git a/sdk/dotnet/ServicePrincipal.cs b/sdk/dotnet/ServicePrincipal.cs
index 73ff6b674..6078e2032 100644
--- a/sdk/dotnet/ServicePrincipal.cs
+++ b/sdk/dotnet/ServicePrincipal.cs
@@ -35,7 +35,7 @@ namespace Pulumi.AzureAD
     /// 
     ///     var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
     ///     {
-    ///         ApplicationId = exampleApplication.ApplicationId,
+    ///         ClientId = exampleApplication.ClientId,
     ///         AppRoleAssignmentRequired = false,
     ///         Owners = new[]
     ///         {
@@ -69,7 +69,7 @@ namespace Pulumi.AzureAD
     /// 
     ///     var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
     ///     {
-    ///         ApplicationId = exampleApplication.ApplicationId,
+    ///         ClientId = exampleApplication.ClientId,
     ///         AppRoleAssignmentRequired = false,
     ///         Owners = new[]
     ///         {
@@ -102,7 +102,7 @@ namespace Pulumi.AzureAD
     /// 
     ///     var msgraph = new AzureAD.ServicePrincipal("msgraph", new()
     ///     {
-    ///         ApplicationId = wellKnown.Apply(getApplicationPublishedAppIdsResult =&gt; getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
+    ///         ClientId = wellKnown.Apply(getApplicationPublishedAppIdsResult =&gt; getApplicationPublishedAppIdsResult.Result?.MicrosoftGraph),
     ///         UseExisting = true,
     ///     });
     /// 
@@ -132,7 +132,7 @@ namespace Pulumi.AzureAD
     /// 
     ///     var exampleServicePrincipal = new AzureAD.ServicePrincipal("exampleServicePrincipal", new()
     ///     {
-    ///         ApplicationId = exampleApplication.ApplicationId,
+    ///         ClientId = exampleApplication.ClientId,
     ///         UseExisting = true,
     ///     });
     /// 
diff --git a/sdk/go/azuread/application.go b/sdk/go/azuread/application.go
index 2e7f7b576..151440e83 100644
--- a/sdk/go/azuread/application.go
+++ b/sdk/go/azuread/application.go
@@ -111,7 +111,7 @@ import (
 //						Gallery:    pulumi.Bool(true),
 //					},
 //				},
-//				OptionalClaims: &azuread.ApplicationOptionalClaimsArgs{
+//				OptionalClaims: &azuread.ApplicationOptionalClaimsTypeArgs{
 //					AccessTokens: azuread.ApplicationOptionalClaimsAccessTokenArray{
 //						&azuread.ApplicationOptionalClaimsAccessTokenArgs{
 //							Name: pulumi.String("myclaim"),
@@ -278,7 +278,7 @@ type Application struct {
 	// The application's object ID.
 	ObjectId pulumi.StringOutput `pulumi:"objectId"`
 	// An `optionalClaims` block as documented below.
-	OptionalClaims ApplicationOptionalClaimsPtrOutput `pulumi:"optionalClaims"`
+	OptionalClaims ApplicationOptionalClaimsTypePtrOutput `pulumi:"optionalClaims"`
 	// A list of object IDs of principals that will be granted ownership of the application
 	Owners pulumi.StringArrayOutput `pulumi:"owners"`
 	// If `true`, will return an error if an existing application is found with the same name. Defaults to `false`.
@@ -395,7 +395,7 @@ type applicationState struct {
 	// The application's object ID.
 	ObjectId *string `pulumi:"objectId"`
 	// An `optionalClaims` block as documented below.
-	OptionalClaims *ApplicationOptionalClaims `pulumi:"optionalClaims"`
+	OptionalClaims *ApplicationOptionalClaimsType `pulumi:"optionalClaims"`
 	// A list of object IDs of principals that will be granted ownership of the application
 	Owners []string `pulumi:"owners"`
 	// If `true`, will return an error if an existing application is found with the same name. Defaults to `false`.
@@ -480,7 +480,7 @@ type ApplicationState struct {
 	// The application's object ID.
 	ObjectId pulumi.StringPtrInput
 	// An `optionalClaims` block as documented below.
-	OptionalClaims ApplicationOptionalClaimsPtrInput
+	OptionalClaims ApplicationOptionalClaimsTypePtrInput
 	// A list of object IDs of principals that will be granted ownership of the application
 	Owners pulumi.StringArrayInput
 	// If `true`, will return an error if an existing application is found with the same name. Defaults to `false`.
@@ -553,7 +553,7 @@ type applicationArgs struct {
 	// Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. Defaults to `false`, which specifies that only GET requests are allowed.
 	Oauth2PostResponseRequired *bool `pulumi:"oauth2PostResponseRequired"`
 	// An `optionalClaims` block as documented below.
-	OptionalClaims *ApplicationOptionalClaims `pulumi:"optionalClaims"`
+	OptionalClaims *ApplicationOptionalClaimsType `pulumi:"optionalClaims"`
 	// A list of object IDs of principals that will be granted ownership of the application
 	Owners []string `pulumi:"owners"`
 	// If `true`, will return an error if an existing application is found with the same name. Defaults to `false`.
@@ -621,7 +621,7 @@ type ApplicationArgs struct {
 	// Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. Defaults to `false`, which specifies that only GET requests are allowed.
 	Oauth2PostResponseRequired pulumi.BoolPtrInput
 	// An `optionalClaims` block as documented below.
-	OptionalClaims ApplicationOptionalClaimsPtrInput
+	OptionalClaims ApplicationOptionalClaimsTypePtrInput
 	// A list of object IDs of principals that will be granted ownership of the application
 	Owners pulumi.StringArrayInput
 	// If `true`, will return an error if an existing application is found with the same name. Defaults to `false`.
@@ -874,8 +874,8 @@ func (o ApplicationOutput) ObjectId() pulumi.StringOutput {
 }
 
 // An `optionalClaims` block as documented below.
-func (o ApplicationOutput) OptionalClaims() ApplicationOptionalClaimsPtrOutput {
-	return o.ApplyT(func(v *Application) ApplicationOptionalClaimsPtrOutput { return v.OptionalClaims }).(ApplicationOptionalClaimsPtrOutput)
+func (o ApplicationOutput) OptionalClaims() ApplicationOptionalClaimsTypePtrOutput {
+	return o.ApplyT(func(v *Application) ApplicationOptionalClaimsTypePtrOutput { return v.OptionalClaims }).(ApplicationOptionalClaimsTypePtrOutput)
 }
 
 // A list of object IDs of principals that will be granted ownership of the application
diff --git a/sdk/go/azuread/applicationOptionalClaims.go b/sdk/go/azuread/applicationOptionalClaims.go
new file mode 100644
index 000000000..284d93f03
--- /dev/null
+++ b/sdk/go/azuread/applicationOptionalClaims.go
@@ -0,0 +1,380 @@
+// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT.
+// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! ***
+
+package azuread
+
+import (
+	"context"
+	"reflect"
+
+	"errors"
+	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread/internal"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumix"
+)
+
+// ## Example Usage
+//
+// ```go
+// package main
+//
+// import (
+//
+//	"github.com/pulumi/pulumi-azuread/sdk/v5/go/azuread"
+//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+//	func main() {
+//		pulumi.Run(func(ctx *pulumi.Context) error {
+//			exampleApplicationRegistration, err := azuread.NewApplicationRegistration(ctx, "exampleApplicationRegistration", &azuread.ApplicationRegistrationArgs{
+//				DisplayName: pulumi.String("example"),
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			_, err = azuread.NewApplicationOptionalClaims(ctx, "exampleApplicationOptionalClaims", &azuread.ApplicationOptionalClaimsArgs{
+//				ApplicationId: exampleApplicationRegistration.ID(),
+//				AccessTokens: azuread.ApplicationOptionalClaimsAccessTokenArray{
+//					&azuread.ApplicationOptionalClaimsAccessTokenArgs{
+//						Name: pulumi.String("myclaim"),
+//					},
+//					&azuread.ApplicationOptionalClaimsAccessTokenArgs{
+//						Name: pulumi.String("otherclaim"),
+//					},
+//				},
+//				IdTokens: azuread.ApplicationOptionalClaimsIdTokenArray{
+//					&azuread.ApplicationOptionalClaimsIdTokenArgs{
+//						Name:      pulumi.String("userclaim"),
+//						Source:    pulumi.String("user"),
+//						Essential: pulumi.Bool(true),
+//						AdditionalProperties: pulumi.StringArray{
+//							pulumi.String("emit_as_roles"),
+//						},
+//					},
+//				},
+//				Saml2Tokens: azuread.ApplicationOptionalClaimsSaml2TokenArray{
+//					&azuread.ApplicationOptionalClaimsSaml2TokenArgs{
+//						Name: pulumi.String("samlexample"),
+//					},
+//				},
+//			})
+//			if err != nil {
+//				return err
+//			}
+//			return nil
+//		})
+//	}
+//
+// ```
+//
+// ## Import
+//
+// Application Optional Claims can be imported using the object ID of the application, in the following format.
+//
+// ```sh
+//
+//	$ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000
+//
+// ```
+type ApplicationOptionalClaims struct {
+	pulumi.CustomResourceState
+
+	// One or more `accessToken` blocks as documented below.
+	AccessTokens ApplicationOptionalClaimsAccessTokenArrayOutput `pulumi:"accessTokens"`
+	// The resource ID of the application registration. Changing this forces a new resource to be created.
+	ApplicationId pulumi.StringOutput `pulumi:"applicationId"`
+	// One or more `idToken` blocks as documented below.
+	IdTokens ApplicationOptionalClaimsIdTokenArrayOutput `pulumi:"idTokens"`
+	// One or more `saml2Token` blocks as documented below.
+	//
+	// > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+	Saml2Tokens ApplicationOptionalClaimsSaml2TokenArrayOutput `pulumi:"saml2Tokens"`
+}
+
+// NewApplicationOptionalClaims registers a new resource with the given unique name, arguments, and options.
+func NewApplicationOptionalClaims(ctx *pulumi.Context,
+	name string, args *ApplicationOptionalClaimsArgs, opts ...pulumi.ResourceOption) (*ApplicationOptionalClaims, error) {
+	if args == nil {
+		return nil, errors.New("missing one or more required arguments")
+	}
+
+	if args.ApplicationId == nil {
+		return nil, errors.New("invalid value for required argument 'ApplicationId'")
+	}
+	opts = internal.PkgResourceDefaultOpts(opts)
+	var resource ApplicationOptionalClaims
+	err := ctx.RegisterResource("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims", name, args, &resource, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// GetApplicationOptionalClaims gets an existing ApplicationOptionalClaims resource's state with the given name, ID, and optional
+// state properties that are used to uniquely qualify the lookup (nil if not required).
+func GetApplicationOptionalClaims(ctx *pulumi.Context,
+	name string, id pulumi.IDInput, state *ApplicationOptionalClaimsState, opts ...pulumi.ResourceOption) (*ApplicationOptionalClaims, error) {
+	var resource ApplicationOptionalClaims
+	err := ctx.ReadResource("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims", name, id, state, &resource, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return &resource, nil
+}
+
+// Input properties used for looking up and filtering ApplicationOptionalClaims resources.
+type applicationOptionalClaimsState struct {
+	// One or more `accessToken` blocks as documented below.
+	AccessTokens []ApplicationOptionalClaimsAccessToken `pulumi:"accessTokens"`
+	// The resource ID of the application registration. Changing this forces a new resource to be created.
+	ApplicationId *string `pulumi:"applicationId"`
+	// One or more `idToken` blocks as documented below.
+	IdTokens []ApplicationOptionalClaimsIdToken `pulumi:"idTokens"`
+	// One or more `saml2Token` blocks as documented below.
+	//
+	// > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+	Saml2Tokens []ApplicationOptionalClaimsSaml2Token `pulumi:"saml2Tokens"`
+}
+
+type ApplicationOptionalClaimsState struct {
+	// One or more `accessToken` blocks as documented below.
+	AccessTokens ApplicationOptionalClaimsAccessTokenArrayInput
+	// The resource ID of the application registration. Changing this forces a new resource to be created.
+	ApplicationId pulumi.StringPtrInput
+	// One or more `idToken` blocks as documented below.
+	IdTokens ApplicationOptionalClaimsIdTokenArrayInput
+	// One or more `saml2Token` blocks as documented below.
+	//
+	// > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+	Saml2Tokens ApplicationOptionalClaimsSaml2TokenArrayInput
+}
+
+func (ApplicationOptionalClaimsState) ElementType() reflect.Type {
+	return reflect.TypeOf((*applicationOptionalClaimsState)(nil)).Elem()
+}
+
+type applicationOptionalClaimsArgs struct {
+	// One or more `accessToken` blocks as documented below.
+	AccessTokens []ApplicationOptionalClaimsAccessToken `pulumi:"accessTokens"`
+	// The resource ID of the application registration. Changing this forces a new resource to be created.
+	ApplicationId string `pulumi:"applicationId"`
+	// One or more `idToken` blocks as documented below.
+	IdTokens []ApplicationOptionalClaimsIdToken `pulumi:"idTokens"`
+	// One or more `saml2Token` blocks as documented below.
+	//
+	// > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+	Saml2Tokens []ApplicationOptionalClaimsSaml2Token `pulumi:"saml2Tokens"`
+}
+
+// The set of arguments for constructing a ApplicationOptionalClaims resource.
+type ApplicationOptionalClaimsArgs struct {
+	// One or more `accessToken` blocks as documented below.
+	AccessTokens ApplicationOptionalClaimsAccessTokenArrayInput
+	// The resource ID of the application registration. Changing this forces a new resource to be created.
+	ApplicationId pulumi.StringInput
+	// One or more `idToken` blocks as documented below.
+	IdTokens ApplicationOptionalClaimsIdTokenArrayInput
+	// One or more `saml2Token` blocks as documented below.
+	//
+	// > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+	Saml2Tokens ApplicationOptionalClaimsSaml2TokenArrayInput
+}
+
+func (ApplicationOptionalClaimsArgs) ElementType() reflect.Type {
+	return reflect.TypeOf((*applicationOptionalClaimsArgs)(nil)).Elem()
+}
+
+type ApplicationOptionalClaimsInput interface {
+	pulumi.Input
+
+	ToApplicationOptionalClaimsOutput() ApplicationOptionalClaimsOutput
+	ToApplicationOptionalClaimsOutputWithContext(ctx context.Context) ApplicationOptionalClaimsOutput
+}
+
+func (*ApplicationOptionalClaims) ElementType() reflect.Type {
+	return reflect.TypeOf((**ApplicationOptionalClaims)(nil)).Elem()
+}
+
+func (i *ApplicationOptionalClaims) ToApplicationOptionalClaimsOutput() ApplicationOptionalClaimsOutput {
+	return i.ToApplicationOptionalClaimsOutputWithContext(context.Background())
+}
+
+func (i *ApplicationOptionalClaims) ToApplicationOptionalClaimsOutputWithContext(ctx context.Context) ApplicationOptionalClaimsOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsOutput)
+}
+
+func (i *ApplicationOptionalClaims) ToOutput(ctx context.Context) pulumix.Output[*ApplicationOptionalClaims] {
+	return pulumix.Output[*ApplicationOptionalClaims]{
+		OutputState: i.ToApplicationOptionalClaimsOutputWithContext(ctx).OutputState,
+	}
+}
+
+// ApplicationOptionalClaimsArrayInput is an input type that accepts ApplicationOptionalClaimsArray and ApplicationOptionalClaimsArrayOutput values.
+// You can construct a concrete instance of `ApplicationOptionalClaimsArrayInput` via:
+//
+//	ApplicationOptionalClaimsArray{ ApplicationOptionalClaimsArgs{...} }
+type ApplicationOptionalClaimsArrayInput interface {
+	pulumi.Input
+
+	ToApplicationOptionalClaimsArrayOutput() ApplicationOptionalClaimsArrayOutput
+	ToApplicationOptionalClaimsArrayOutputWithContext(context.Context) ApplicationOptionalClaimsArrayOutput
+}
+
+type ApplicationOptionalClaimsArray []ApplicationOptionalClaimsInput
+
+func (ApplicationOptionalClaimsArray) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]*ApplicationOptionalClaims)(nil)).Elem()
+}
+
+func (i ApplicationOptionalClaimsArray) ToApplicationOptionalClaimsArrayOutput() ApplicationOptionalClaimsArrayOutput {
+	return i.ToApplicationOptionalClaimsArrayOutputWithContext(context.Background())
+}
+
+func (i ApplicationOptionalClaimsArray) ToApplicationOptionalClaimsArrayOutputWithContext(ctx context.Context) ApplicationOptionalClaimsArrayOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsArrayOutput)
+}
+
+func (i ApplicationOptionalClaimsArray) ToOutput(ctx context.Context) pulumix.Output[[]*ApplicationOptionalClaims] {
+	return pulumix.Output[[]*ApplicationOptionalClaims]{
+		OutputState: i.ToApplicationOptionalClaimsArrayOutputWithContext(ctx).OutputState,
+	}
+}
+
+// ApplicationOptionalClaimsMapInput is an input type that accepts ApplicationOptionalClaimsMap and ApplicationOptionalClaimsMapOutput values.
+// You can construct a concrete instance of `ApplicationOptionalClaimsMapInput` via:
+//
+//	ApplicationOptionalClaimsMap{ "key": ApplicationOptionalClaimsArgs{...} }
+type ApplicationOptionalClaimsMapInput interface {
+	pulumi.Input
+
+	ToApplicationOptionalClaimsMapOutput() ApplicationOptionalClaimsMapOutput
+	ToApplicationOptionalClaimsMapOutputWithContext(context.Context) ApplicationOptionalClaimsMapOutput
+}
+
+type ApplicationOptionalClaimsMap map[string]ApplicationOptionalClaimsInput
+
+func (ApplicationOptionalClaimsMap) ElementType() reflect.Type {
+	return reflect.TypeOf((*map[string]*ApplicationOptionalClaims)(nil)).Elem()
+}
+
+func (i ApplicationOptionalClaimsMap) ToApplicationOptionalClaimsMapOutput() ApplicationOptionalClaimsMapOutput {
+	return i.ToApplicationOptionalClaimsMapOutputWithContext(context.Background())
+}
+
+func (i ApplicationOptionalClaimsMap) ToApplicationOptionalClaimsMapOutputWithContext(ctx context.Context) ApplicationOptionalClaimsMapOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsMapOutput)
+}
+
+func (i ApplicationOptionalClaimsMap) ToOutput(ctx context.Context) pulumix.Output[map[string]*ApplicationOptionalClaims] {
+	return pulumix.Output[map[string]*ApplicationOptionalClaims]{
+		OutputState: i.ToApplicationOptionalClaimsMapOutputWithContext(ctx).OutputState,
+	}
+}
+
+type ApplicationOptionalClaimsOutput struct{ *pulumi.OutputState }
+
+func (ApplicationOptionalClaimsOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((**ApplicationOptionalClaims)(nil)).Elem()
+}
+
+func (o ApplicationOptionalClaimsOutput) ToApplicationOptionalClaimsOutput() ApplicationOptionalClaimsOutput {
+	return o
+}
+
+func (o ApplicationOptionalClaimsOutput) ToApplicationOptionalClaimsOutputWithContext(ctx context.Context) ApplicationOptionalClaimsOutput {
+	return o
+}
+
+func (o ApplicationOptionalClaimsOutput) ToOutput(ctx context.Context) pulumix.Output[*ApplicationOptionalClaims] {
+	return pulumix.Output[*ApplicationOptionalClaims]{
+		OutputState: o.OutputState,
+	}
+}
+
+// One or more `accessToken` blocks as documented below.
+func (o ApplicationOptionalClaimsOutput) AccessTokens() ApplicationOptionalClaimsAccessTokenArrayOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaims) ApplicationOptionalClaimsAccessTokenArrayOutput {
+		return v.AccessTokens
+	}).(ApplicationOptionalClaimsAccessTokenArrayOutput)
+}
+
+// The resource ID of the application registration. Changing this forces a new resource to be created.
+func (o ApplicationOptionalClaimsOutput) ApplicationId() pulumi.StringOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaims) pulumi.StringOutput { return v.ApplicationId }).(pulumi.StringOutput)
+}
+
+// One or more `idToken` blocks as documented below.
+func (o ApplicationOptionalClaimsOutput) IdTokens() ApplicationOptionalClaimsIdTokenArrayOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaims) ApplicationOptionalClaimsIdTokenArrayOutput { return v.IdTokens }).(ApplicationOptionalClaimsIdTokenArrayOutput)
+}
+
+// One or more `saml2Token` blocks as documented below.
+//
+// > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+func (o ApplicationOptionalClaimsOutput) Saml2Tokens() ApplicationOptionalClaimsSaml2TokenArrayOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaims) ApplicationOptionalClaimsSaml2TokenArrayOutput {
+		return v.Saml2Tokens
+	}).(ApplicationOptionalClaimsSaml2TokenArrayOutput)
+}
+
+type ApplicationOptionalClaimsArrayOutput struct{ *pulumi.OutputState }
+
+func (ApplicationOptionalClaimsArrayOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]*ApplicationOptionalClaims)(nil)).Elem()
+}
+
+func (o ApplicationOptionalClaimsArrayOutput) ToApplicationOptionalClaimsArrayOutput() ApplicationOptionalClaimsArrayOutput {
+	return o
+}
+
+func (o ApplicationOptionalClaimsArrayOutput) ToApplicationOptionalClaimsArrayOutputWithContext(ctx context.Context) ApplicationOptionalClaimsArrayOutput {
+	return o
+}
+
+func (o ApplicationOptionalClaimsArrayOutput) ToOutput(ctx context.Context) pulumix.Output[[]*ApplicationOptionalClaims] {
+	return pulumix.Output[[]*ApplicationOptionalClaims]{
+		OutputState: o.OutputState,
+	}
+}
+
+func (o ApplicationOptionalClaimsArrayOutput) Index(i pulumi.IntInput) ApplicationOptionalClaimsOutput {
+	return pulumi.All(o, i).ApplyT(func(vs []interface{}) *ApplicationOptionalClaims {
+		return vs[0].([]*ApplicationOptionalClaims)[vs[1].(int)]
+	}).(ApplicationOptionalClaimsOutput)
+}
+
+type ApplicationOptionalClaimsMapOutput struct{ *pulumi.OutputState }
+
+func (ApplicationOptionalClaimsMapOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*map[string]*ApplicationOptionalClaims)(nil)).Elem()
+}
+
+func (o ApplicationOptionalClaimsMapOutput) ToApplicationOptionalClaimsMapOutput() ApplicationOptionalClaimsMapOutput {
+	return o
+}
+
+func (o ApplicationOptionalClaimsMapOutput) ToApplicationOptionalClaimsMapOutputWithContext(ctx context.Context) ApplicationOptionalClaimsMapOutput {
+	return o
+}
+
+func (o ApplicationOptionalClaimsMapOutput) ToOutput(ctx context.Context) pulumix.Output[map[string]*ApplicationOptionalClaims] {
+	return pulumix.Output[map[string]*ApplicationOptionalClaims]{
+		OutputState: o.OutputState,
+	}
+}
+
+func (o ApplicationOptionalClaimsMapOutput) MapIndex(k pulumi.StringInput) ApplicationOptionalClaimsOutput {
+	return pulumi.All(o, k).ApplyT(func(vs []interface{}) *ApplicationOptionalClaims {
+		return vs[0].(map[string]*ApplicationOptionalClaims)[vs[1].(string)]
+	}).(ApplicationOptionalClaimsOutput)
+}
+
+func init() {
+	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsInput)(nil)).Elem(), &ApplicationOptionalClaims{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsArrayInput)(nil)).Elem(), ApplicationOptionalClaimsArray{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsMapInput)(nil)).Elem(), ApplicationOptionalClaimsMap{})
+	pulumi.RegisterOutputType(ApplicationOptionalClaimsOutput{})
+	pulumi.RegisterOutputType(ApplicationOptionalClaimsArrayOutput{})
+	pulumi.RegisterOutputType(ApplicationOptionalClaimsMapOutput{})
+}
diff --git a/sdk/go/azuread/getApplicationPublishedAppIds.go b/sdk/go/azuread/getApplicationPublishedAppIds.go
index 7613925ba..e9d63268d 100644
--- a/sdk/go/azuread/getApplicationPublishedAppIds.go
+++ b/sdk/go/azuread/getApplicationPublishedAppIds.go
@@ -64,8 +64,8 @@ import (
 //				return err
 //			}
 //			msgraph, err := azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
-//				ApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),
-//				UseExisting:   pulumi.Bool(true),
+//				ClientId:    *pulumi.String(wellKnown.Result.MicrosoftGraph),
+//				UseExisting: pulumi.Bool(true),
 //			})
 //			if err != nil {
 //				return err
diff --git a/sdk/go/azuread/init.go b/sdk/go/azuread/init.go
index 4d171d10c..99898a649 100644
--- a/sdk/go/azuread/init.go
+++ b/sdk/go/azuread/init.go
@@ -59,6 +59,8 @@ func (m *module) Construct(ctx *pulumi.Context, name, typ, urn string) (r pulumi
 		r = &ApplicationIdentifierUri{}
 	case "azuread:index/applicationKnownClients:ApplicationKnownClients":
 		r = &ApplicationKnownClients{}
+	case "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims":
+		r = &ApplicationOptionalClaims{}
 	case "azuread:index/applicationOwner:ApplicationOwner":
 		r = &ApplicationOwner{}
 	case "azuread:index/applicationPassword:ApplicationPassword":
@@ -241,6 +243,11 @@ func init() {
 		"index/applicationKnownClients",
 		&module{version},
 	)
+	pulumi.RegisterResourceModule(
+		"azuread",
+		"index/applicationOptionalClaims",
+		&module{version},
+	)
 	pulumi.RegisterResourceModule(
 		"azuread",
 		"index/applicationOwner",
diff --git a/sdk/go/azuread/pulumiTypes.go b/sdk/go/azuread/pulumiTypes.go
index be1e27aa9..37bd9e2df 100644
--- a/sdk/go/azuread/pulumiTypes.go
+++ b/sdk/go/azuread/pulumiTypes.go
@@ -2898,7 +2898,7 @@ func (o ApplicationFeatureTagArrayOutput) Index(i pulumi.IntInput) ApplicationFe
 	}).(ApplicationFeatureTagOutput)
 }
 
-type ApplicationOptionalClaims struct {
+type ApplicationOptionalClaimsType struct {
 	// One or more `accessToken` blocks as documented below.
 	AccessTokens []ApplicationOptionalClaimsAccessToken `pulumi:"accessTokens"`
 	// One or more `idToken` blocks as documented below.
@@ -2907,18 +2907,18 @@ type ApplicationOptionalClaims struct {
 	Saml2Tokens []ApplicationOptionalClaimsSaml2Token `pulumi:"saml2Tokens"`
 }
 
-// ApplicationOptionalClaimsInput is an input type that accepts ApplicationOptionalClaimsArgs and ApplicationOptionalClaimsOutput values.
-// You can construct a concrete instance of `ApplicationOptionalClaimsInput` via:
+// ApplicationOptionalClaimsTypeInput is an input type that accepts ApplicationOptionalClaimsTypeArgs and ApplicationOptionalClaimsTypeOutput values.
+// You can construct a concrete instance of `ApplicationOptionalClaimsTypeInput` via:
 //
-//	ApplicationOptionalClaimsArgs{...}
-type ApplicationOptionalClaimsInput interface {
+//	ApplicationOptionalClaimsTypeArgs{...}
+type ApplicationOptionalClaimsTypeInput interface {
 	pulumi.Input
 
-	ToApplicationOptionalClaimsOutput() ApplicationOptionalClaimsOutput
-	ToApplicationOptionalClaimsOutputWithContext(context.Context) ApplicationOptionalClaimsOutput
+	ToApplicationOptionalClaimsTypeOutput() ApplicationOptionalClaimsTypeOutput
+	ToApplicationOptionalClaimsTypeOutputWithContext(context.Context) ApplicationOptionalClaimsTypeOutput
 }
 
-type ApplicationOptionalClaimsArgs struct {
+type ApplicationOptionalClaimsTypeArgs struct {
 	// One or more `accessToken` blocks as documented below.
 	AccessTokens ApplicationOptionalClaimsAccessTokenArrayInput `pulumi:"accessTokens"`
 	// One or more `idToken` blocks as documented below.
@@ -2927,149 +2927,149 @@ type ApplicationOptionalClaimsArgs struct {
 	Saml2Tokens ApplicationOptionalClaimsSaml2TokenArrayInput `pulumi:"saml2Tokens"`
 }
 
-func (ApplicationOptionalClaimsArgs) ElementType() reflect.Type {
-	return reflect.TypeOf((*ApplicationOptionalClaims)(nil)).Elem()
+func (ApplicationOptionalClaimsTypeArgs) ElementType() reflect.Type {
+	return reflect.TypeOf((*ApplicationOptionalClaimsType)(nil)).Elem()
 }
 
-func (i ApplicationOptionalClaimsArgs) ToApplicationOptionalClaimsOutput() ApplicationOptionalClaimsOutput {
-	return i.ToApplicationOptionalClaimsOutputWithContext(context.Background())
+func (i ApplicationOptionalClaimsTypeArgs) ToApplicationOptionalClaimsTypeOutput() ApplicationOptionalClaimsTypeOutput {
+	return i.ToApplicationOptionalClaimsTypeOutputWithContext(context.Background())
 }
 
-func (i ApplicationOptionalClaimsArgs) ToApplicationOptionalClaimsOutputWithContext(ctx context.Context) ApplicationOptionalClaimsOutput {
-	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsOutput)
+func (i ApplicationOptionalClaimsTypeArgs) ToApplicationOptionalClaimsTypeOutputWithContext(ctx context.Context) ApplicationOptionalClaimsTypeOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsTypeOutput)
 }
 
-func (i ApplicationOptionalClaimsArgs) ToOutput(ctx context.Context) pulumix.Output[ApplicationOptionalClaims] {
-	return pulumix.Output[ApplicationOptionalClaims]{
-		OutputState: i.ToApplicationOptionalClaimsOutputWithContext(ctx).OutputState,
+func (i ApplicationOptionalClaimsTypeArgs) ToOutput(ctx context.Context) pulumix.Output[ApplicationOptionalClaimsType] {
+	return pulumix.Output[ApplicationOptionalClaimsType]{
+		OutputState: i.ToApplicationOptionalClaimsTypeOutputWithContext(ctx).OutputState,
 	}
 }
 
-func (i ApplicationOptionalClaimsArgs) ToApplicationOptionalClaimsPtrOutput() ApplicationOptionalClaimsPtrOutput {
-	return i.ToApplicationOptionalClaimsPtrOutputWithContext(context.Background())
+func (i ApplicationOptionalClaimsTypeArgs) ToApplicationOptionalClaimsTypePtrOutput() ApplicationOptionalClaimsTypePtrOutput {
+	return i.ToApplicationOptionalClaimsTypePtrOutputWithContext(context.Background())
 }
 
-func (i ApplicationOptionalClaimsArgs) ToApplicationOptionalClaimsPtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsPtrOutput {
-	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsOutput).ToApplicationOptionalClaimsPtrOutputWithContext(ctx)
+func (i ApplicationOptionalClaimsTypeArgs) ToApplicationOptionalClaimsTypePtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsTypePtrOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsTypeOutput).ToApplicationOptionalClaimsTypePtrOutputWithContext(ctx)
 }
 
-// ApplicationOptionalClaimsPtrInput is an input type that accepts ApplicationOptionalClaimsArgs, ApplicationOptionalClaimsPtr and ApplicationOptionalClaimsPtrOutput values.
-// You can construct a concrete instance of `ApplicationOptionalClaimsPtrInput` via:
+// ApplicationOptionalClaimsTypePtrInput is an input type that accepts ApplicationOptionalClaimsTypeArgs, ApplicationOptionalClaimsTypePtr and ApplicationOptionalClaimsTypePtrOutput values.
+// You can construct a concrete instance of `ApplicationOptionalClaimsTypePtrInput` via:
 //
-//	        ApplicationOptionalClaimsArgs{...}
+//	        ApplicationOptionalClaimsTypeArgs{...}
 //
 //	or:
 //
 //	        nil
-type ApplicationOptionalClaimsPtrInput interface {
+type ApplicationOptionalClaimsTypePtrInput interface {
 	pulumi.Input
 
-	ToApplicationOptionalClaimsPtrOutput() ApplicationOptionalClaimsPtrOutput
-	ToApplicationOptionalClaimsPtrOutputWithContext(context.Context) ApplicationOptionalClaimsPtrOutput
+	ToApplicationOptionalClaimsTypePtrOutput() ApplicationOptionalClaimsTypePtrOutput
+	ToApplicationOptionalClaimsTypePtrOutputWithContext(context.Context) ApplicationOptionalClaimsTypePtrOutput
 }
 
-type applicationOptionalClaimsPtrType ApplicationOptionalClaimsArgs
+type applicationOptionalClaimsTypePtrType ApplicationOptionalClaimsTypeArgs
 
-func ApplicationOptionalClaimsPtr(v *ApplicationOptionalClaimsArgs) ApplicationOptionalClaimsPtrInput {
-	return (*applicationOptionalClaimsPtrType)(v)
+func ApplicationOptionalClaimsTypePtr(v *ApplicationOptionalClaimsTypeArgs) ApplicationOptionalClaimsTypePtrInput {
+	return (*applicationOptionalClaimsTypePtrType)(v)
 }
 
-func (*applicationOptionalClaimsPtrType) ElementType() reflect.Type {
-	return reflect.TypeOf((**ApplicationOptionalClaims)(nil)).Elem()
+func (*applicationOptionalClaimsTypePtrType) ElementType() reflect.Type {
+	return reflect.TypeOf((**ApplicationOptionalClaimsType)(nil)).Elem()
 }
 
-func (i *applicationOptionalClaimsPtrType) ToApplicationOptionalClaimsPtrOutput() ApplicationOptionalClaimsPtrOutput {
-	return i.ToApplicationOptionalClaimsPtrOutputWithContext(context.Background())
+func (i *applicationOptionalClaimsTypePtrType) ToApplicationOptionalClaimsTypePtrOutput() ApplicationOptionalClaimsTypePtrOutput {
+	return i.ToApplicationOptionalClaimsTypePtrOutputWithContext(context.Background())
 }
 
-func (i *applicationOptionalClaimsPtrType) ToApplicationOptionalClaimsPtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsPtrOutput {
-	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsPtrOutput)
+func (i *applicationOptionalClaimsTypePtrType) ToApplicationOptionalClaimsTypePtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsTypePtrOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ApplicationOptionalClaimsTypePtrOutput)
 }
 
-func (i *applicationOptionalClaimsPtrType) ToOutput(ctx context.Context) pulumix.Output[*ApplicationOptionalClaims] {
-	return pulumix.Output[*ApplicationOptionalClaims]{
-		OutputState: i.ToApplicationOptionalClaimsPtrOutputWithContext(ctx).OutputState,
+func (i *applicationOptionalClaimsTypePtrType) ToOutput(ctx context.Context) pulumix.Output[*ApplicationOptionalClaimsType] {
+	return pulumix.Output[*ApplicationOptionalClaimsType]{
+		OutputState: i.ToApplicationOptionalClaimsTypePtrOutputWithContext(ctx).OutputState,
 	}
 }
 
-type ApplicationOptionalClaimsOutput struct{ *pulumi.OutputState }
+type ApplicationOptionalClaimsTypeOutput struct{ *pulumi.OutputState }
 
-func (ApplicationOptionalClaimsOutput) ElementType() reflect.Type {
-	return reflect.TypeOf((*ApplicationOptionalClaims)(nil)).Elem()
+func (ApplicationOptionalClaimsTypeOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*ApplicationOptionalClaimsType)(nil)).Elem()
 }
 
-func (o ApplicationOptionalClaimsOutput) ToApplicationOptionalClaimsOutput() ApplicationOptionalClaimsOutput {
+func (o ApplicationOptionalClaimsTypeOutput) ToApplicationOptionalClaimsTypeOutput() ApplicationOptionalClaimsTypeOutput {
 	return o
 }
 
-func (o ApplicationOptionalClaimsOutput) ToApplicationOptionalClaimsOutputWithContext(ctx context.Context) ApplicationOptionalClaimsOutput {
+func (o ApplicationOptionalClaimsTypeOutput) ToApplicationOptionalClaimsTypeOutputWithContext(ctx context.Context) ApplicationOptionalClaimsTypeOutput {
 	return o
 }
 
-func (o ApplicationOptionalClaimsOutput) ToApplicationOptionalClaimsPtrOutput() ApplicationOptionalClaimsPtrOutput {
-	return o.ToApplicationOptionalClaimsPtrOutputWithContext(context.Background())
+func (o ApplicationOptionalClaimsTypeOutput) ToApplicationOptionalClaimsTypePtrOutput() ApplicationOptionalClaimsTypePtrOutput {
+	return o.ToApplicationOptionalClaimsTypePtrOutputWithContext(context.Background())
 }
 
-func (o ApplicationOptionalClaimsOutput) ToApplicationOptionalClaimsPtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsPtrOutput {
-	return o.ApplyTWithContext(ctx, func(_ context.Context, v ApplicationOptionalClaims) *ApplicationOptionalClaims {
+func (o ApplicationOptionalClaimsTypeOutput) ToApplicationOptionalClaimsTypePtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsTypePtrOutput {
+	return o.ApplyTWithContext(ctx, func(_ context.Context, v ApplicationOptionalClaimsType) *ApplicationOptionalClaimsType {
 		return &v
-	}).(ApplicationOptionalClaimsPtrOutput)
+	}).(ApplicationOptionalClaimsTypePtrOutput)
 }
 
-func (o ApplicationOptionalClaimsOutput) ToOutput(ctx context.Context) pulumix.Output[ApplicationOptionalClaims] {
-	return pulumix.Output[ApplicationOptionalClaims]{
+func (o ApplicationOptionalClaimsTypeOutput) ToOutput(ctx context.Context) pulumix.Output[ApplicationOptionalClaimsType] {
+	return pulumix.Output[ApplicationOptionalClaimsType]{
 		OutputState: o.OutputState,
 	}
 }
 
 // One or more `accessToken` blocks as documented below.
-func (o ApplicationOptionalClaimsOutput) AccessTokens() ApplicationOptionalClaimsAccessTokenArrayOutput {
-	return o.ApplyT(func(v ApplicationOptionalClaims) []ApplicationOptionalClaimsAccessToken { return v.AccessTokens }).(ApplicationOptionalClaimsAccessTokenArrayOutput)
+func (o ApplicationOptionalClaimsTypeOutput) AccessTokens() ApplicationOptionalClaimsAccessTokenArrayOutput {
+	return o.ApplyT(func(v ApplicationOptionalClaimsType) []ApplicationOptionalClaimsAccessToken { return v.AccessTokens }).(ApplicationOptionalClaimsAccessTokenArrayOutput)
 }
 
 // One or more `idToken` blocks as documented below.
-func (o ApplicationOptionalClaimsOutput) IdTokens() ApplicationOptionalClaimsIdTokenArrayOutput {
-	return o.ApplyT(func(v ApplicationOptionalClaims) []ApplicationOptionalClaimsIdToken { return v.IdTokens }).(ApplicationOptionalClaimsIdTokenArrayOutput)
+func (o ApplicationOptionalClaimsTypeOutput) IdTokens() ApplicationOptionalClaimsIdTokenArrayOutput {
+	return o.ApplyT(func(v ApplicationOptionalClaimsType) []ApplicationOptionalClaimsIdToken { return v.IdTokens }).(ApplicationOptionalClaimsIdTokenArrayOutput)
 }
 
 // One or more `saml2Token` blocks as documented below.
-func (o ApplicationOptionalClaimsOutput) Saml2Tokens() ApplicationOptionalClaimsSaml2TokenArrayOutput {
-	return o.ApplyT(func(v ApplicationOptionalClaims) []ApplicationOptionalClaimsSaml2Token { return v.Saml2Tokens }).(ApplicationOptionalClaimsSaml2TokenArrayOutput)
+func (o ApplicationOptionalClaimsTypeOutput) Saml2Tokens() ApplicationOptionalClaimsSaml2TokenArrayOutput {
+	return o.ApplyT(func(v ApplicationOptionalClaimsType) []ApplicationOptionalClaimsSaml2Token { return v.Saml2Tokens }).(ApplicationOptionalClaimsSaml2TokenArrayOutput)
 }
 
-type ApplicationOptionalClaimsPtrOutput struct{ *pulumi.OutputState }
+type ApplicationOptionalClaimsTypePtrOutput struct{ *pulumi.OutputState }
 
-func (ApplicationOptionalClaimsPtrOutput) ElementType() reflect.Type {
-	return reflect.TypeOf((**ApplicationOptionalClaims)(nil)).Elem()
+func (ApplicationOptionalClaimsTypePtrOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((**ApplicationOptionalClaimsType)(nil)).Elem()
 }
 
-func (o ApplicationOptionalClaimsPtrOutput) ToApplicationOptionalClaimsPtrOutput() ApplicationOptionalClaimsPtrOutput {
+func (o ApplicationOptionalClaimsTypePtrOutput) ToApplicationOptionalClaimsTypePtrOutput() ApplicationOptionalClaimsTypePtrOutput {
 	return o
 }
 
-func (o ApplicationOptionalClaimsPtrOutput) ToApplicationOptionalClaimsPtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsPtrOutput {
+func (o ApplicationOptionalClaimsTypePtrOutput) ToApplicationOptionalClaimsTypePtrOutputWithContext(ctx context.Context) ApplicationOptionalClaimsTypePtrOutput {
 	return o
 }
 
-func (o ApplicationOptionalClaimsPtrOutput) ToOutput(ctx context.Context) pulumix.Output[*ApplicationOptionalClaims] {
-	return pulumix.Output[*ApplicationOptionalClaims]{
+func (o ApplicationOptionalClaimsTypePtrOutput) ToOutput(ctx context.Context) pulumix.Output[*ApplicationOptionalClaimsType] {
+	return pulumix.Output[*ApplicationOptionalClaimsType]{
 		OutputState: o.OutputState,
 	}
 }
 
-func (o ApplicationOptionalClaimsPtrOutput) Elem() ApplicationOptionalClaimsOutput {
-	return o.ApplyT(func(v *ApplicationOptionalClaims) ApplicationOptionalClaims {
+func (o ApplicationOptionalClaimsTypePtrOutput) Elem() ApplicationOptionalClaimsTypeOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaimsType) ApplicationOptionalClaimsType {
 		if v != nil {
 			return *v
 		}
-		var ret ApplicationOptionalClaims
+		var ret ApplicationOptionalClaimsType
 		return ret
-	}).(ApplicationOptionalClaimsOutput)
+	}).(ApplicationOptionalClaimsTypeOutput)
 }
 
 // One or more `accessToken` blocks as documented below.
-func (o ApplicationOptionalClaimsPtrOutput) AccessTokens() ApplicationOptionalClaimsAccessTokenArrayOutput {
-	return o.ApplyT(func(v *ApplicationOptionalClaims) []ApplicationOptionalClaimsAccessToken {
+func (o ApplicationOptionalClaimsTypePtrOutput) AccessTokens() ApplicationOptionalClaimsAccessTokenArrayOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaimsType) []ApplicationOptionalClaimsAccessToken {
 		if v == nil {
 			return nil
 		}
@@ -3078,8 +3078,8 @@ func (o ApplicationOptionalClaimsPtrOutput) AccessTokens() ApplicationOptionalCl
 }
 
 // One or more `idToken` blocks as documented below.
-func (o ApplicationOptionalClaimsPtrOutput) IdTokens() ApplicationOptionalClaimsIdTokenArrayOutput {
-	return o.ApplyT(func(v *ApplicationOptionalClaims) []ApplicationOptionalClaimsIdToken {
+func (o ApplicationOptionalClaimsTypePtrOutput) IdTokens() ApplicationOptionalClaimsIdTokenArrayOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaimsType) []ApplicationOptionalClaimsIdToken {
 		if v == nil {
 			return nil
 		}
@@ -3088,8 +3088,8 @@ func (o ApplicationOptionalClaimsPtrOutput) IdTokens() ApplicationOptionalClaims
 }
 
 // One or more `saml2Token` blocks as documented below.
-func (o ApplicationOptionalClaimsPtrOutput) Saml2Tokens() ApplicationOptionalClaimsSaml2TokenArrayOutput {
-	return o.ApplyT(func(v *ApplicationOptionalClaims) []ApplicationOptionalClaimsSaml2Token {
+func (o ApplicationOptionalClaimsTypePtrOutput) Saml2Tokens() ApplicationOptionalClaimsSaml2TokenArrayOutput {
+	return o.ApplyT(func(v *ApplicationOptionalClaimsType) []ApplicationOptionalClaimsSaml2Token {
 		if v == nil {
 			return nil
 		}
@@ -3098,7 +3098,7 @@ func (o ApplicationOptionalClaimsPtrOutput) Saml2Tokens() ApplicationOptionalCla
 }
 
 type ApplicationOptionalClaimsAccessToken struct {
-	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 	AdditionalProperties []string `pulumi:"additionalProperties"`
 	// Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
 	Essential *bool `pulumi:"essential"`
@@ -3120,7 +3120,7 @@ type ApplicationOptionalClaimsAccessTokenInput interface {
 }
 
 type ApplicationOptionalClaimsAccessTokenArgs struct {
-	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 	AdditionalProperties pulumi.StringArrayInput `pulumi:"additionalProperties"`
 	// Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
 	Essential pulumi.BoolPtrInput `pulumi:"essential"`
@@ -3199,7 +3199,7 @@ func (o ApplicationOptionalClaimsAccessTokenOutput) ToOutput(ctx context.Context
 	}
 }
 
-// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 func (o ApplicationOptionalClaimsAccessTokenOutput) AdditionalProperties() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v ApplicationOptionalClaimsAccessToken) []string { return v.AdditionalProperties }).(pulumi.StringArrayOutput)
 }
@@ -3246,7 +3246,7 @@ func (o ApplicationOptionalClaimsAccessTokenArrayOutput) Index(i pulumi.IntInput
 }
 
 type ApplicationOptionalClaimsIdToken struct {
-	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 	AdditionalProperties []string `pulumi:"additionalProperties"`
 	// Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
 	Essential *bool `pulumi:"essential"`
@@ -3268,7 +3268,7 @@ type ApplicationOptionalClaimsIdTokenInput interface {
 }
 
 type ApplicationOptionalClaimsIdTokenArgs struct {
-	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 	AdditionalProperties pulumi.StringArrayInput `pulumi:"additionalProperties"`
 	// Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
 	Essential pulumi.BoolPtrInput `pulumi:"essential"`
@@ -3347,7 +3347,7 @@ func (o ApplicationOptionalClaimsIdTokenOutput) ToOutput(ctx context.Context) pu
 	}
 }
 
-// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 func (o ApplicationOptionalClaimsIdTokenOutput) AdditionalProperties() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v ApplicationOptionalClaimsIdToken) []string { return v.AdditionalProperties }).(pulumi.StringArrayOutput)
 }
@@ -3394,7 +3394,7 @@ func (o ApplicationOptionalClaimsIdTokenArrayOutput) Index(i pulumi.IntInput) Ap
 }
 
 type ApplicationOptionalClaimsSaml2Token struct {
-	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 	AdditionalProperties []string `pulumi:"additionalProperties"`
 	// Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
 	Essential *bool `pulumi:"essential"`
@@ -3416,7 +3416,7 @@ type ApplicationOptionalClaimsSaml2TokenInput interface {
 }
 
 type ApplicationOptionalClaimsSaml2TokenArgs struct {
-	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+	// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 	AdditionalProperties pulumi.StringArrayInput `pulumi:"additionalProperties"`
 	// Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
 	Essential pulumi.BoolPtrInput `pulumi:"essential"`
@@ -3495,7 +3495,7 @@ func (o ApplicationOptionalClaimsSaml2TokenOutput) ToOutput(ctx context.Context)
 	}
 }
 
-// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+// List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
 func (o ApplicationOptionalClaimsSaml2TokenOutput) AdditionalProperties() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v ApplicationOptionalClaimsSaml2Token) []string { return v.AdditionalProperties }).(pulumi.StringArrayOutput)
 }
@@ -5253,7 +5253,7 @@ func (o ConditionalAccessPolicyConditionsClientApplicationsPtrOutput) IncludedSe
 }
 
 type ConditionalAccessPolicyConditionsDevices struct {
-	// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+	// A `filter` block as described below.
 	Filter *ConditionalAccessPolicyConditionsDevicesFilter `pulumi:"filter"`
 }
 
@@ -5269,7 +5269,7 @@ type ConditionalAccessPolicyConditionsDevicesInput interface {
 }
 
 type ConditionalAccessPolicyConditionsDevicesArgs struct {
-	// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+	// A `filter` block as described below.
 	Filter ConditionalAccessPolicyConditionsDevicesFilterPtrInput `pulumi:"filter"`
 }
 
@@ -5368,7 +5368,7 @@ func (o ConditionalAccessPolicyConditionsDevicesOutput) ToOutput(ctx context.Con
 	}
 }
 
-// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+// A `filter` block as described below.
 func (o ConditionalAccessPolicyConditionsDevicesOutput) Filter() ConditionalAccessPolicyConditionsDevicesFilterPtrOutput {
 	return o.ApplyT(func(v ConditionalAccessPolicyConditionsDevices) *ConditionalAccessPolicyConditionsDevicesFilter {
 		return v.Filter
@@ -5405,7 +5405,7 @@ func (o ConditionalAccessPolicyConditionsDevicesPtrOutput) Elem() ConditionalAcc
 	}).(ConditionalAccessPolicyConditionsDevicesOutput)
 }
 
-// A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+// A `filter` block as described below.
 func (o ConditionalAccessPolicyConditionsDevicesPtrOutput) Filter() ConditionalAccessPolicyConditionsDevicesFilterPtrOutput {
 	return o.ApplyT(func(v *ConditionalAccessPolicyConditionsDevices) *ConditionalAccessPolicyConditionsDevicesFilter {
 		if v == nil {
@@ -5958,17 +5958,21 @@ func (o ConditionalAccessPolicyConditionsPlatformsPtrOutput) IncludedPlatforms()
 type ConditionalAccessPolicyConditionsUsers struct {
 	// A list of group IDs excluded from scope of policy.
 	ExcludedGroups []string `pulumi:"excludedGroups"`
+	// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+	ExcludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser `pulumi:"excludedGuestsOrExternalUsers"`
 	// A list of role IDs excluded from scope of policy.
 	ExcludedRoles []string `pulumi:"excludedRoles"`
 	// A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
 	ExcludedUsers []string `pulumi:"excludedUsers"`
 	// A list of group IDs in scope of policy unless explicitly excluded.
 	IncludedGroups []string `pulumi:"includedGroups"`
+	// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
+	IncludedGuestsOrExternalUsers []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser `pulumi:"includedGuestsOrExternalUsers"`
 	// A list of role IDs in scope of policy unless explicitly excluded.
 	IncludedRoles []string `pulumi:"includedRoles"`
 	// A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
 	//
-	// > At least one of `includedGroups`, `includedRoles` or `includedUsers` must be specified.
+	// > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
 	IncludedUsers []string `pulumi:"includedUsers"`
 }
 
@@ -5986,17 +5990,21 @@ type ConditionalAccessPolicyConditionsUsersInput interface {
 type ConditionalAccessPolicyConditionsUsersArgs struct {
 	// A list of group IDs excluded from scope of policy.
 	ExcludedGroups pulumi.StringArrayInput `pulumi:"excludedGroups"`
+	// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+	ExcludedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayInput `pulumi:"excludedGuestsOrExternalUsers"`
 	// A list of role IDs excluded from scope of policy.
 	ExcludedRoles pulumi.StringArrayInput `pulumi:"excludedRoles"`
 	// A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
 	ExcludedUsers pulumi.StringArrayInput `pulumi:"excludedUsers"`
 	// A list of group IDs in scope of policy unless explicitly excluded.
 	IncludedGroups pulumi.StringArrayInput `pulumi:"includedGroups"`
+	// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
+	IncludedGuestsOrExternalUsers ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayInput `pulumi:"includedGuestsOrExternalUsers"`
 	// A list of role IDs in scope of policy unless explicitly excluded.
 	IncludedRoles pulumi.StringArrayInput `pulumi:"includedRoles"`
 	// A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
 	//
-	// > At least one of `includedGroups`, `includedRoles` or `includedUsers` must be specified.
+	// > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
 	IncludedUsers pulumi.StringArrayInput `pulumi:"includedUsers"`
 }
 
@@ -6100,6 +6108,13 @@ func (o ConditionalAccessPolicyConditionsUsersOutput) ExcludedGroups() pulumi.St
 	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []string { return v.ExcludedGroups }).(pulumi.StringArrayOutput)
 }
 
+// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+func (o ConditionalAccessPolicyConditionsUsersOutput) ExcludedGuestsOrExternalUsers() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
+		return v.ExcludedGuestsOrExternalUsers
+	}).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput)
+}
+
 // A list of role IDs excluded from scope of policy.
 func (o ConditionalAccessPolicyConditionsUsersOutput) ExcludedRoles() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []string { return v.ExcludedRoles }).(pulumi.StringArrayOutput)
@@ -6115,6 +6130,13 @@ func (o ConditionalAccessPolicyConditionsUsersOutput) IncludedGroups() pulumi.St
 	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []string { return v.IncludedGroups }).(pulumi.StringArrayOutput)
 }
 
+// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
+func (o ConditionalAccessPolicyConditionsUsersOutput) IncludedGuestsOrExternalUsers() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
+		return v.IncludedGuestsOrExternalUsers
+	}).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput)
+}
+
 // A list of role IDs in scope of policy unless explicitly excluded.
 func (o ConditionalAccessPolicyConditionsUsersOutput) IncludedRoles() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []string { return v.IncludedRoles }).(pulumi.StringArrayOutput)
@@ -6122,7 +6144,7 @@ func (o ConditionalAccessPolicyConditionsUsersOutput) IncludedRoles() pulumi.Str
 
 // A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
 //
-// > At least one of `includedGroups`, `includedRoles` or `includedUsers` must be specified.
+// > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
 func (o ConditionalAccessPolicyConditionsUsersOutput) IncludedUsers() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsers) []string { return v.IncludedUsers }).(pulumi.StringArrayOutput)
 }
@@ -6167,6 +6189,16 @@ func (o ConditionalAccessPolicyConditionsUsersPtrOutput) ExcludedGroups() pulumi
 	}).(pulumi.StringArrayOutput)
 }
 
+// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+func (o ConditionalAccessPolicyConditionsUsersPtrOutput) ExcludedGuestsOrExternalUsers() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput {
+	return o.ApplyT(func(v *ConditionalAccessPolicyConditionsUsers) []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
+		if v == nil {
+			return nil
+		}
+		return v.ExcludedGuestsOrExternalUsers
+	}).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput)
+}
+
 // A list of role IDs excluded from scope of policy.
 func (o ConditionalAccessPolicyConditionsUsersPtrOutput) ExcludedRoles() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v *ConditionalAccessPolicyConditionsUsers) []string {
@@ -6197,6 +6229,16 @@ func (o ConditionalAccessPolicyConditionsUsersPtrOutput) IncludedGroups() pulumi
 	}).(pulumi.StringArrayOutput)
 }
 
+// A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
+func (o ConditionalAccessPolicyConditionsUsersPtrOutput) IncludedGuestsOrExternalUsers() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput {
+	return o.ApplyT(func(v *ConditionalAccessPolicyConditionsUsers) []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
+		if v == nil {
+			return nil
+		}
+		return v.IncludedGuestsOrExternalUsers
+	}).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput)
+}
+
 // A list of role IDs in scope of policy unless explicitly excluded.
 func (o ConditionalAccessPolicyConditionsUsersPtrOutput) IncludedRoles() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v *ConditionalAccessPolicyConditionsUsers) []string {
@@ -6209,7 +6251,7 @@ func (o ConditionalAccessPolicyConditionsUsersPtrOutput) IncludedRoles() pulumi.
 
 // A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
 //
-// > At least one of `includedGroups`, `includedRoles` or `includedUsers` must be specified.
+// > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
 func (o ConditionalAccessPolicyConditionsUsersPtrOutput) IncludedUsers() pulumi.StringArrayOutput {
 	return o.ApplyT(func(v *ConditionalAccessPolicyConditionsUsers) []string {
 		if v == nil {
@@ -6219,6 +6261,542 @@ func (o ConditionalAccessPolicyConditionsUsersPtrOutput) IncludedUsers() pulumi.
 	}).(pulumi.StringArrayOutput)
 }
 
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser struct {
+	// An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+	ExternalTenants []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant `pulumi:"externalTenants"`
+	// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+	GuestOrExternalUserTypes []string `pulumi:"guestOrExternalUserTypes"`
+}
+
+// ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserInput is an input type that accepts ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs and ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{...}
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs struct {
+	// An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+	ExternalTenants ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayInput `pulumi:"externalTenants"`
+	// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+	GuestOrExternalUserTypes pulumi.StringArrayInput `pulumi:"guestOrExternalUserTypes"`
+}
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutputWithContext(ctx).OutputState,
+	}
+}
+
+// ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayInput is an input type that accepts ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray and ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray{ ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{...} }
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserInput
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutputWithContext(ctx).OutputState,
+	}
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser]{
+		OutputState: o.OutputState,
+	}
+}
+
+// An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput) ExternalTenants() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser) []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
+		return v.ExternalTenants
+	}).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput)
+}
+
+// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput) GuestOrExternalUserTypes() pulumi.StringArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser) []string {
+		return v.GuestOrExternalUserTypes
+	}).(pulumi.StringArrayOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser]{
+		OutputState: o.OutputState,
+	}
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput) Index(i pulumi.IntInput) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput {
+	return pulumi.All(o, i).ApplyT(func(vs []interface{}) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
+		return vs[0].([]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser)[vs[1].(int)]
+	}).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant struct {
+	// A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+	Members []string `pulumi:"members"`
+	// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+	MembershipKind string `pulumi:"membershipKind"`
+}
+
+// ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantInput is an input type that accepts ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs and ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{...}
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs struct {
+	// A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+	Members pulumi.StringArrayInput `pulumi:"members"`
+	// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+	MembershipKind pulumi.StringInput `pulumi:"membershipKind"`
+}
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutputWithContext(ctx).OutputState,
+	}
+}
+
+// ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayInput is an input type that accepts ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray and ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray{ ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{...} }
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput
+	ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray []ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantInput
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(ctx).OutputState,
+	}
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant]{
+		OutputState: o.OutputState,
+	}
+}
+
+// A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput) Members() pulumi.StringArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant) []string {
+		return v.Members
+	}).(pulumi.StringArrayOutput)
+}
+
+// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput) MembershipKind() pulumi.StringOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant) string {
+		return v.MembershipKind
+	}).(pulumi.StringOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput() ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput) ToConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant]{
+		OutputState: o.OutputState,
+	}
+}
+
+func (o ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput) Index(i pulumi.IntInput) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput {
+	return pulumi.All(o, i).ApplyT(func(vs []interface{}) ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
+		return vs[0].([]ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant)[vs[1].(int)]
+	}).(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser struct {
+	// An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+	ExternalTenants []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant `pulumi:"externalTenants"`
+	// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+	GuestOrExternalUserTypes []string `pulumi:"guestOrExternalUserTypes"`
+}
+
+// ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserInput is an input type that accepts ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs and ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{...}
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs struct {
+	// An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+	ExternalTenants ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayInput `pulumi:"externalTenants"`
+	// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+	GuestOrExternalUserTypes pulumi.StringArrayInput `pulumi:"guestOrExternalUserTypes"`
+}
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutputWithContext(ctx).OutputState,
+	}
+}
+
+// ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayInput is an input type that accepts ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray and ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray{ ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{...} }
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserInput
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutputWithContext(ctx).OutputState,
+	}
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser]{
+		OutputState: o.OutputState,
+	}
+}
+
+// An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput) ExternalTenants() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser) []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
+		return v.ExternalTenants
+	}).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput)
+}
+
+// A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput) GuestOrExternalUserTypes() pulumi.StringArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser) []string {
+		return v.GuestOrExternalUserTypes
+	}).(pulumi.StringArrayOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser]{
+		OutputState: o.OutputState,
+	}
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput) Index(i pulumi.IntInput) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput {
+	return pulumi.All(o, i).ApplyT(func(vs []interface{}) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
+		return vs[0].([]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser)[vs[1].(int)]
+	}).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant struct {
+	// A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+	Members []string `pulumi:"members"`
+	// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+	MembershipKind string `pulumi:"membershipKind"`
+}
+
+// ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantInput is an input type that accepts ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs and ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{...}
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs struct {
+	// A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+	Members pulumi.StringArrayInput `pulumi:"members"`
+	// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+	MembershipKind pulumi.StringInput `pulumi:"membershipKind"`
+}
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutputWithContext(ctx).OutputState,
+	}
+}
+
+// ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayInput is an input type that accepts ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray and ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput values.
+// You can construct a concrete instance of `ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayInput` via:
+//
+//	ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray{ ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{...} }
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayInput interface {
+	pulumi.Input
+
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput
+	ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray []ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantInput
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(context.Background())
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return pulumi.ToOutputWithContext(ctx, i).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput)
+}
+
+func (i ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant]{
+		OutputState: i.ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(ctx).OutputState,
+	}
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput) ToOutput(ctx context.Context) pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant]{
+		OutputState: o.OutputState,
+	}
+}
+
+// A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput) Members() pulumi.StringArrayOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant) []string {
+		return v.Members
+	}).(pulumi.StringArrayOutput)
+}
+
+// The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput) MembershipKind() pulumi.StringOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant) string {
+		return v.MembershipKind
+	}).(pulumi.StringOutput)
+}
+
+type ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput struct{ *pulumi.OutputState }
+
+func (ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput) ElementType() reflect.Type {
+	return reflect.TypeOf((*[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant)(nil)).Elem()
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput() ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput) ToConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutputWithContext(ctx context.Context) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput {
+	return o
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput) ToOutput(ctx context.Context) pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant] {
+	return pulumix.Output[[]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant]{
+		OutputState: o.OutputState,
+	}
+}
+
+func (o ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput) Index(i pulumi.IntInput) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput {
+	return pulumi.All(o, i).ApplyT(func(vs []interface{}) ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
+		return vs[0].([]ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant)[vs[1].(int)]
+	}).(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput)
+}
+
 type ConditionalAccessPolicyGrantControls struct {
 	// ID of an Authentication Strength Policy to use in this policy.
 	AuthenticationStrengthPolicyId *string `pulumi:"authenticationStrengthPolicyId"`
@@ -6475,9 +7053,13 @@ type ConditionalAccessPolicySessionControls struct {
 	DisableResilienceDefaults *bool `pulumi:"disableResilienceDefaults"`
 	// Session control to define whether to persist cookies. Possible values are: `always` or `never`.
 	PersistentBrowserMode *string `pulumi:"persistentBrowserMode"`
-	// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+	// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
 	SignInFrequency *int `pulumi:"signInFrequency"`
-	// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+	// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+	SignInFrequencyAuthenticationType *string `pulumi:"signInFrequencyAuthenticationType"`
+	// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+	SignInFrequencyInterval *string `pulumi:"signInFrequencyInterval"`
+	// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
 	SignInFrequencyPeriod *string `pulumi:"signInFrequencyPeriod"`
 }
 
@@ -6503,9 +7085,13 @@ type ConditionalAccessPolicySessionControlsArgs struct {
 	DisableResilienceDefaults pulumi.BoolPtrInput `pulumi:"disableResilienceDefaults"`
 	// Session control to define whether to persist cookies. Possible values are: `always` or `never`.
 	PersistentBrowserMode pulumi.StringPtrInput `pulumi:"persistentBrowserMode"`
-	// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+	// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
 	SignInFrequency pulumi.IntPtrInput `pulumi:"signInFrequency"`
-	// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+	// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+	SignInFrequencyAuthenticationType pulumi.StringPtrInput `pulumi:"signInFrequencyAuthenticationType"`
+	// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+	SignInFrequencyInterval pulumi.StringPtrInput `pulumi:"signInFrequencyInterval"`
+	// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
 	SignInFrequencyPeriod pulumi.StringPtrInput `pulumi:"signInFrequencyPeriod"`
 }
 
@@ -6626,12 +7212,22 @@ func (o ConditionalAccessPolicySessionControlsOutput) PersistentBrowserMode() pu
 	return o.ApplyT(func(v ConditionalAccessPolicySessionControls) *string { return v.PersistentBrowserMode }).(pulumi.StringPtrOutput)
 }
 
-// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
 func (o ConditionalAccessPolicySessionControlsOutput) SignInFrequency() pulumi.IntPtrOutput {
 	return o.ApplyT(func(v ConditionalAccessPolicySessionControls) *int { return v.SignInFrequency }).(pulumi.IntPtrOutput)
 }
 
-// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+func (o ConditionalAccessPolicySessionControlsOutput) SignInFrequencyAuthenticationType() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicySessionControls) *string { return v.SignInFrequencyAuthenticationType }).(pulumi.StringPtrOutput)
+}
+
+// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+func (o ConditionalAccessPolicySessionControlsOutput) SignInFrequencyInterval() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v ConditionalAccessPolicySessionControls) *string { return v.SignInFrequencyInterval }).(pulumi.StringPtrOutput)
+}
+
+// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
 func (o ConditionalAccessPolicySessionControlsOutput) SignInFrequencyPeriod() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v ConditionalAccessPolicySessionControls) *string { return v.SignInFrequencyPeriod }).(pulumi.StringPtrOutput)
 }
@@ -6708,7 +7304,7 @@ func (o ConditionalAccessPolicySessionControlsPtrOutput) PersistentBrowserMode()
 	}).(pulumi.StringPtrOutput)
 }
 
-// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+// Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
 func (o ConditionalAccessPolicySessionControlsPtrOutput) SignInFrequency() pulumi.IntPtrOutput {
 	return o.ApplyT(func(v *ConditionalAccessPolicySessionControls) *int {
 		if v == nil {
@@ -6718,7 +7314,27 @@ func (o ConditionalAccessPolicySessionControlsPtrOutput) SignInFrequency() pulum
 	}).(pulumi.IntPtrOutput)
 }
 
-// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+// Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+func (o ConditionalAccessPolicySessionControlsPtrOutput) SignInFrequencyAuthenticationType() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *ConditionalAccessPolicySessionControls) *string {
+		if v == nil {
+			return nil
+		}
+		return v.SignInFrequencyAuthenticationType
+	}).(pulumi.StringPtrOutput)
+}
+
+// The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+func (o ConditionalAccessPolicySessionControlsPtrOutput) SignInFrequencyInterval() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *ConditionalAccessPolicySessionControls) *string {
+		if v == nil {
+			return nil
+		}
+		return v.SignInFrequencyInterval
+	}).(pulumi.StringPtrOutput)
+}
+
+// The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
 func (o ConditionalAccessPolicySessionControlsPtrOutput) SignInFrequencyPeriod() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v *ConditionalAccessPolicySessionControls) *string {
 		if v == nil {
@@ -12747,8 +13363,8 @@ func init() {
 	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationAppRoleTypeArrayInput)(nil)).Elem(), ApplicationAppRoleTypeArray{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationFeatureTagInput)(nil)).Elem(), ApplicationFeatureTagArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationFeatureTagArrayInput)(nil)).Elem(), ApplicationFeatureTagArray{})
-	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsInput)(nil)).Elem(), ApplicationOptionalClaimsArgs{})
-	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsPtrInput)(nil)).Elem(), ApplicationOptionalClaimsArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsTypeInput)(nil)).Elem(), ApplicationOptionalClaimsTypeArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsTypePtrInput)(nil)).Elem(), ApplicationOptionalClaimsTypeArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsAccessTokenInput)(nil)).Elem(), ApplicationOptionalClaimsAccessTokenArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsAccessTokenArrayInput)(nil)).Elem(), ApplicationOptionalClaimsAccessTokenArray{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ApplicationOptionalClaimsIdTokenInput)(nil)).Elem(), ApplicationOptionalClaimsIdTokenArgs{})
@@ -12783,6 +13399,14 @@ func init() {
 	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsPlatformsPtrInput)(nil)).Elem(), ConditionalAccessPolicyConditionsPlatformsArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersPtrInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArray{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArray{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArray{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs{})
+	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayInput)(nil)).Elem(), ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArray{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyGrantControlsInput)(nil)).Elem(), ConditionalAccessPolicyGrantControlsArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicyGrantControlsPtrInput)(nil)).Elem(), ConditionalAccessPolicyGrantControlsArgs{})
 	pulumi.RegisterInputType(reflect.TypeOf((*ConditionalAccessPolicySessionControlsInput)(nil)).Elem(), ConditionalAccessPolicySessionControlsArgs{})
@@ -12899,8 +13523,8 @@ func init() {
 	pulumi.RegisterOutputType(ApplicationAppRoleTypeArrayOutput{})
 	pulumi.RegisterOutputType(ApplicationFeatureTagOutput{})
 	pulumi.RegisterOutputType(ApplicationFeatureTagArrayOutput{})
-	pulumi.RegisterOutputType(ApplicationOptionalClaimsOutput{})
-	pulumi.RegisterOutputType(ApplicationOptionalClaimsPtrOutput{})
+	pulumi.RegisterOutputType(ApplicationOptionalClaimsTypeOutput{})
+	pulumi.RegisterOutputType(ApplicationOptionalClaimsTypePtrOutput{})
 	pulumi.RegisterOutputType(ApplicationOptionalClaimsAccessTokenOutput{})
 	pulumi.RegisterOutputType(ApplicationOptionalClaimsAccessTokenArrayOutput{})
 	pulumi.RegisterOutputType(ApplicationOptionalClaimsIdTokenOutput{})
@@ -12935,6 +13559,14 @@ func init() {
 	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsPlatformsPtrOutput{})
 	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersOutput{})
 	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersPtrOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArrayOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArrayOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArrayOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantOutput{})
+	pulumi.RegisterOutputType(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArrayOutput{})
 	pulumi.RegisterOutputType(ConditionalAccessPolicyGrantControlsOutput{})
 	pulumi.RegisterOutputType(ConditionalAccessPolicyGrantControlsPtrOutput{})
 	pulumi.RegisterOutputType(ConditionalAccessPolicySessionControlsOutput{})
diff --git a/sdk/go/azuread/servicePrincipal.go b/sdk/go/azuread/servicePrincipal.go
index f76673a14..67821462b 100644
--- a/sdk/go/azuread/servicePrincipal.go
+++ b/sdk/go/azuread/servicePrincipal.go
@@ -42,7 +42,7 @@ import (
 //				return err
 //			}
 //			_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
-//				ApplicationId:             exampleApplication.ApplicationId,
+//				ClientId:                  exampleApplication.ClientId,
 //				AppRoleAssignmentRequired: pulumi.Bool(false),
 //				Owners: pulumi.StringArray{
 //					*pulumi.String(current.ObjectId),
@@ -85,7 +85,7 @@ import (
 //				return err
 //			}
 //			_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
-//				ApplicationId:             exampleApplication.ApplicationId,
+//				ClientId:                  exampleApplication.ClientId,
 //				AppRoleAssignmentRequired: pulumi.Bool(false),
 //				Owners: pulumi.StringArray{
 //					*pulumi.String(current.ObjectId),
@@ -125,8 +125,8 @@ import (
 //				return err
 //			}
 //			_, err = azuread.NewServicePrincipal(ctx, "msgraph", &azuread.ServicePrincipalArgs{
-//				ApplicationId: *pulumi.String(wellKnown.Result.MicrosoftGraph),
-//				UseExisting:   pulumi.Bool(true),
+//				ClientId:    *pulumi.String(wellKnown.Result.MicrosoftGraph),
+//				UseExisting: pulumi.Bool(true),
 //			})
 //			if err != nil {
 //				return err
@@ -165,8 +165,8 @@ import (
 //				return err
 //			}
 //			_, err = azuread.NewServicePrincipal(ctx, "exampleServicePrincipal", &azuread.ServicePrincipalArgs{
-//				ApplicationId: exampleApplication.ApplicationId,
-//				UseExisting:   pulumi.Bool(true),
+//				ClientId:    exampleApplication.ClientId,
+//				UseExisting: pulumi.Bool(true),
 //			})
 //			if err != nil {
 //				return err
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaims.java b/sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaims.java
new file mode 100644
index 000000000..ed6b86905
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaims.java
@@ -0,0 +1,197 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread;
+
+import com.pulumi.azuread.ApplicationOptionalClaimsArgs;
+import com.pulumi.azuread.Utilities;
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsState;
+import com.pulumi.azuread.outputs.ApplicationOptionalClaimsAccessToken;
+import com.pulumi.azuread.outputs.ApplicationOptionalClaimsIdToken;
+import com.pulumi.azuread.outputs.ApplicationOptionalClaimsSaml2Token;
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Export;
+import com.pulumi.core.annotations.ResourceType;
+import com.pulumi.core.internal.Codegen;
+import java.lang.String;
+import java.util.List;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+/**
+ * ## Example Usage
+ * ```java
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.azuread.ApplicationRegistration;
+ * import com.pulumi.azuread.ApplicationRegistrationArgs;
+ * import com.pulumi.azuread.ApplicationOptionalClaims;
+ * import com.pulumi.azuread.ApplicationOptionalClaimsArgs;
+ * import com.pulumi.azuread.inputs.ApplicationOptionalClaimsAccessTokenArgs;
+ * import com.pulumi.azuread.inputs.ApplicationOptionalClaimsIdTokenArgs;
+ * import com.pulumi.azuread.inputs.ApplicationOptionalClaimsSaml2TokenArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var exampleApplicationRegistration = new ApplicationRegistration(&#34;exampleApplicationRegistration&#34;, ApplicationRegistrationArgs.builder()        
+ *             .displayName(&#34;example&#34;)
+ *             .build());
+ * 
+ *         var exampleApplicationOptionalClaims = new ApplicationOptionalClaims(&#34;exampleApplicationOptionalClaims&#34;, ApplicationOptionalClaimsArgs.builder()        
+ *             .applicationId(exampleApplicationRegistration.id())
+ *             .accessTokens(            
+ *                 ApplicationOptionalClaimsAccessTokenArgs.builder()
+ *                     .name(&#34;myclaim&#34;)
+ *                     .build(),
+ *                 ApplicationOptionalClaimsAccessTokenArgs.builder()
+ *                     .name(&#34;otherclaim&#34;)
+ *                     .build())
+ *             .idTokens(ApplicationOptionalClaimsIdTokenArgs.builder()
+ *                 .name(&#34;userclaim&#34;)
+ *                 .source(&#34;user&#34;)
+ *                 .essential(true)
+ *                 .additionalProperties(&#34;emit_as_roles&#34;)
+ *                 .build())
+ *             .saml2Tokens(ApplicationOptionalClaimsSaml2TokenArgs.builder()
+ *                 .name(&#34;samlexample&#34;)
+ *                 .build())
+ *             .build());
+ * 
+ *     }
+ * }
+ * ```
+ * 
+ * ## Import
+ * 
+ * Application Optional Claims can be imported using the object ID of the application, in the following format.
+ * 
+ * ```sh
+ *  $ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000
+ * ```
+ * 
+ */
+@ResourceType(type="azuread:index/applicationOptionalClaims:ApplicationOptionalClaims")
+public class ApplicationOptionalClaims extends com.pulumi.resources.CustomResource {
+    /**
+     * One or more `access_token` blocks as documented below.
+     * 
+     */
+    @Export(name="accessTokens", refs={List.class,ApplicationOptionalClaimsAccessToken.class}, tree="[0,1]")
+    private Output</* @Nullable */ List<ApplicationOptionalClaimsAccessToken>> accessTokens;
+
+    /**
+     * @return One or more `access_token` blocks as documented below.
+     * 
+     */
+    public Output<Optional<List<ApplicationOptionalClaimsAccessToken>>> accessTokens() {
+        return Codegen.optional(this.accessTokens);
+    }
+    /**
+     * The resource ID of the application registration. Changing this forces a new resource to be created.
+     * 
+     */
+    @Export(name="applicationId", refs={String.class}, tree="[0]")
+    private Output<String> applicationId;
+
+    /**
+     * @return The resource ID of the application registration. Changing this forces a new resource to be created.
+     * 
+     */
+    public Output<String> applicationId() {
+        return this.applicationId;
+    }
+    /**
+     * One or more `id_token` blocks as documented below.
+     * 
+     */
+    @Export(name="idTokens", refs={List.class,ApplicationOptionalClaimsIdToken.class}, tree="[0,1]")
+    private Output</* @Nullable */ List<ApplicationOptionalClaimsIdToken>> idTokens;
+
+    /**
+     * @return One or more `id_token` blocks as documented below.
+     * 
+     */
+    public Output<Optional<List<ApplicationOptionalClaimsIdToken>>> idTokens() {
+        return Codegen.optional(this.idTokens);
+    }
+    /**
+     * One or more `saml2_token` blocks as documented below.
+     * 
+     * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+     * 
+     */
+    @Export(name="saml2Tokens", refs={List.class,ApplicationOptionalClaimsSaml2Token.class}, tree="[0,1]")
+    private Output</* @Nullable */ List<ApplicationOptionalClaimsSaml2Token>> saml2Tokens;
+
+    /**
+     * @return One or more `saml2_token` blocks as documented below.
+     * 
+     * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+     * 
+     */
+    public Output<Optional<List<ApplicationOptionalClaimsSaml2Token>>> saml2Tokens() {
+        return Codegen.optional(this.saml2Tokens);
+    }
+
+    /**
+     *
+     * @param name The _unique_ name of the resulting resource.
+     */
+    public ApplicationOptionalClaims(String name) {
+        this(name, ApplicationOptionalClaimsArgs.Empty);
+    }
+    /**
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param args The arguments to use to populate this resource's properties.
+     */
+    public ApplicationOptionalClaims(String name, ApplicationOptionalClaimsArgs args) {
+        this(name, args, null);
+    }
+    /**
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param options A bag of options that control this resource's behavior.
+     */
+    public ApplicationOptionalClaims(String name, ApplicationOptionalClaimsArgs args, @Nullable com.pulumi.resources.CustomResourceOptions options) {
+        super("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims", name, args == null ? ApplicationOptionalClaimsArgs.Empty : args, makeResourceOptions(options, Codegen.empty()));
+    }
+
+    private ApplicationOptionalClaims(String name, Output<String> id, @Nullable ApplicationOptionalClaimsState state, @Nullable com.pulumi.resources.CustomResourceOptions options) {
+        super("azuread:index/applicationOptionalClaims:ApplicationOptionalClaims", name, state, makeResourceOptions(options, id));
+    }
+
+    private static com.pulumi.resources.CustomResourceOptions makeResourceOptions(@Nullable com.pulumi.resources.CustomResourceOptions options, @Nullable Output<String> id) {
+        var defaultOptions = com.pulumi.resources.CustomResourceOptions.builder()
+            .version(Utilities.getVersion())
+            .build();
+        return com.pulumi.resources.CustomResourceOptions.merge(defaultOptions, options, id);
+    }
+
+    /**
+     * Get an existing Host resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state
+     * @param options Optional settings to control the behavior of the CustomResource.
+     */
+    public static ApplicationOptionalClaims get(String name, Output<String> id, @Nullable ApplicationOptionalClaimsState state, @Nullable com.pulumi.resources.CustomResourceOptions options) {
+        return new ApplicationOptionalClaims(name, id, state, options);
+    }
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaimsArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaimsArgs.java
new file mode 100644
index 000000000..6a1897316
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/ApplicationOptionalClaimsArgs.java
@@ -0,0 +1,239 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread;
+
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsAccessTokenArgs;
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsIdTokenArgs;
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsSaml2TokenArgs;
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Import;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+
+public final class ApplicationOptionalClaimsArgs extends com.pulumi.resources.ResourceArgs {
+
+    public static final ApplicationOptionalClaimsArgs Empty = new ApplicationOptionalClaimsArgs();
+
+    /**
+     * One or more `access_token` blocks as documented below.
+     * 
+     */
+    @Import(name="accessTokens")
+    private @Nullable Output<List<ApplicationOptionalClaimsAccessTokenArgs>> accessTokens;
+
+    /**
+     * @return One or more `access_token` blocks as documented below.
+     * 
+     */
+    public Optional<Output<List<ApplicationOptionalClaimsAccessTokenArgs>>> accessTokens() {
+        return Optional.ofNullable(this.accessTokens);
+    }
+
+    /**
+     * The resource ID of the application registration. Changing this forces a new resource to be created.
+     * 
+     */
+    @Import(name="applicationId", required=true)
+    private Output<String> applicationId;
+
+    /**
+     * @return The resource ID of the application registration. Changing this forces a new resource to be created.
+     * 
+     */
+    public Output<String> applicationId() {
+        return this.applicationId;
+    }
+
+    /**
+     * One or more `id_token` blocks as documented below.
+     * 
+     */
+    @Import(name="idTokens")
+    private @Nullable Output<List<ApplicationOptionalClaimsIdTokenArgs>> idTokens;
+
+    /**
+     * @return One or more `id_token` blocks as documented below.
+     * 
+     */
+    public Optional<Output<List<ApplicationOptionalClaimsIdTokenArgs>>> idTokens() {
+        return Optional.ofNullable(this.idTokens);
+    }
+
+    /**
+     * One or more `saml2_token` blocks as documented below.
+     * 
+     * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+     * 
+     */
+    @Import(name="saml2Tokens")
+    private @Nullable Output<List<ApplicationOptionalClaimsSaml2TokenArgs>> saml2Tokens;
+
+    /**
+     * @return One or more `saml2_token` blocks as documented below.
+     * 
+     * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+     * 
+     */
+    public Optional<Output<List<ApplicationOptionalClaimsSaml2TokenArgs>>> saml2Tokens() {
+        return Optional.ofNullable(this.saml2Tokens);
+    }
+
+    private ApplicationOptionalClaimsArgs() {}
+
+    private ApplicationOptionalClaimsArgs(ApplicationOptionalClaimsArgs $) {
+        this.accessTokens = $.accessTokens;
+        this.applicationId = $.applicationId;
+        this.idTokens = $.idTokens;
+        this.saml2Tokens = $.saml2Tokens;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+    public static Builder builder(ApplicationOptionalClaimsArgs defaults) {
+        return new Builder(defaults);
+    }
+
+    public static final class Builder {
+        private ApplicationOptionalClaimsArgs $;
+
+        public Builder() {
+            $ = new ApplicationOptionalClaimsArgs();
+        }
+
+        public Builder(ApplicationOptionalClaimsArgs defaults) {
+            $ = new ApplicationOptionalClaimsArgs(Objects.requireNonNull(defaults));
+        }
+
+        /**
+         * @param accessTokens One or more `access_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder accessTokens(@Nullable Output<List<ApplicationOptionalClaimsAccessTokenArgs>> accessTokens) {
+            $.accessTokens = accessTokens;
+            return this;
+        }
+
+        /**
+         * @param accessTokens One or more `access_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder accessTokens(List<ApplicationOptionalClaimsAccessTokenArgs> accessTokens) {
+            return accessTokens(Output.of(accessTokens));
+        }
+
+        /**
+         * @param accessTokens One or more `access_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder accessTokens(ApplicationOptionalClaimsAccessTokenArgs... accessTokens) {
+            return accessTokens(List.of(accessTokens));
+        }
+
+        /**
+         * @param applicationId The resource ID of the application registration. Changing this forces a new resource to be created.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder applicationId(Output<String> applicationId) {
+            $.applicationId = applicationId;
+            return this;
+        }
+
+        /**
+         * @param applicationId The resource ID of the application registration. Changing this forces a new resource to be created.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder applicationId(String applicationId) {
+            return applicationId(Output.of(applicationId));
+        }
+
+        /**
+         * @param idTokens One or more `id_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder idTokens(@Nullable Output<List<ApplicationOptionalClaimsIdTokenArgs>> idTokens) {
+            $.idTokens = idTokens;
+            return this;
+        }
+
+        /**
+         * @param idTokens One or more `id_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder idTokens(List<ApplicationOptionalClaimsIdTokenArgs> idTokens) {
+            return idTokens(Output.of(idTokens));
+        }
+
+        /**
+         * @param idTokens One or more `id_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder idTokens(ApplicationOptionalClaimsIdTokenArgs... idTokens) {
+            return idTokens(List.of(idTokens));
+        }
+
+        /**
+         * @param saml2Tokens One or more `saml2_token` blocks as documented below.
+         * 
+         * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+         * 
+         * @return builder
+         * 
+         */
+        public Builder saml2Tokens(@Nullable Output<List<ApplicationOptionalClaimsSaml2TokenArgs>> saml2Tokens) {
+            $.saml2Tokens = saml2Tokens;
+            return this;
+        }
+
+        /**
+         * @param saml2Tokens One or more `saml2_token` blocks as documented below.
+         * 
+         * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+         * 
+         * @return builder
+         * 
+         */
+        public Builder saml2Tokens(List<ApplicationOptionalClaimsSaml2TokenArgs> saml2Tokens) {
+            return saml2Tokens(Output.of(saml2Tokens));
+        }
+
+        /**
+         * @param saml2Tokens One or more `saml2_token` blocks as documented below.
+         * 
+         * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+         * 
+         * @return builder
+         * 
+         */
+        public Builder saml2Tokens(ApplicationOptionalClaimsSaml2TokenArgs... saml2Tokens) {
+            return saml2Tokens(List.of(saml2Tokens));
+        }
+
+        public ApplicationOptionalClaimsArgs build() {
+            $.applicationId = Objects.requireNonNull($.applicationId, "expected parameter 'applicationId' to be non-null");
+            return $;
+        }
+    }
+
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/AzureadFunctions.java b/sdk/java/src/main/java/com/pulumi/azuread/AzureadFunctions.java
index ee8d117ae..2a94bea56 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/AzureadFunctions.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/AzureadFunctions.java
@@ -2275,7 +2275,7 @@ public static CompletableFuture<GetApplicationResult> getApplicationPlain(GetApp
      *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
      * 
      *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
-     *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+     *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
      *             .useExisting(true)
      *             .build());
      * 
@@ -2369,7 +2369,7 @@ public static Output<GetApplicationPublishedAppIdsResult> getApplicationPublishe
      *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
      * 
      *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
-     *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+     *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
      *             .useExisting(true)
      *             .build());
      * 
@@ -2463,7 +2463,7 @@ public static CompletableFuture<GetApplicationPublishedAppIdsResult> getApplicat
      *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
      * 
      *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
-     *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+     *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
      *             .useExisting(true)
      *             .build());
      * 
@@ -2557,7 +2557,7 @@ public static Output<GetApplicationPublishedAppIdsResult> getApplicationPublishe
      *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
      * 
      *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
-     *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+     *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
      *             .useExisting(true)
      *             .build());
      * 
@@ -2651,7 +2651,7 @@ public static CompletableFuture<GetApplicationPublishedAppIdsResult> getApplicat
      *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
      * 
      *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
-     *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+     *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
      *             .useExisting(true)
      *             .build());
      * 
@@ -2745,7 +2745,7 @@ public static Output<GetApplicationPublishedAppIdsResult> getApplicationPublishe
      *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
      * 
      *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
-     *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+     *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
      *             .useExisting(true)
      *             .build());
      * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/ServicePrincipal.java b/sdk/java/src/main/java/com/pulumi/azuread/ServicePrincipal.java
index 3321ba4fc..ee27d5623 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/ServicePrincipal.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/ServicePrincipal.java
@@ -58,7 +58,7 @@
  *             .build());
  * 
  *         var exampleServicePrincipal = new ServicePrincipal(&#34;exampleServicePrincipal&#34;, ServicePrincipalArgs.builder()        
- *             .applicationId(exampleApplication.applicationId())
+ *             .clientId(exampleApplication.clientId())
  *             .appRoleAssignmentRequired(false)
  *             .owners(current.applyValue(getClientConfigResult -&gt; getClientConfigResult.objectId()))
  *             .build());
@@ -101,7 +101,7 @@
  *             .build());
  * 
  *         var exampleServicePrincipal = new ServicePrincipal(&#34;exampleServicePrincipal&#34;, ServicePrincipalArgs.builder()        
- *             .applicationId(exampleApplication.applicationId())
+ *             .clientId(exampleApplication.clientId())
  *             .appRoleAssignmentRequired(false)
  *             .owners(current.applyValue(getClientConfigResult -&gt; getClientConfigResult.objectId()))
  *             .featureTags(ServicePrincipalFeatureTagArgs.builder()
@@ -140,7 +140,7 @@
  *         final var wellKnown = AzureadFunctions.getApplicationPublishedAppIds();
  * 
  *         var msgraph = new ServicePrincipal(&#34;msgraph&#34;, ServicePrincipalArgs.builder()        
- *             .applicationId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
+ *             .clientId(wellKnown.applyValue(getApplicationPublishedAppIdsResult -&gt; getApplicationPublishedAppIdsResult.result().MicrosoftGraph()))
  *             .useExisting(true)
  *             .build());
  * 
@@ -184,7 +184,7 @@
  *             .build());
  * 
  *         var exampleServicePrincipal = new ServicePrincipal(&#34;exampleServicePrincipal&#34;, ServicePrincipalArgs.builder()        
- *             .applicationId(exampleApplication.applicationId())
+ *             .clientId(exampleApplication.clientId())
  *             .useExisting(true)
  *             .build());
  * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsAccessTokenArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsAccessTokenArgs.java
index b9457b93d..8288e7a3b 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsAccessTokenArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsAccessTokenArgs.java
@@ -18,14 +18,14 @@ public final class ApplicationOptionalClaimsAccessTokenArgs extends com.pulumi.r
     public static final ApplicationOptionalClaimsAccessTokenArgs Empty = new ApplicationOptionalClaimsAccessTokenArgs();
 
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     @Import(name="additionalProperties")
     private @Nullable Output<List<String>> additionalProperties;
 
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     public Optional<Output<List<String>>> additionalProperties() {
@@ -105,7 +105,7 @@ public Builder(ApplicationOptionalClaimsAccessTokenArgs defaults) {
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
@@ -116,7 +116,7 @@ public Builder additionalProperties(@Nullable Output<List<String>> additionalPro
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
@@ -126,7 +126,7 @@ public Builder additionalProperties(List<String> additionalProperties) {
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsIdTokenArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsIdTokenArgs.java
index c50626cd2..a2fea0f75 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsIdTokenArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsIdTokenArgs.java
@@ -18,14 +18,14 @@ public final class ApplicationOptionalClaimsIdTokenArgs extends com.pulumi.resou
     public static final ApplicationOptionalClaimsIdTokenArgs Empty = new ApplicationOptionalClaimsIdTokenArgs();
 
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     @Import(name="additionalProperties")
     private @Nullable Output<List<String>> additionalProperties;
 
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     public Optional<Output<List<String>>> additionalProperties() {
@@ -105,7 +105,7 @@ public Builder(ApplicationOptionalClaimsIdTokenArgs defaults) {
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
@@ -116,7 +116,7 @@ public Builder additionalProperties(@Nullable Output<List<String>> additionalPro
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
@@ -126,7 +126,7 @@ public Builder additionalProperties(List<String> additionalProperties) {
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsSaml2TokenArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsSaml2TokenArgs.java
index 7dd0f6fc0..016aea3cb 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsSaml2TokenArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsSaml2TokenArgs.java
@@ -18,14 +18,14 @@ public final class ApplicationOptionalClaimsSaml2TokenArgs extends com.pulumi.re
     public static final ApplicationOptionalClaimsSaml2TokenArgs Empty = new ApplicationOptionalClaimsSaml2TokenArgs();
 
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     @Import(name="additionalProperties")
     private @Nullable Output<List<String>> additionalProperties;
 
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     public Optional<Output<List<String>>> additionalProperties() {
@@ -105,7 +105,7 @@ public Builder(ApplicationOptionalClaimsSaml2TokenArgs defaults) {
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
@@ -116,7 +116,7 @@ public Builder additionalProperties(@Nullable Output<List<String>> additionalPro
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
@@ -126,7 +126,7 @@ public Builder additionalProperties(List<String> additionalProperties) {
         }
 
         /**
-         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+         * @param additionalProperties List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
          * 
          * @return builder
          * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsState.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsState.java
new file mode 100644
index 000000000..aeec20b2e
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ApplicationOptionalClaimsState.java
@@ -0,0 +1,238 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.inputs;
+
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsAccessTokenArgs;
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsIdTokenArgs;
+import com.pulumi.azuread.inputs.ApplicationOptionalClaimsSaml2TokenArgs;
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Import;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+
+public final class ApplicationOptionalClaimsState extends com.pulumi.resources.ResourceArgs {
+
+    public static final ApplicationOptionalClaimsState Empty = new ApplicationOptionalClaimsState();
+
+    /**
+     * One or more `access_token` blocks as documented below.
+     * 
+     */
+    @Import(name="accessTokens")
+    private @Nullable Output<List<ApplicationOptionalClaimsAccessTokenArgs>> accessTokens;
+
+    /**
+     * @return One or more `access_token` blocks as documented below.
+     * 
+     */
+    public Optional<Output<List<ApplicationOptionalClaimsAccessTokenArgs>>> accessTokens() {
+        return Optional.ofNullable(this.accessTokens);
+    }
+
+    /**
+     * The resource ID of the application registration. Changing this forces a new resource to be created.
+     * 
+     */
+    @Import(name="applicationId")
+    private @Nullable Output<String> applicationId;
+
+    /**
+     * @return The resource ID of the application registration. Changing this forces a new resource to be created.
+     * 
+     */
+    public Optional<Output<String>> applicationId() {
+        return Optional.ofNullable(this.applicationId);
+    }
+
+    /**
+     * One or more `id_token` blocks as documented below.
+     * 
+     */
+    @Import(name="idTokens")
+    private @Nullable Output<List<ApplicationOptionalClaimsIdTokenArgs>> idTokens;
+
+    /**
+     * @return One or more `id_token` blocks as documented below.
+     * 
+     */
+    public Optional<Output<List<ApplicationOptionalClaimsIdTokenArgs>>> idTokens() {
+        return Optional.ofNullable(this.idTokens);
+    }
+
+    /**
+     * One or more `saml2_token` blocks as documented below.
+     * 
+     * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+     * 
+     */
+    @Import(name="saml2Tokens")
+    private @Nullable Output<List<ApplicationOptionalClaimsSaml2TokenArgs>> saml2Tokens;
+
+    /**
+     * @return One or more `saml2_token` blocks as documented below.
+     * 
+     * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+     * 
+     */
+    public Optional<Output<List<ApplicationOptionalClaimsSaml2TokenArgs>>> saml2Tokens() {
+        return Optional.ofNullable(this.saml2Tokens);
+    }
+
+    private ApplicationOptionalClaimsState() {}
+
+    private ApplicationOptionalClaimsState(ApplicationOptionalClaimsState $) {
+        this.accessTokens = $.accessTokens;
+        this.applicationId = $.applicationId;
+        this.idTokens = $.idTokens;
+        this.saml2Tokens = $.saml2Tokens;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+    public static Builder builder(ApplicationOptionalClaimsState defaults) {
+        return new Builder(defaults);
+    }
+
+    public static final class Builder {
+        private ApplicationOptionalClaimsState $;
+
+        public Builder() {
+            $ = new ApplicationOptionalClaimsState();
+        }
+
+        public Builder(ApplicationOptionalClaimsState defaults) {
+            $ = new ApplicationOptionalClaimsState(Objects.requireNonNull(defaults));
+        }
+
+        /**
+         * @param accessTokens One or more `access_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder accessTokens(@Nullable Output<List<ApplicationOptionalClaimsAccessTokenArgs>> accessTokens) {
+            $.accessTokens = accessTokens;
+            return this;
+        }
+
+        /**
+         * @param accessTokens One or more `access_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder accessTokens(List<ApplicationOptionalClaimsAccessTokenArgs> accessTokens) {
+            return accessTokens(Output.of(accessTokens));
+        }
+
+        /**
+         * @param accessTokens One or more `access_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder accessTokens(ApplicationOptionalClaimsAccessTokenArgs... accessTokens) {
+            return accessTokens(List.of(accessTokens));
+        }
+
+        /**
+         * @param applicationId The resource ID of the application registration. Changing this forces a new resource to be created.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder applicationId(@Nullable Output<String> applicationId) {
+            $.applicationId = applicationId;
+            return this;
+        }
+
+        /**
+         * @param applicationId The resource ID of the application registration. Changing this forces a new resource to be created.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder applicationId(String applicationId) {
+            return applicationId(Output.of(applicationId));
+        }
+
+        /**
+         * @param idTokens One or more `id_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder idTokens(@Nullable Output<List<ApplicationOptionalClaimsIdTokenArgs>> idTokens) {
+            $.idTokens = idTokens;
+            return this;
+        }
+
+        /**
+         * @param idTokens One or more `id_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder idTokens(List<ApplicationOptionalClaimsIdTokenArgs> idTokens) {
+            return idTokens(Output.of(idTokens));
+        }
+
+        /**
+         * @param idTokens One or more `id_token` blocks as documented below.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder idTokens(ApplicationOptionalClaimsIdTokenArgs... idTokens) {
+            return idTokens(List.of(idTokens));
+        }
+
+        /**
+         * @param saml2Tokens One or more `saml2_token` blocks as documented below.
+         * 
+         * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+         * 
+         * @return builder
+         * 
+         */
+        public Builder saml2Tokens(@Nullable Output<List<ApplicationOptionalClaimsSaml2TokenArgs>> saml2Tokens) {
+            $.saml2Tokens = saml2Tokens;
+            return this;
+        }
+
+        /**
+         * @param saml2Tokens One or more `saml2_token` blocks as documented below.
+         * 
+         * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+         * 
+         * @return builder
+         * 
+         */
+        public Builder saml2Tokens(List<ApplicationOptionalClaimsSaml2TokenArgs> saml2Tokens) {
+            return saml2Tokens(Output.of(saml2Tokens));
+        }
+
+        /**
+         * @param saml2Tokens One or more `saml2_token` blocks as documented below.
+         * 
+         * &gt; At least one of `access_token`, `id_token` or `saml2_token` must be specified
+         * 
+         * @return builder
+         * 
+         */
+        public Builder saml2Tokens(ApplicationOptionalClaimsSaml2TokenArgs... saml2Tokens) {
+            return saml2Tokens(List.of(saml2Tokens));
+        }
+
+        public ApplicationOptionalClaimsState build() {
+            return $;
+        }
+    }
+
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsDevicesArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsDevicesArgs.java
index 0705af1e4..753b3fc50 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsDevicesArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsDevicesArgs.java
@@ -16,14 +16,14 @@ public final class ConditionalAccessPolicyConditionsDevicesArgs extends com.pulu
     public static final ConditionalAccessPolicyConditionsDevicesArgs Empty = new ConditionalAccessPolicyConditionsDevicesArgs();
 
     /**
-     * A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+     * A `filter` block as described below.
      * 
      */
     @Import(name="filter")
     private @Nullable Output<ConditionalAccessPolicyConditionsDevicesFilterArgs> filter;
 
     /**
-     * @return A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+     * @return A `filter` block as described below.
      * 
      */
     public Optional<Output<ConditionalAccessPolicyConditionsDevicesFilterArgs>> filter() {
@@ -55,7 +55,7 @@ public Builder(ConditionalAccessPolicyConditionsDevicesArgs defaults) {
         }
 
         /**
-         * @param filter A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+         * @param filter A `filter` block as described below.
          * 
          * @return builder
          * 
@@ -66,7 +66,7 @@ public Builder filter(@Nullable Output<ConditionalAccessPolicyConditionsDevicesF
         }
 
         /**
-         * @param filter A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+         * @param filter A `filter` block as described below.
          * 
          * @return builder
          * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersArgs.java
index 96857ba15..4db965bde 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersArgs.java
@@ -3,6 +3,8 @@
 
 package com.pulumi.azuread.inputs;
 
+import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs;
+import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs;
 import com.pulumi.core.Output;
 import com.pulumi.core.annotations.Import;
 import java.lang.String;
@@ -31,6 +33,21 @@ public Optional<Output<List<String>>> excludedGroups() {
         return Optional.ofNullable(this.excludedGroups);
     }
 
+    /**
+     * A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+     * 
+     */
+    @Import(name="excludedGuestsOrExternalUsers")
+    private @Nullable Output<List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs>> excludedGuestsOrExternalUsers;
+
+    /**
+     * @return A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+     * 
+     */
+    public Optional<Output<List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs>>> excludedGuestsOrExternalUsers() {
+        return Optional.ofNullable(this.excludedGuestsOrExternalUsers);
+    }
+
     /**
      * A list of role IDs excluded from scope of policy.
      * 
@@ -76,6 +93,21 @@ public Optional<Output<List<String>>> includedGroups() {
         return Optional.ofNullable(this.includedGroups);
     }
 
+    /**
+     * A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+     * 
+     */
+    @Import(name="includedGuestsOrExternalUsers")
+    private @Nullable Output<List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs>> includedGuestsOrExternalUsers;
+
+    /**
+     * @return A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+     * 
+     */
+    public Optional<Output<List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs>>> includedGuestsOrExternalUsers() {
+        return Optional.ofNullable(this.includedGuestsOrExternalUsers);
+    }
+
     /**
      * A list of role IDs in scope of policy unless explicitly excluded.
      * 
@@ -94,7 +126,7 @@ public Optional<Output<List<String>>> includedRoles() {
     /**
      * A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
      * 
-     * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+     * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
      * 
      */
     @Import(name="includedUsers")
@@ -103,7 +135,7 @@ public Optional<Output<List<String>>> includedRoles() {
     /**
      * @return A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
      * 
-     * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+     * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
      * 
      */
     public Optional<Output<List<String>>> includedUsers() {
@@ -114,9 +146,11 @@ private ConditionalAccessPolicyConditionsUsersArgs() {}
 
     private ConditionalAccessPolicyConditionsUsersArgs(ConditionalAccessPolicyConditionsUsersArgs $) {
         this.excludedGroups = $.excludedGroups;
+        this.excludedGuestsOrExternalUsers = $.excludedGuestsOrExternalUsers;
         this.excludedRoles = $.excludedRoles;
         this.excludedUsers = $.excludedUsers;
         this.includedGroups = $.includedGroups;
+        this.includedGuestsOrExternalUsers = $.includedGuestsOrExternalUsers;
         this.includedRoles = $.includedRoles;
         this.includedUsers = $.includedUsers;
     }
@@ -170,6 +204,37 @@ public Builder excludedGroups(String... excludedGroups) {
             return excludedGroups(List.of(excludedGroups));
         }
 
+        /**
+         * @param excludedGuestsOrExternalUsers A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder excludedGuestsOrExternalUsers(@Nullable Output<List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs>> excludedGuestsOrExternalUsers) {
+            $.excludedGuestsOrExternalUsers = excludedGuestsOrExternalUsers;
+            return this;
+        }
+
+        /**
+         * @param excludedGuestsOrExternalUsers A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder excludedGuestsOrExternalUsers(List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs> excludedGuestsOrExternalUsers) {
+            return excludedGuestsOrExternalUsers(Output.of(excludedGuestsOrExternalUsers));
+        }
+
+        /**
+         * @param excludedGuestsOrExternalUsers A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder excludedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs... excludedGuestsOrExternalUsers) {
+            return excludedGuestsOrExternalUsers(List.of(excludedGuestsOrExternalUsers));
+        }
+
         /**
          * @param excludedRoles A list of role IDs excluded from scope of policy.
          * 
@@ -263,6 +328,37 @@ public Builder includedGroups(String... includedGroups) {
             return includedGroups(List.of(includedGroups));
         }
 
+        /**
+         * @param includedGuestsOrExternalUsers A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder includedGuestsOrExternalUsers(@Nullable Output<List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs>> includedGuestsOrExternalUsers) {
+            $.includedGuestsOrExternalUsers = includedGuestsOrExternalUsers;
+            return this;
+        }
+
+        /**
+         * @param includedGuestsOrExternalUsers A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder includedGuestsOrExternalUsers(List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs> includedGuestsOrExternalUsers) {
+            return includedGuestsOrExternalUsers(Output.of(includedGuestsOrExternalUsers));
+        }
+
+        /**
+         * @param includedGuestsOrExternalUsers A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder includedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs... includedGuestsOrExternalUsers) {
+            return includedGuestsOrExternalUsers(List.of(includedGuestsOrExternalUsers));
+        }
+
         /**
          * @param includedRoles A list of role IDs in scope of policy unless explicitly excluded.
          * 
@@ -297,7 +393,7 @@ public Builder includedRoles(String... includedRoles) {
         /**
          * @param includedUsers A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
          * 
-         * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+         * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
          * 
          * @return builder
          * 
@@ -310,7 +406,7 @@ public Builder includedUsers(@Nullable Output<List<String>> includedUsers) {
         /**
          * @param includedUsers A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
          * 
-         * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+         * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
          * 
          * @return builder
          * 
@@ -322,7 +418,7 @@ public Builder includedUsers(List<String> includedUsers) {
         /**
          * @param includedUsers A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
          * 
-         * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+         * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
          * 
          * @return builder
          * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.java
new file mode 100644
index 000000000..cd1b4191c
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs.java
@@ -0,0 +1,143 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.inputs;
+
+import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs;
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Import;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+
+public final class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs extends com.pulumi.resources.ResourceArgs {
+
+    public static final ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs Empty = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs();
+
+    /**
+     * An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    @Import(name="externalTenants")
+    private @Nullable Output<List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs>> externalTenants;
+
+    /**
+     * @return An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    public Optional<Output<List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs>>> externalTenants() {
+        return Optional.ofNullable(this.externalTenants);
+    }
+
+    /**
+     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    @Import(name="guestOrExternalUserTypes", required=true)
+    private Output<List<String>> guestOrExternalUserTypes;
+
+    /**
+     * @return A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    public Output<List<String>> guestOrExternalUserTypes() {
+        return this.guestOrExternalUserTypes;
+    }
+
+    private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs() {}
+
+    private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs $) {
+        this.externalTenants = $.externalTenants;
+        this.guestOrExternalUserTypes = $.guestOrExternalUserTypes;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs defaults) {
+        return new Builder(defaults);
+    }
+
+    public static final class Builder {
+        private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs $;
+
+        public Builder() {
+            $ = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs();
+        }
+
+        public Builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs defaults) {
+            $ = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs(Objects.requireNonNull(defaults));
+        }
+
+        /**
+         * @param externalTenants An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder externalTenants(@Nullable Output<List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs>> externalTenants) {
+            $.externalTenants = externalTenants;
+            return this;
+        }
+
+        /**
+         * @param externalTenants An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder externalTenants(List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs> externalTenants) {
+            return externalTenants(Output.of(externalTenants));
+        }
+
+        /**
+         * @param externalTenants An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder externalTenants(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs... externalTenants) {
+            return externalTenants(List.of(externalTenants));
+        }
+
+        /**
+         * @param guestOrExternalUserTypes A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder guestOrExternalUserTypes(Output<List<String>> guestOrExternalUserTypes) {
+            $.guestOrExternalUserTypes = guestOrExternalUserTypes;
+            return this;
+        }
+
+        /**
+         * @param guestOrExternalUserTypes A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder guestOrExternalUserTypes(List<String> guestOrExternalUserTypes) {
+            return guestOrExternalUserTypes(Output.of(guestOrExternalUserTypes));
+        }
+
+        /**
+         * @param guestOrExternalUserTypes A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder guestOrExternalUserTypes(String... guestOrExternalUserTypes) {
+            return guestOrExternalUserTypes(List.of(guestOrExternalUserTypes));
+        }
+
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs build() {
+            $.guestOrExternalUserTypes = Objects.requireNonNull($.guestOrExternalUserTypes, "expected parameter 'guestOrExternalUserTypes' to be non-null");
+            return $;
+        }
+    }
+
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.java
new file mode 100644
index 000000000..fb047e071
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs.java
@@ -0,0 +1,132 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.inputs;
+
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Import;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+
+public final class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs extends com.pulumi.resources.ResourceArgs {
+
+    public static final ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs Empty = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs();
+
+    /**
+     * A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    @Import(name="members")
+    private @Nullable Output<List<String>> members;
+
+    /**
+     * @return A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    public Optional<Output<List<String>>> members() {
+        return Optional.ofNullable(this.members);
+    }
+
+    /**
+     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    @Import(name="membershipKind", required=true)
+    private Output<String> membershipKind;
+
+    /**
+     * @return The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    public Output<String> membershipKind() {
+        return this.membershipKind;
+    }
+
+    private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs() {}
+
+    private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs $) {
+        this.members = $.members;
+        this.membershipKind = $.membershipKind;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs defaults) {
+        return new Builder(defaults);
+    }
+
+    public static final class Builder {
+        private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs $;
+
+        public Builder() {
+            $ = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs();
+        }
+
+        public Builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs defaults) {
+            $ = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs(Objects.requireNonNull(defaults));
+        }
+
+        /**
+         * @param members A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder members(@Nullable Output<List<String>> members) {
+            $.members = members;
+            return this;
+        }
+
+        /**
+         * @param members A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder members(List<String> members) {
+            return members(Output.of(members));
+        }
+
+        /**
+         * @param members A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder members(String... members) {
+            return members(List.of(members));
+        }
+
+        /**
+         * @param membershipKind The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder membershipKind(Output<String> membershipKind) {
+            $.membershipKind = membershipKind;
+            return this;
+        }
+
+        /**
+         * @param membershipKind The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder membershipKind(String membershipKind) {
+            return membershipKind(Output.of(membershipKind));
+        }
+
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs build() {
+            $.membershipKind = Objects.requireNonNull($.membershipKind, "expected parameter 'membershipKind' to be non-null");
+            return $;
+        }
+    }
+
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.java
new file mode 100644
index 000000000..e2763aa89
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs.java
@@ -0,0 +1,143 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.inputs;
+
+import com.pulumi.azuread.inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs;
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Import;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+
+public final class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs extends com.pulumi.resources.ResourceArgs {
+
+    public static final ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs Empty = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs();
+
+    /**
+     * An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    @Import(name="externalTenants")
+    private @Nullable Output<List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs>> externalTenants;
+
+    /**
+     * @return An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    public Optional<Output<List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs>>> externalTenants() {
+        return Optional.ofNullable(this.externalTenants);
+    }
+
+    /**
+     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    @Import(name="guestOrExternalUserTypes", required=true)
+    private Output<List<String>> guestOrExternalUserTypes;
+
+    /**
+     * @return A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    public Output<List<String>> guestOrExternalUserTypes() {
+        return this.guestOrExternalUserTypes;
+    }
+
+    private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs() {}
+
+    private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs $) {
+        this.externalTenants = $.externalTenants;
+        this.guestOrExternalUserTypes = $.guestOrExternalUserTypes;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs defaults) {
+        return new Builder(defaults);
+    }
+
+    public static final class Builder {
+        private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs $;
+
+        public Builder() {
+            $ = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs();
+        }
+
+        public Builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs defaults) {
+            $ = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs(Objects.requireNonNull(defaults));
+        }
+
+        /**
+         * @param externalTenants An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder externalTenants(@Nullable Output<List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs>> externalTenants) {
+            $.externalTenants = externalTenants;
+            return this;
+        }
+
+        /**
+         * @param externalTenants An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder externalTenants(List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs> externalTenants) {
+            return externalTenants(Output.of(externalTenants));
+        }
+
+        /**
+         * @param externalTenants An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder externalTenants(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs... externalTenants) {
+            return externalTenants(List.of(externalTenants));
+        }
+
+        /**
+         * @param guestOrExternalUserTypes A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder guestOrExternalUserTypes(Output<List<String>> guestOrExternalUserTypes) {
+            $.guestOrExternalUserTypes = guestOrExternalUserTypes;
+            return this;
+        }
+
+        /**
+         * @param guestOrExternalUserTypes A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder guestOrExternalUserTypes(List<String> guestOrExternalUserTypes) {
+            return guestOrExternalUserTypes(Output.of(guestOrExternalUserTypes));
+        }
+
+        /**
+         * @param guestOrExternalUserTypes A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder guestOrExternalUserTypes(String... guestOrExternalUserTypes) {
+            return guestOrExternalUserTypes(List.of(guestOrExternalUserTypes));
+        }
+
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs build() {
+            $.guestOrExternalUserTypes = Objects.requireNonNull($.guestOrExternalUserTypes, "expected parameter 'guestOrExternalUserTypes' to be non-null");
+            return $;
+        }
+    }
+
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.java
new file mode 100644
index 000000000..2a5e56a0b
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs.java
@@ -0,0 +1,132 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.inputs;
+
+import com.pulumi.core.Output;
+import com.pulumi.core.annotations.Import;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.annotation.Nullable;
+
+
+public final class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs extends com.pulumi.resources.ResourceArgs {
+
+    public static final ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs Empty = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs();
+
+    /**
+     * A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    @Import(name="members")
+    private @Nullable Output<List<String>> members;
+
+    /**
+     * @return A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    public Optional<Output<List<String>>> members() {
+        return Optional.ofNullable(this.members);
+    }
+
+    /**
+     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    @Import(name="membershipKind", required=true)
+    private Output<String> membershipKind;
+
+    /**
+     * @return The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    public Output<String> membershipKind() {
+        return this.membershipKind;
+    }
+
+    private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs() {}
+
+    private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs $) {
+        this.members = $.members;
+        this.membershipKind = $.membershipKind;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs defaults) {
+        return new Builder(defaults);
+    }
+
+    public static final class Builder {
+        private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs $;
+
+        public Builder() {
+            $ = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs();
+        }
+
+        public Builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs defaults) {
+            $ = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs(Objects.requireNonNull(defaults));
+        }
+
+        /**
+         * @param members A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder members(@Nullable Output<List<String>> members) {
+            $.members = members;
+            return this;
+        }
+
+        /**
+         * @param members A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder members(List<String> members) {
+            return members(Output.of(members));
+        }
+
+        /**
+         * @param members A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder members(String... members) {
+            return members(List.of(members));
+        }
+
+        /**
+         * @param membershipKind The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder membershipKind(Output<String> membershipKind) {
+            $.membershipKind = membershipKind;
+            return this;
+        }
+
+        /**
+         * @param membershipKind The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder membershipKind(String membershipKind) {
+            return membershipKind(Output.of(membershipKind));
+        }
+
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs build() {
+            $.membershipKind = Objects.requireNonNull($.membershipKind, "expected parameter 'membershipKind' to be non-null");
+            return $;
+        }
+    }
+
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicySessionControlsArgs.java b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicySessionControlsArgs.java
index 659c75d18..f00111871 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicySessionControlsArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/inputs/ConditionalAccessPolicySessionControlsArgs.java
@@ -82,14 +82,14 @@ public Optional<Output<String>> persistentBrowserMode() {
     }
 
     /**
-     * Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
      * 
      */
     @Import(name="signInFrequency")
     private @Nullable Output<Integer> signInFrequency;
 
     /**
-     * @return Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * @return Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
      * 
      */
     public Optional<Output<Integer>> signInFrequency() {
@@ -97,14 +97,44 @@ public Optional<Output<Integer>> signInFrequency() {
     }
 
     /**
-     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+     * 
+     */
+    @Import(name="signInFrequencyAuthenticationType")
+    private @Nullable Output<String> signInFrequencyAuthenticationType;
+
+    /**
+     * @return Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+     * 
+     */
+    public Optional<Output<String>> signInFrequencyAuthenticationType() {
+        return Optional.ofNullable(this.signInFrequencyAuthenticationType);
+    }
+
+    /**
+     * The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+     * 
+     */
+    @Import(name="signInFrequencyInterval")
+    private @Nullable Output<String> signInFrequencyInterval;
+
+    /**
+     * @return The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+     * 
+     */
+    public Optional<Output<String>> signInFrequencyInterval() {
+        return Optional.ofNullable(this.signInFrequencyInterval);
+    }
+
+    /**
+     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
      * 
      */
     @Import(name="signInFrequencyPeriod")
     private @Nullable Output<String> signInFrequencyPeriod;
 
     /**
-     * @return The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * @return The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
      * 
      */
     public Optional<Output<String>> signInFrequencyPeriod() {
@@ -119,6 +149,8 @@ private ConditionalAccessPolicySessionControlsArgs(ConditionalAccessPolicySessio
         this.disableResilienceDefaults = $.disableResilienceDefaults;
         this.persistentBrowserMode = $.persistentBrowserMode;
         this.signInFrequency = $.signInFrequency;
+        this.signInFrequencyAuthenticationType = $.signInFrequencyAuthenticationType;
+        this.signInFrequencyInterval = $.signInFrequencyInterval;
         this.signInFrequencyPeriod = $.signInFrequencyPeriod;
     }
 
@@ -229,7 +261,7 @@ public Builder persistentBrowserMode(String persistentBrowserMode) {
         }
 
         /**
-         * @param signInFrequency Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+         * @param signInFrequency Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
          * 
          * @return builder
          * 
@@ -240,7 +272,7 @@ public Builder signInFrequency(@Nullable Output<Integer> signInFrequency) {
         }
 
         /**
-         * @param signInFrequency Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+         * @param signInFrequency Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
          * 
          * @return builder
          * 
@@ -250,7 +282,49 @@ public Builder signInFrequency(Integer signInFrequency) {
         }
 
         /**
-         * @param signInFrequencyPeriod The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+         * @param signInFrequencyAuthenticationType Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder signInFrequencyAuthenticationType(@Nullable Output<String> signInFrequencyAuthenticationType) {
+            $.signInFrequencyAuthenticationType = signInFrequencyAuthenticationType;
+            return this;
+        }
+
+        /**
+         * @param signInFrequencyAuthenticationType Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder signInFrequencyAuthenticationType(String signInFrequencyAuthenticationType) {
+            return signInFrequencyAuthenticationType(Output.of(signInFrequencyAuthenticationType));
+        }
+
+        /**
+         * @param signInFrequencyInterval The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder signInFrequencyInterval(@Nullable Output<String> signInFrequencyInterval) {
+            $.signInFrequencyInterval = signInFrequencyInterval;
+            return this;
+        }
+
+        /**
+         * @param signInFrequencyInterval The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder signInFrequencyInterval(String signInFrequencyInterval) {
+            return signInFrequencyInterval(Output.of(signInFrequencyInterval));
+        }
+
+        /**
+         * @param signInFrequencyPeriod The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
          * 
          * @return builder
          * 
@@ -261,7 +335,7 @@ public Builder signInFrequencyPeriod(@Nullable Output<String> signInFrequencyPer
         }
 
         /**
-         * @param signInFrequencyPeriod The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+         * @param signInFrequencyPeriod The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
          * 
          * @return builder
          * 
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsAccessToken.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsAccessToken.java
index 30c378740..acfbd36a7 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsAccessToken.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsAccessToken.java
@@ -14,7 +14,7 @@
 @CustomType
 public final class ApplicationOptionalClaimsAccessToken {
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     private @Nullable List<String> additionalProperties;
@@ -36,7 +36,7 @@ public final class ApplicationOptionalClaimsAccessToken {
 
     private ApplicationOptionalClaimsAccessToken() {}
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     public List<String> additionalProperties() {
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsIdToken.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsIdToken.java
index 7a6f2295e..103cfa599 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsIdToken.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsIdToken.java
@@ -14,7 +14,7 @@
 @CustomType
 public final class ApplicationOptionalClaimsIdToken {
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     private @Nullable List<String> additionalProperties;
@@ -36,7 +36,7 @@ public final class ApplicationOptionalClaimsIdToken {
 
     private ApplicationOptionalClaimsIdToken() {}
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     public List<String> additionalProperties() {
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsSaml2Token.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsSaml2Token.java
index 38eb3776a..89173fe97 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsSaml2Token.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ApplicationOptionalClaimsSaml2Token.java
@@ -14,7 +14,7 @@
 @CustomType
 public final class ApplicationOptionalClaimsSaml2Token {
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     private @Nullable List<String> additionalProperties;
@@ -36,7 +36,7 @@ public final class ApplicationOptionalClaimsSaml2Token {
 
     private ApplicationOptionalClaimsSaml2Token() {}
     /**
-     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * @return List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
      * 
      */
     public List<String> additionalProperties() {
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsDevices.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsDevices.java
index 5d756e7ba..3c3a12d66 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsDevices.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsDevices.java
@@ -12,14 +12,14 @@
 @CustomType
 public final class ConditionalAccessPolicyConditionsDevices {
     /**
-     * @return A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+     * @return A `filter` block as described below.
      * 
      */
     private @Nullable ConditionalAccessPolicyConditionsDevicesFilter filter;
 
     private ConditionalAccessPolicyConditionsDevices() {}
     /**
-     * @return A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+     * @return A `filter` block as described below.
      * 
      */
     public Optional<ConditionalAccessPolicyConditionsDevicesFilter> filter() {
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsers.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsers.java
index c299d8f64..c346ce9b6 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsers.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsers.java
@@ -3,6 +3,8 @@
 
 package com.pulumi.azuread.outputs;
 
+import com.pulumi.azuread.outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser;
+import com.pulumi.azuread.outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser;
 import com.pulumi.core.annotations.CustomType;
 import java.lang.String;
 import java.util.List;
@@ -16,6 +18,11 @@ public final class ConditionalAccessPolicyConditionsUsers {
      * 
      */
     private @Nullable List<String> excludedGroups;
+    /**
+     * @return A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+     * 
+     */
+    private @Nullable List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> excludedGuestsOrExternalUsers;
     /**
      * @return A list of role IDs excluded from scope of policy.
      * 
@@ -31,6 +38,11 @@ public final class ConditionalAccessPolicyConditionsUsers {
      * 
      */
     private @Nullable List<String> includedGroups;
+    /**
+     * @return A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+     * 
+     */
+    private @Nullable List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> includedGuestsOrExternalUsers;
     /**
      * @return A list of role IDs in scope of policy unless explicitly excluded.
      * 
@@ -39,7 +51,7 @@ public final class ConditionalAccessPolicyConditionsUsers {
     /**
      * @return A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
      * 
-     * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+     * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
      * 
      */
     private @Nullable List<String> includedUsers;
@@ -52,6 +64,13 @@ private ConditionalAccessPolicyConditionsUsers() {}
     public List<String> excludedGroups() {
         return this.excludedGroups == null ? List.of() : this.excludedGroups;
     }
+    /**
+     * @return A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+     * 
+     */
+    public List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> excludedGuestsOrExternalUsers() {
+        return this.excludedGuestsOrExternalUsers == null ? List.of() : this.excludedGuestsOrExternalUsers;
+    }
     /**
      * @return A list of role IDs excluded from scope of policy.
      * 
@@ -73,6 +92,13 @@ public List<String> excludedUsers() {
     public List<String> includedGroups() {
         return this.includedGroups == null ? List.of() : this.includedGroups;
     }
+    /**
+     * @return A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+     * 
+     */
+    public List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> includedGuestsOrExternalUsers() {
+        return this.includedGuestsOrExternalUsers == null ? List.of() : this.includedGuestsOrExternalUsers;
+    }
     /**
      * @return A list of role IDs in scope of policy unless explicitly excluded.
      * 
@@ -83,7 +109,7 @@ public List<String> includedRoles() {
     /**
      * @return A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
      * 
-     * &gt; At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+     * &gt; At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
      * 
      */
     public List<String> includedUsers() {
@@ -100,18 +126,22 @@ public static Builder builder(ConditionalAccessPolicyConditionsUsers defaults) {
     @CustomType.Builder
     public static final class Builder {
         private @Nullable List<String> excludedGroups;
+        private @Nullable List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> excludedGuestsOrExternalUsers;
         private @Nullable List<String> excludedRoles;
         private @Nullable List<String> excludedUsers;
         private @Nullable List<String> includedGroups;
+        private @Nullable List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> includedGuestsOrExternalUsers;
         private @Nullable List<String> includedRoles;
         private @Nullable List<String> includedUsers;
         public Builder() {}
         public Builder(ConditionalAccessPolicyConditionsUsers defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.excludedGroups = defaults.excludedGroups;
+    	      this.excludedGuestsOrExternalUsers = defaults.excludedGuestsOrExternalUsers;
     	      this.excludedRoles = defaults.excludedRoles;
     	      this.excludedUsers = defaults.excludedUsers;
     	      this.includedGroups = defaults.includedGroups;
+    	      this.includedGuestsOrExternalUsers = defaults.includedGuestsOrExternalUsers;
     	      this.includedRoles = defaults.includedRoles;
     	      this.includedUsers = defaults.includedUsers;
         }
@@ -125,6 +155,14 @@ public Builder excludedGroups(String... excludedGroups) {
             return excludedGroups(List.of(excludedGroups));
         }
         @CustomType.Setter
+        public Builder excludedGuestsOrExternalUsers(@Nullable List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser> excludedGuestsOrExternalUsers) {
+            this.excludedGuestsOrExternalUsers = excludedGuestsOrExternalUsers;
+            return this;
+        }
+        public Builder excludedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser... excludedGuestsOrExternalUsers) {
+            return excludedGuestsOrExternalUsers(List.of(excludedGuestsOrExternalUsers));
+        }
+        @CustomType.Setter
         public Builder excludedRoles(@Nullable List<String> excludedRoles) {
             this.excludedRoles = excludedRoles;
             return this;
@@ -149,6 +187,14 @@ public Builder includedGroups(String... includedGroups) {
             return includedGroups(List.of(includedGroups));
         }
         @CustomType.Setter
+        public Builder includedGuestsOrExternalUsers(@Nullable List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser> includedGuestsOrExternalUsers) {
+            this.includedGuestsOrExternalUsers = includedGuestsOrExternalUsers;
+            return this;
+        }
+        public Builder includedGuestsOrExternalUsers(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser... includedGuestsOrExternalUsers) {
+            return includedGuestsOrExternalUsers(List.of(includedGuestsOrExternalUsers));
+        }
+        @CustomType.Setter
         public Builder includedRoles(@Nullable List<String> includedRoles) {
             this.includedRoles = includedRoles;
             return this;
@@ -167,9 +213,11 @@ public Builder includedUsers(String... includedUsers) {
         public ConditionalAccessPolicyConditionsUsers build() {
             final var o = new ConditionalAccessPolicyConditionsUsers();
             o.excludedGroups = excludedGroups;
+            o.excludedGuestsOrExternalUsers = excludedGuestsOrExternalUsers;
             o.excludedRoles = excludedRoles;
             o.excludedUsers = excludedUsers;
             o.includedGroups = includedGroups;
+            o.includedGuestsOrExternalUsers = includedGuestsOrExternalUsers;
             o.includedRoles = includedRoles;
             o.includedUsers = includedUsers;
             return o;
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.java
new file mode 100644
index 000000000..38a6886c9
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.java
@@ -0,0 +1,83 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.outputs;
+
+import com.pulumi.azuread.outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant;
+import com.pulumi.core.annotations.CustomType;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import javax.annotation.Nullable;
+
+@CustomType
+public final class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
+    /**
+     * @return An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    private @Nullable List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> externalTenants;
+    /**
+     * @return A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    private List<String> guestOrExternalUserTypes;
+
+    private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser() {}
+    /**
+     * @return An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    public List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> externalTenants() {
+        return this.externalTenants == null ? List.of() : this.externalTenants;
+    }
+    /**
+     * @return A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    public List<String> guestOrExternalUserTypes() {
+        return this.guestOrExternalUserTypes;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser defaults) {
+        return new Builder(defaults);
+    }
+    @CustomType.Builder
+    public static final class Builder {
+        private @Nullable List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> externalTenants;
+        private List<String> guestOrExternalUserTypes;
+        public Builder() {}
+        public Builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser defaults) {
+    	      Objects.requireNonNull(defaults);
+    	      this.externalTenants = defaults.externalTenants;
+    	      this.guestOrExternalUserTypes = defaults.guestOrExternalUserTypes;
+        }
+
+        @CustomType.Setter
+        public Builder externalTenants(@Nullable List<ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant> externalTenants) {
+            this.externalTenants = externalTenants;
+            return this;
+        }
+        public Builder externalTenants(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant... externalTenants) {
+            return externalTenants(List.of(externalTenants));
+        }
+        @CustomType.Setter
+        public Builder guestOrExternalUserTypes(List<String> guestOrExternalUserTypes) {
+            this.guestOrExternalUserTypes = Objects.requireNonNull(guestOrExternalUserTypes);
+            return this;
+        }
+        public Builder guestOrExternalUserTypes(String... guestOrExternalUserTypes) {
+            return guestOrExternalUserTypes(List.of(guestOrExternalUserTypes));
+        }
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser build() {
+            final var o = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser();
+            o.externalTenants = externalTenants;
+            o.guestOrExternalUserTypes = guestOrExternalUserTypes;
+            return o;
+        }
+    }
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.java
new file mode 100644
index 000000000..1c49a325b
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.java
@@ -0,0 +1,79 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.outputs;
+
+import com.pulumi.core.annotations.CustomType;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import javax.annotation.Nullable;
+
+@CustomType
+public final class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
+    /**
+     * @return A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    private @Nullable List<String> members;
+    /**
+     * @return The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    private String membershipKind;
+
+    private ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant() {}
+    /**
+     * @return A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    public List<String> members() {
+        return this.members == null ? List.of() : this.members;
+    }
+    /**
+     * @return The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    public String membershipKind() {
+        return this.membershipKind;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant defaults) {
+        return new Builder(defaults);
+    }
+    @CustomType.Builder
+    public static final class Builder {
+        private @Nullable List<String> members;
+        private String membershipKind;
+        public Builder() {}
+        public Builder(ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant defaults) {
+    	      Objects.requireNonNull(defaults);
+    	      this.members = defaults.members;
+    	      this.membershipKind = defaults.membershipKind;
+        }
+
+        @CustomType.Setter
+        public Builder members(@Nullable List<String> members) {
+            this.members = members;
+            return this;
+        }
+        public Builder members(String... members) {
+            return members(List.of(members));
+        }
+        @CustomType.Setter
+        public Builder membershipKind(String membershipKind) {
+            this.membershipKind = Objects.requireNonNull(membershipKind);
+            return this;
+        }
+        public ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant build() {
+            final var o = new ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant();
+            o.members = members;
+            o.membershipKind = membershipKind;
+            return o;
+        }
+    }
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.java
new file mode 100644
index 000000000..1f3d9f31d
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.java
@@ -0,0 +1,83 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.outputs;
+
+import com.pulumi.azuread.outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant;
+import com.pulumi.core.annotations.CustomType;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import javax.annotation.Nullable;
+
+@CustomType
+public final class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
+    /**
+     * @return An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    private @Nullable List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> externalTenants;
+    /**
+     * @return A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    private List<String> guestOrExternalUserTypes;
+
+    private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser() {}
+    /**
+     * @return An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+     * 
+     */
+    public List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> externalTenants() {
+        return this.externalTenants == null ? List.of() : this.externalTenants;
+    }
+    /**
+     * @return A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     * 
+     */
+    public List<String> guestOrExternalUserTypes() {
+        return this.guestOrExternalUserTypes;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser defaults) {
+        return new Builder(defaults);
+    }
+    @CustomType.Builder
+    public static final class Builder {
+        private @Nullable List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> externalTenants;
+        private List<String> guestOrExternalUserTypes;
+        public Builder() {}
+        public Builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser defaults) {
+    	      Objects.requireNonNull(defaults);
+    	      this.externalTenants = defaults.externalTenants;
+    	      this.guestOrExternalUserTypes = defaults.guestOrExternalUserTypes;
+        }
+
+        @CustomType.Setter
+        public Builder externalTenants(@Nullable List<ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant> externalTenants) {
+            this.externalTenants = externalTenants;
+            return this;
+        }
+        public Builder externalTenants(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant... externalTenants) {
+            return externalTenants(List.of(externalTenants));
+        }
+        @CustomType.Setter
+        public Builder guestOrExternalUserTypes(List<String> guestOrExternalUserTypes) {
+            this.guestOrExternalUserTypes = Objects.requireNonNull(guestOrExternalUserTypes);
+            return this;
+        }
+        public Builder guestOrExternalUserTypes(String... guestOrExternalUserTypes) {
+            return guestOrExternalUserTypes(List.of(guestOrExternalUserTypes));
+        }
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser build() {
+            final var o = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser();
+            o.externalTenants = externalTenants;
+            o.guestOrExternalUserTypes = guestOrExternalUserTypes;
+            return o;
+        }
+    }
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.java
new file mode 100644
index 000000000..0048ffb1b
--- /dev/null
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.java
@@ -0,0 +1,79 @@
+// *** WARNING: this file was generated by pulumi-java-gen. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+package com.pulumi.azuread.outputs;
+
+import com.pulumi.core.annotations.CustomType;
+import java.lang.String;
+import java.util.List;
+import java.util.Objects;
+import javax.annotation.Nullable;
+
+@CustomType
+public final class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
+    /**
+     * @return A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    private @Nullable List<String> members;
+    /**
+     * @return The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    private String membershipKind;
+
+    private ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant() {}
+    /**
+     * @return A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+     * 
+     */
+    public List<String> members() {
+        return this.members == null ? List.of() : this.members;
+    }
+    /**
+     * @return The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     * 
+     */
+    public String membershipKind() {
+        return this.membershipKind;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static Builder builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant defaults) {
+        return new Builder(defaults);
+    }
+    @CustomType.Builder
+    public static final class Builder {
+        private @Nullable List<String> members;
+        private String membershipKind;
+        public Builder() {}
+        public Builder(ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant defaults) {
+    	      Objects.requireNonNull(defaults);
+    	      this.members = defaults.members;
+    	      this.membershipKind = defaults.membershipKind;
+        }
+
+        @CustomType.Setter
+        public Builder members(@Nullable List<String> members) {
+            this.members = members;
+            return this;
+        }
+        public Builder members(String... members) {
+            return members(List.of(members));
+        }
+        @CustomType.Setter
+        public Builder membershipKind(String membershipKind) {
+            this.membershipKind = Objects.requireNonNull(membershipKind);
+            return this;
+        }
+        public ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant build() {
+            final var o = new ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant();
+            o.members = members;
+            o.membershipKind = membershipKind;
+            return o;
+        }
+    }
+}
diff --git a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicySessionControls.java b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicySessionControls.java
index cd4ac266a..7d84fa28d 100644
--- a/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicySessionControls.java
+++ b/sdk/java/src/main/java/com/pulumi/azuread/outputs/ConditionalAccessPolicySessionControls.java
@@ -36,12 +36,22 @@ public final class ConditionalAccessPolicySessionControls {
      */
     private @Nullable String persistentBrowserMode;
     /**
-     * @return Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * @return Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
      * 
      */
     private @Nullable Integer signInFrequency;
     /**
-     * @return The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * @return Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+     * 
+     */
+    private @Nullable String signInFrequencyAuthenticationType;
+    /**
+     * @return The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+     * 
+     */
+    private @Nullable String signInFrequencyInterval;
+    /**
+     * @return The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
      * 
      */
     private @Nullable String signInFrequencyPeriod;
@@ -78,14 +88,28 @@ public Optional<String> persistentBrowserMode() {
         return Optional.ofNullable(this.persistentBrowserMode);
     }
     /**
-     * @return Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * @return Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
      * 
      */
     public Optional<Integer> signInFrequency() {
         return Optional.ofNullable(this.signInFrequency);
     }
     /**
-     * @return The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * @return Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+     * 
+     */
+    public Optional<String> signInFrequencyAuthenticationType() {
+        return Optional.ofNullable(this.signInFrequencyAuthenticationType);
+    }
+    /**
+     * @return The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+     * 
+     */
+    public Optional<String> signInFrequencyInterval() {
+        return Optional.ofNullable(this.signInFrequencyInterval);
+    }
+    /**
+     * @return The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
      * 
      */
     public Optional<String> signInFrequencyPeriod() {
@@ -106,6 +130,8 @@ public static final class Builder {
         private @Nullable Boolean disableResilienceDefaults;
         private @Nullable String persistentBrowserMode;
         private @Nullable Integer signInFrequency;
+        private @Nullable String signInFrequencyAuthenticationType;
+        private @Nullable String signInFrequencyInterval;
         private @Nullable String signInFrequencyPeriod;
         public Builder() {}
         public Builder(ConditionalAccessPolicySessionControls defaults) {
@@ -115,6 +141,8 @@ public Builder(ConditionalAccessPolicySessionControls defaults) {
     	      this.disableResilienceDefaults = defaults.disableResilienceDefaults;
     	      this.persistentBrowserMode = defaults.persistentBrowserMode;
     	      this.signInFrequency = defaults.signInFrequency;
+    	      this.signInFrequencyAuthenticationType = defaults.signInFrequencyAuthenticationType;
+    	      this.signInFrequencyInterval = defaults.signInFrequencyInterval;
     	      this.signInFrequencyPeriod = defaults.signInFrequencyPeriod;
         }
 
@@ -144,6 +172,16 @@ public Builder signInFrequency(@Nullable Integer signInFrequency) {
             return this;
         }
         @CustomType.Setter
+        public Builder signInFrequencyAuthenticationType(@Nullable String signInFrequencyAuthenticationType) {
+            this.signInFrequencyAuthenticationType = signInFrequencyAuthenticationType;
+            return this;
+        }
+        @CustomType.Setter
+        public Builder signInFrequencyInterval(@Nullable String signInFrequencyInterval) {
+            this.signInFrequencyInterval = signInFrequencyInterval;
+            return this;
+        }
+        @CustomType.Setter
         public Builder signInFrequencyPeriod(@Nullable String signInFrequencyPeriod) {
             this.signInFrequencyPeriod = signInFrequencyPeriod;
             return this;
@@ -155,6 +193,8 @@ public ConditionalAccessPolicySessionControls build() {
             o.disableResilienceDefaults = disableResilienceDefaults;
             o.persistentBrowserMode = persistentBrowserMode;
             o.signInFrequency = signInFrequency;
+            o.signInFrequencyAuthenticationType = signInFrequencyAuthenticationType;
+            o.signInFrequencyInterval = signInFrequencyInterval;
             o.signInFrequencyPeriod = signInFrequencyPeriod;
             return o;
         }
diff --git a/sdk/nodejs/applicationOptionalClaims.ts b/sdk/nodejs/applicationOptionalClaims.ts
new file mode 100644
index 000000000..1f5af087a
--- /dev/null
+++ b/sdk/nodejs/applicationOptionalClaims.ts
@@ -0,0 +1,172 @@
+// *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+// *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import * as pulumi from "@pulumi/pulumi";
+import * as inputs from "./types/input";
+import * as outputs from "./types/output";
+import * as utilities from "./utilities";
+
+/**
+ * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as azuread from "@pulumi/azuread";
+ *
+ * const exampleApplicationRegistration = new azuread.ApplicationRegistration("exampleApplicationRegistration", {displayName: "example"});
+ * const exampleApplicationOptionalClaims = new azuread.ApplicationOptionalClaims("exampleApplicationOptionalClaims", {
+ *     applicationId: exampleApplicationRegistration.id,
+ *     accessTokens: [
+ *         {
+ *             name: "myclaim",
+ *         },
+ *         {
+ *             name: "otherclaim",
+ *         },
+ *     ],
+ *     idTokens: [{
+ *         name: "userclaim",
+ *         source: "user",
+ *         essential: true,
+ *         additionalProperties: ["emit_as_roles"],
+ *     }],
+ *     saml2Tokens: [{
+ *         name: "samlexample",
+ *     }],
+ * });
+ * ```
+ *
+ * ## Import
+ *
+ * Application Optional Claims can be imported using the object ID of the application, in the following format.
+ *
+ * ```sh
+ *  $ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000
+ * ```
+ */
+export class ApplicationOptionalClaims extends pulumi.CustomResource {
+    /**
+     * Get an existing ApplicationOptionalClaims resource's state with the given name, ID, and optional extra
+     * properties used to qualify the lookup.
+     *
+     * @param name The _unique_ name of the resulting resource.
+     * @param id The _unique_ provider ID of the resource to lookup.
+     * @param state Any extra arguments used during the lookup.
+     * @param opts Optional settings to control the behavior of the CustomResource.
+     */
+    public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: ApplicationOptionalClaimsState, opts?: pulumi.CustomResourceOptions): ApplicationOptionalClaims {
+        return new ApplicationOptionalClaims(name, <any>state, { ...opts, id: id });
+    }
+
+    /** @internal */
+    public static readonly __pulumiType = 'azuread:index/applicationOptionalClaims:ApplicationOptionalClaims';
+
+    /**
+     * Returns true if the given object is an instance of ApplicationOptionalClaims.  This is designed to work even
+     * when multiple copies of the Pulumi SDK have been loaded into the same process.
+     */
+    public static isInstance(obj: any): obj is ApplicationOptionalClaims {
+        if (obj === undefined || obj === null) {
+            return false;
+        }
+        return obj['__pulumiType'] === ApplicationOptionalClaims.__pulumiType;
+    }
+
+    /**
+     * One or more `accessToken` blocks as documented below.
+     */
+    public readonly accessTokens!: pulumi.Output<outputs.ApplicationOptionalClaimsAccessToken[] | undefined>;
+    /**
+     * The resource ID of the application registration. Changing this forces a new resource to be created.
+     */
+    public readonly applicationId!: pulumi.Output<string>;
+    /**
+     * One or more `idToken` blocks as documented below.
+     */
+    public readonly idTokens!: pulumi.Output<outputs.ApplicationOptionalClaimsIdToken[] | undefined>;
+    /**
+     * One or more `saml2Token` blocks as documented below.
+     *
+     * > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+     */
+    public readonly saml2Tokens!: pulumi.Output<outputs.ApplicationOptionalClaimsSaml2Token[] | undefined>;
+
+    /**
+     * Create a ApplicationOptionalClaims resource with the given unique name, arguments, and options.
+     *
+     * @param name The _unique_ name of the resource.
+     * @param args The arguments to use to populate this resource's properties.
+     * @param opts A bag of options that control this resource's behavior.
+     */
+    constructor(name: string, args: ApplicationOptionalClaimsArgs, opts?: pulumi.CustomResourceOptions)
+    constructor(name: string, argsOrState?: ApplicationOptionalClaimsArgs | ApplicationOptionalClaimsState, opts?: pulumi.CustomResourceOptions) {
+        let resourceInputs: pulumi.Inputs = {};
+        opts = opts || {};
+        if (opts.id) {
+            const state = argsOrState as ApplicationOptionalClaimsState | undefined;
+            resourceInputs["accessTokens"] = state ? state.accessTokens : undefined;
+            resourceInputs["applicationId"] = state ? state.applicationId : undefined;
+            resourceInputs["idTokens"] = state ? state.idTokens : undefined;
+            resourceInputs["saml2Tokens"] = state ? state.saml2Tokens : undefined;
+        } else {
+            const args = argsOrState as ApplicationOptionalClaimsArgs | undefined;
+            if ((!args || args.applicationId === undefined) && !opts.urn) {
+                throw new Error("Missing required property 'applicationId'");
+            }
+            resourceInputs["accessTokens"] = args ? args.accessTokens : undefined;
+            resourceInputs["applicationId"] = args ? args.applicationId : undefined;
+            resourceInputs["idTokens"] = args ? args.idTokens : undefined;
+            resourceInputs["saml2Tokens"] = args ? args.saml2Tokens : undefined;
+        }
+        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
+        super(ApplicationOptionalClaims.__pulumiType, name, resourceInputs, opts);
+    }
+}
+
+/**
+ * Input properties used for looking up and filtering ApplicationOptionalClaims resources.
+ */
+export interface ApplicationOptionalClaimsState {
+    /**
+     * One or more `accessToken` blocks as documented below.
+     */
+    accessTokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsAccessToken>[]>;
+    /**
+     * The resource ID of the application registration. Changing this forces a new resource to be created.
+     */
+    applicationId?: pulumi.Input<string>;
+    /**
+     * One or more `idToken` blocks as documented below.
+     */
+    idTokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsIdToken>[]>;
+    /**
+     * One or more `saml2Token` blocks as documented below.
+     *
+     * > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+     */
+    saml2Tokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsSaml2Token>[]>;
+}
+
+/**
+ * The set of arguments for constructing a ApplicationOptionalClaims resource.
+ */
+export interface ApplicationOptionalClaimsArgs {
+    /**
+     * One or more `accessToken` blocks as documented below.
+     */
+    accessTokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsAccessToken>[]>;
+    /**
+     * The resource ID of the application registration. Changing this forces a new resource to be created.
+     */
+    applicationId: pulumi.Input<string>;
+    /**
+     * One or more `idToken` blocks as documented below.
+     */
+    idTokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsIdToken>[]>;
+    /**
+     * One or more `saml2Token` blocks as documented below.
+     *
+     * > At least one of `accessToken`, `idToken` or `saml2Token` must be specified
+     */
+    saml2Tokens?: pulumi.Input<pulumi.Input<inputs.ApplicationOptionalClaimsSaml2Token>[]>;
+}
diff --git a/sdk/nodejs/getApplicationPublishedAppIds.ts b/sdk/nodejs/getApplicationPublishedAppIds.ts
index 4ce70d4cb..d2771be6f 100644
--- a/sdk/nodejs/getApplicationPublishedAppIds.ts
+++ b/sdk/nodejs/getApplicationPublishedAppIds.ts
@@ -31,7 +31,7 @@ import * as utilities from "./utilities";
  *
  * const wellKnown = azuread.getApplicationPublishedAppIds({});
  * const msgraph = new azuread.ServicePrincipal("msgraph", {
- *     applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
+ *     clientId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
  *     useExisting: true,
  * });
  * const example = new azuread.Application("example", {
@@ -99,7 +99,7 @@ export interface GetApplicationPublishedAppIdsResult {
  *
  * const wellKnown = azuread.getApplicationPublishedAppIds({});
  * const msgraph = new azuread.ServicePrincipal("msgraph", {
- *     applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
+ *     clientId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
  *     useExisting: true,
  * });
  * const example = new azuread.Application("example", {
diff --git a/sdk/nodejs/index.ts b/sdk/nodejs/index.ts
index 0c9962f85..bc7bae6c9 100644
--- a/sdk/nodejs/index.ts
+++ b/sdk/nodejs/index.ts
@@ -100,6 +100,11 @@ export type ApplicationKnownClients = import("./applicationKnownClients").Applic
 export const ApplicationKnownClients: typeof import("./applicationKnownClients").ApplicationKnownClients = null as any;
 utilities.lazyLoad(exports, ["ApplicationKnownClients"], () => require("./applicationKnownClients"));
 
+export { ApplicationOptionalClaimsArgs, ApplicationOptionalClaimsState } from "./applicationOptionalClaims";
+export type ApplicationOptionalClaims = import("./applicationOptionalClaims").ApplicationOptionalClaims;
+export const ApplicationOptionalClaims: typeof import("./applicationOptionalClaims").ApplicationOptionalClaims = null as any;
+utilities.lazyLoad(exports, ["ApplicationOptionalClaims"], () => require("./applicationOptionalClaims"));
+
 export { ApplicationOwnerArgs, ApplicationOwnerState } from "./applicationOwner";
 export type ApplicationOwner = import("./applicationOwner").ApplicationOwner;
 export const ApplicationOwner: typeof import("./applicationOwner").ApplicationOwner = null as any;
@@ -392,6 +397,8 @@ const _module = {
                 return new ApplicationIdentifierUri(name, <any>undefined, { urn })
             case "azuread:index/applicationKnownClients:ApplicationKnownClients":
                 return new ApplicationKnownClients(name, <any>undefined, { urn })
+            case "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims":
+                return new ApplicationOptionalClaims(name, <any>undefined, { urn })
             case "azuread:index/applicationOwner:ApplicationOwner":
                 return new ApplicationOwner(name, <any>undefined, { urn })
             case "azuread:index/applicationPassword:ApplicationPassword":
@@ -472,6 +479,7 @@ pulumi.runtime.registerResourceModule("azuread", "index/applicationFederatedIden
 pulumi.runtime.registerResourceModule("azuread", "index/applicationFromTemplate", _module)
 pulumi.runtime.registerResourceModule("azuread", "index/applicationIdentifierUri", _module)
 pulumi.runtime.registerResourceModule("azuread", "index/applicationKnownClients", _module)
+pulumi.runtime.registerResourceModule("azuread", "index/applicationOptionalClaims", _module)
 pulumi.runtime.registerResourceModule("azuread", "index/applicationOwner", _module)
 pulumi.runtime.registerResourceModule("azuread", "index/applicationPassword", _module)
 pulumi.runtime.registerResourceModule("azuread", "index/applicationPermissionScope", _module)
diff --git a/sdk/nodejs/servicePrincipal.ts b/sdk/nodejs/servicePrincipal.ts
index 54b985fad..d710e537f 100644
--- a/sdk/nodejs/servicePrincipal.ts
+++ b/sdk/nodejs/servicePrincipal.ts
@@ -21,7 +21,7 @@ import * as utilities from "./utilities";
  *     owners: [current.then(current => current.objectId)],
  * });
  * const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
- *     applicationId: exampleApplication.applicationId,
+ *     clientId: exampleApplication.clientId,
  *     appRoleAssignmentRequired: false,
  *     owners: [current.then(current => current.objectId)],
  * });
@@ -39,7 +39,7 @@ import * as utilities from "./utilities";
  *     owners: [current.then(current => current.objectId)],
  * });
  * const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
- *     applicationId: exampleApplication.applicationId,
+ *     clientId: exampleApplication.clientId,
  *     appRoleAssignmentRequired: false,
  *     owners: [current.then(current => current.objectId)],
  *     featureTags: [{
@@ -57,7 +57,7 @@ import * as utilities from "./utilities";
  *
  * const wellKnown = azuread.getApplicationPublishedAppIds({});
  * const msgraph = new azuread.ServicePrincipal("msgraph", {
- *     applicationId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
+ *     clientId: wellKnown.then(wellKnown => wellKnown.result?.MicrosoftGraph),
  *     useExisting: true,
  * });
  * ```
@@ -76,7 +76,7 @@ import * as utilities from "./utilities";
  *     templateId: exampleApplicationTemplate.then(exampleApplicationTemplate => exampleApplicationTemplate.templateId),
  * });
  * const exampleServicePrincipal = new azuread.ServicePrincipal("exampleServicePrincipal", {
- *     applicationId: exampleApplication.applicationId,
+ *     clientId: exampleApplication.clientId,
  *     useExisting: true,
  * });
  * ```
diff --git a/sdk/nodejs/tsconfig.json b/sdk/nodejs/tsconfig.json
index c40b20c97..86b2134a9 100644
--- a/sdk/nodejs/tsconfig.json
+++ b/sdk/nodejs/tsconfig.json
@@ -32,6 +32,7 @@
         "applicationFromTemplate.ts",
         "applicationIdentifierUri.ts",
         "applicationKnownClients.ts",
+        "applicationOptionalClaims.ts",
         "applicationOwner.ts",
         "applicationPassword.ts",
         "applicationPermissionScope.ts",
diff --git a/sdk/nodejs/types/input.ts b/sdk/nodejs/types/input.ts
index 80e2fa703..4e9676046 100644
--- a/sdk/nodejs/types/input.ts
+++ b/sdk/nodejs/types/input.ts
@@ -344,7 +344,7 @@ export interface ApplicationOptionalClaims {
 
 export interface ApplicationOptionalClaimsAccessToken {
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
      */
     additionalProperties?: pulumi.Input<pulumi.Input<string>[]>;
     /**
@@ -363,7 +363,7 @@ export interface ApplicationOptionalClaimsAccessToken {
 
 export interface ApplicationOptionalClaimsIdToken {
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
      */
     additionalProperties?: pulumi.Input<pulumi.Input<string>[]>;
     /**
@@ -382,7 +382,7 @@ export interface ApplicationOptionalClaimsIdToken {
 
 export interface ApplicationOptionalClaimsSaml2Token {
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
      */
     additionalProperties?: pulumi.Input<pulumi.Input<string>[]>;
     /**
@@ -538,7 +538,7 @@ export interface ConditionalAccessPolicyConditionsClientApplications {
 
 export interface ConditionalAccessPolicyConditionsDevices {
     /**
-     * A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+     * A `filter` block as described below.
      */
     filter?: pulumi.Input<inputs.ConditionalAccessPolicyConditionsDevicesFilter>;
 }
@@ -581,6 +581,10 @@ export interface ConditionalAccessPolicyConditionsUsers {
      * A list of group IDs excluded from scope of policy.
      */
     excludedGroups?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+     */
+    excludedGuestsOrExternalUsers?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser>[]>;
     /**
      * A list of role IDs excluded from scope of policy.
      */
@@ -593,6 +597,10 @@ export interface ConditionalAccessPolicyConditionsUsers {
      * A list of group IDs in scope of policy unless explicitly excluded.
      */
     includedGroups?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
+     */
+    includedGuestsOrExternalUsers?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser>[]>;
     /**
      * A list of role IDs in scope of policy unless explicitly excluded.
      */
@@ -600,11 +608,55 @@ export interface ConditionalAccessPolicyConditionsUsers {
     /**
      * A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
      *
-     * > At least one of `includedGroups`, `includedRoles` or `includedUsers` must be specified.
+     * > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
      */
     includedUsers?: pulumi.Input<pulumi.Input<string>[]>;
 }
 
+export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
+    /**
+     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+     */
+    externalTenants?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant>[]>;
+    /**
+     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     */
+    guestOrExternalUserTypes: pulumi.Input<pulumi.Input<string>[]>;
+}
+
+export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
+    /**
+     * A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+     */
+    members?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     */
+    membershipKind: pulumi.Input<string>;
+}
+
+export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
+    /**
+     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+     */
+    externalTenants?: pulumi.Input<pulumi.Input<inputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant>[]>;
+    /**
+     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     */
+    guestOrExternalUserTypes: pulumi.Input<pulumi.Input<string>[]>;
+}
+
+export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
+    /**
+     * A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+     */
+    members?: pulumi.Input<pulumi.Input<string>[]>;
+    /**
+     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     */
+    membershipKind: pulumi.Input<string>;
+}
+
 export interface ConditionalAccessPolicyGrantControls {
     /**
      * ID of an Authentication Strength Policy to use in this policy.
@@ -650,11 +702,19 @@ export interface ConditionalAccessPolicySessionControls {
      */
     persistentBrowserMode?: pulumi.Input<string>;
     /**
-     * Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
      */
     signInFrequency?: pulumi.Input<number>;
     /**
-     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+     */
+    signInFrequencyAuthenticationType?: pulumi.Input<string>;
+    /**
+     * The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+     */
+    signInFrequencyInterval?: pulumi.Input<string>;
+    /**
+     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
      */
     signInFrequencyPeriod?: pulumi.Input<string>;
 }
diff --git a/sdk/nodejs/types/output.ts b/sdk/nodejs/types/output.ts
index be8d284dd..d79b150b1 100644
--- a/sdk/nodejs/types/output.ts
+++ b/sdk/nodejs/types/output.ts
@@ -344,7 +344,7 @@ export interface ApplicationOptionalClaims {
 
 export interface ApplicationOptionalClaimsAccessToken {
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
      */
     additionalProperties?: string[];
     /**
@@ -363,7 +363,7 @@ export interface ApplicationOptionalClaimsAccessToken {
 
 export interface ApplicationOptionalClaimsIdToken {
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
      */
     additionalProperties?: string[];
     /**
@@ -382,7 +382,7 @@ export interface ApplicationOptionalClaimsIdToken {
 
 export interface ApplicationOptionalClaimsSaml2Token {
     /**
-     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+     * List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloudDisplayname`, `dnsDomainAndSamAccountName`, `emitAsRoles`, `includeExternallyAuthenticatedUpnWithoutHash`, `includeExternallyAuthenticatedUpn`, `maxSizeLimit`, `netbiosDomainAndSamAccountName`, `onPremiseSecurityIdentifier`, `samAccountName`, and `useGuid`.
      */
     additionalProperties?: string[];
     /**
@@ -538,7 +538,7 @@ export interface ConditionalAccessPolicyConditionsClientApplications {
 
 export interface ConditionalAccessPolicyConditionsDevices {
     /**
-     * A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+     * A `filter` block as described below.
      */
     filter?: outputs.ConditionalAccessPolicyConditionsDevicesFilter;
 }
@@ -581,6 +581,10 @@ export interface ConditionalAccessPolicyConditionsUsers {
      * A list of group IDs excluded from scope of policy.
      */
     excludedGroups?: string[];
+    /**
+     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+     */
+    excludedGuestsOrExternalUsers?: outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser[];
     /**
      * A list of role IDs excluded from scope of policy.
      */
@@ -593,6 +597,10 @@ export interface ConditionalAccessPolicyConditionsUsers {
      * A list of group IDs in scope of policy unless explicitly excluded.
      */
     includedGroups?: string[];
+    /**
+     * A `guestsOrExternalUsers` block as documented below, which specifies internal guests and external users in scope of policy.
+     */
+    includedGuestsOrExternalUsers?: outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser[];
     /**
      * A list of role IDs in scope of policy unless explicitly excluded.
      */
@@ -600,11 +608,55 @@ export interface ConditionalAccessPolicyConditionsUsers {
     /**
      * A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
      *
-     * > At least one of `includedGroups`, `includedRoles` or `includedUsers` must be specified.
+     * > At least one of `includedGroups`, `includedGuestsOrExternalUsers`, `includedRoles` or `includedUsers` must be specified.
      */
     includedUsers?: string[];
 }
 
+export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser {
+    /**
+     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+     */
+    externalTenants?: outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant[];
+    /**
+     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     */
+    guestOrExternalUserTypes: string[];
+}
+
+export interface ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant {
+    /**
+     * A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+     */
+    members?: string[];
+    /**
+     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     */
+    membershipKind: string;
+}
+
+export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser {
+    /**
+     * An `externalTenants` block as documented below, which specifies external tenants in a policy scope.
+     */
+    externalTenants?: outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant[];
+    /**
+     * A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+     */
+    guestOrExternalUserTypes: string[];
+}
+
+export interface ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant {
+    /**
+     * A list tenant IDs. Can only be specified if `membershipKind` is `enumerated`.
+     */
+    members?: string[];
+    /**
+     * The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+     */
+    membershipKind: string;
+}
+
 export interface ConditionalAccessPolicyGrantControls {
     /**
      * ID of an Authentication Strength Policy to use in this policy.
@@ -650,11 +702,19 @@ export interface ConditionalAccessPolicySessionControls {
      */
     persistentBrowserMode?: string;
     /**
-     * Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * Number of days or hours to enforce sign-in frequency. Required when `signInFrequencyPeriod` is specified.
      */
     signInFrequency?: number;
     /**
-     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified. Due to an API issue, removing this property forces a new resource to be created.
+     * Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+     */
+    signInFrequencyAuthenticationType?: string;
+    /**
+     * The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+     */
+    signInFrequencyInterval?: string;
+    /**
+     * The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `signInFrequencyPeriod` is specified.
      */
     signInFrequencyPeriod?: string;
 }
diff --git a/sdk/python/pulumi_azuread/__init__.py b/sdk/python/pulumi_azuread/__init__.py
index f22da7acc..ae116996c 100644
--- a/sdk/python/pulumi_azuread/__init__.py
+++ b/sdk/python/pulumi_azuread/__init__.py
@@ -24,6 +24,7 @@
 from .application_from_template import *
 from .application_identifier_uri import *
 from .application_known_clients import *
+from .application_optional_claims import *
 from .application_owner import *
 from .application_password import *
 from .application_permission_scope import *
@@ -237,6 +238,14 @@
    "azuread:index/applicationKnownClients:ApplicationKnownClients": "ApplicationKnownClients"
   }
  },
+ {
+  "pkg": "azuread",
+  "mod": "index/applicationOptionalClaims",
+  "fqn": "pulumi_azuread",
+  "classes": {
+   "azuread:index/applicationOptionalClaims:ApplicationOptionalClaims": "ApplicationOptionalClaims"
+  }
+ },
  {
   "pkg": "azuread",
   "mod": "index/applicationOwner",
diff --git a/sdk/python/pulumi_azuread/_inputs.py b/sdk/python/pulumi_azuread/_inputs.py
index 642099b11..2cc0fcf8d 100644
--- a/sdk/python/pulumi_azuread/_inputs.py
+++ b/sdk/python/pulumi_azuread/_inputs.py
@@ -46,6 +46,10 @@
     'ConditionalAccessPolicyConditionsLocationsArgs',
     'ConditionalAccessPolicyConditionsPlatformsArgs',
     'ConditionalAccessPolicyConditionsUsersArgs',
+    'ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs',
+    'ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs',
+    'ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs',
+    'ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs',
     'ConditionalAccessPolicyGrantControlsArgs',
     'ConditionalAccessPolicySessionControlsArgs',
     'CustomDirectoryRolePermissionArgs',
@@ -1337,7 +1341,7 @@ def __init__(__self__, *,
                  source: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] name: The name of the optional claim.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         :param pulumi.Input[bool] essential: Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
         :param pulumi.Input[str] source: The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
         """
@@ -1365,7 +1369,7 @@ def name(self, value: pulumi.Input[str]):
     @pulumi.getter(name="additionalProperties")
     def additional_properties(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         """
         return pulumi.get(self, "additional_properties")
 
@@ -1407,7 +1411,7 @@ def __init__(__self__, *,
                  source: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] name: The name of the optional claim.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         :param pulumi.Input[bool] essential: Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
         :param pulumi.Input[str] source: The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
         """
@@ -1435,7 +1439,7 @@ def name(self, value: pulumi.Input[str]):
     @pulumi.getter(name="additionalProperties")
     def additional_properties(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         """
         return pulumi.get(self, "additional_properties")
 
@@ -1477,7 +1481,7 @@ def __init__(__self__, *,
                  source: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[str] name: The name of the optional claim.
-        :param pulumi.Input[Sequence[pulumi.Input[str]]] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         :param pulumi.Input[bool] essential: Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
         :param pulumi.Input[str] source: The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
         """
@@ -1505,7 +1509,7 @@ def name(self, value: pulumi.Input[str]):
     @pulumi.getter(name="additionalProperties")
     def additional_properties(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
-        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         """
         return pulumi.get(self, "additional_properties")
 
@@ -2035,7 +2039,7 @@ class ConditionalAccessPolicyConditionsDevicesArgs:
     def __init__(__self__, *,
                  filter: Optional[pulumi.Input['ConditionalAccessPolicyConditionsDevicesFilterArgs']] = None):
         """
-        :param pulumi.Input['ConditionalAccessPolicyConditionsDevicesFilterArgs'] filter: A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        :param pulumi.Input['ConditionalAccessPolicyConditionsDevicesFilterArgs'] filter: A `filter` block as described below.
         """
         if filter is not None:
             pulumi.set(__self__, "filter", filter)
@@ -2044,7 +2048,7 @@ def __init__(__self__, *,
     @pulumi.getter
     def filter(self) -> Optional[pulumi.Input['ConditionalAccessPolicyConditionsDevicesFilterArgs']]:
         """
-        A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        A `filter` block as described below.
         """
         return pulumi.get(self, "filter")
 
@@ -2170,29 +2174,37 @@ def excluded_platforms(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[
 class ConditionalAccessPolicyConditionsUsersArgs:
     def __init__(__self__, *,
                  excluded_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 excluded_guests_or_external_users: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs']]]] = None,
                  excluded_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  excluded_users: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  included_groups: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
+                 included_guests_or_external_users: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs']]]] = None,
                  included_roles: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                  included_users: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
         """
         :param pulumi.Input[Sequence[pulumi.Input[str]]] excluded_groups: A list of group IDs excluded from scope of policy.
+        :param pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs']]] excluded_guests_or_external_users: A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] excluded_roles: A list of role IDs excluded from scope of policy.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] excluded_users: A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] included_groups: A list of group IDs in scope of policy unless explicitly excluded.
+        :param pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs']]] included_guests_or_external_users: A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] included_roles: A list of role IDs in scope of policy unless explicitly excluded.
         :param pulumi.Input[Sequence[pulumi.Input[str]]] included_users: A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
                
-               > At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+               > At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         """
         if excluded_groups is not None:
             pulumi.set(__self__, "excluded_groups", excluded_groups)
+        if excluded_guests_or_external_users is not None:
+            pulumi.set(__self__, "excluded_guests_or_external_users", excluded_guests_or_external_users)
         if excluded_roles is not None:
             pulumi.set(__self__, "excluded_roles", excluded_roles)
         if excluded_users is not None:
             pulumi.set(__self__, "excluded_users", excluded_users)
         if included_groups is not None:
             pulumi.set(__self__, "included_groups", included_groups)
+        if included_guests_or_external_users is not None:
+            pulumi.set(__self__, "included_guests_or_external_users", included_guests_or_external_users)
         if included_roles is not None:
             pulumi.set(__self__, "included_roles", included_roles)
         if included_users is not None:
@@ -2210,6 +2222,18 @@ def excluded_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]
     def excluded_groups(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "excluded_groups", value)
 
+    @property
+    @pulumi.getter(name="excludedGuestsOrExternalUsers")
+    def excluded_guests_or_external_users(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs']]]]:
+        """
+        A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+        """
+        return pulumi.get(self, "excluded_guests_or_external_users")
+
+    @excluded_guests_or_external_users.setter
+    def excluded_guests_or_external_users(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs']]]]):
+        pulumi.set(self, "excluded_guests_or_external_users", value)
+
     @property
     @pulumi.getter(name="excludedRoles")
     def excluded_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -2246,6 +2270,18 @@ def included_groups(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]
     def included_groups(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
         pulumi.set(self, "included_groups", value)
 
+    @property
+    @pulumi.getter(name="includedGuestsOrExternalUsers")
+    def included_guests_or_external_users(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs']]]]:
+        """
+        A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+        """
+        return pulumi.get(self, "included_guests_or_external_users")
+
+    @included_guests_or_external_users.setter
+    def included_guests_or_external_users(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs']]]]):
+        pulumi.set(self, "included_guests_or_external_users", value)
+
     @property
     @pulumi.getter(name="includedRoles")
     def included_roles(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
@@ -2264,7 +2300,7 @@ def included_users(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
         """
         A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
 
-        > At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+        > At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         """
         return pulumi.get(self, "included_users")
 
@@ -2273,6 +2309,158 @@ def included_users(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]
         pulumi.set(self, "included_users", value)
 
 
+@pulumi.input_type
+class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs:
+    def __init__(__self__, *,
+                 guest_or_external_user_types: pulumi.Input[Sequence[pulumi.Input[str]]],
+                 external_tenants: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs']]]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] guest_or_external_user_types: A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        :param pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs']]] external_tenants: An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        pulumi.set(__self__, "guest_or_external_user_types", guest_or_external_user_types)
+        if external_tenants is not None:
+            pulumi.set(__self__, "external_tenants", external_tenants)
+
+    @property
+    @pulumi.getter(name="guestOrExternalUserTypes")
+    def guest_or_external_user_types(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
+        """
+        A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "guest_or_external_user_types")
+
+    @guest_or_external_user_types.setter
+    def guest_or_external_user_types(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
+        pulumi.set(self, "guest_or_external_user_types", value)
+
+    @property
+    @pulumi.getter(name="externalTenants")
+    def external_tenants(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs']]]]:
+        """
+        An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        return pulumi.get(self, "external_tenants")
+
+    @external_tenants.setter
+    def external_tenants(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs']]]]):
+        pulumi.set(self, "external_tenants", value)
+
+
+@pulumi.input_type
+class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs:
+    def __init__(__self__, *,
+                 membership_kind: pulumi.Input[str],
+                 members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[str] membership_kind: The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        pulumi.set(__self__, "membership_kind", membership_kind)
+        if members is not None:
+            pulumi.set(__self__, "members", members)
+
+    @property
+    @pulumi.getter(name="membershipKind")
+    def membership_kind(self) -> pulumi.Input[str]:
+        """
+        The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "membership_kind")
+
+    @membership_kind.setter
+    def membership_kind(self, value: pulumi.Input[str]):
+        pulumi.set(self, "membership_kind", value)
+
+    @property
+    @pulumi.getter
+    def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        return pulumi.get(self, "members")
+
+    @members.setter
+    def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "members", value)
+
+
+@pulumi.input_type
+class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs:
+    def __init__(__self__, *,
+                 guest_or_external_user_types: pulumi.Input[Sequence[pulumi.Input[str]]],
+                 external_tenants: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs']]]] = None):
+        """
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] guest_or_external_user_types: A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        :param pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs']]] external_tenants: An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        pulumi.set(__self__, "guest_or_external_user_types", guest_or_external_user_types)
+        if external_tenants is not None:
+            pulumi.set(__self__, "external_tenants", external_tenants)
+
+    @property
+    @pulumi.getter(name="guestOrExternalUserTypes")
+    def guest_or_external_user_types(self) -> pulumi.Input[Sequence[pulumi.Input[str]]]:
+        """
+        A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "guest_or_external_user_types")
+
+    @guest_or_external_user_types.setter
+    def guest_or_external_user_types(self, value: pulumi.Input[Sequence[pulumi.Input[str]]]):
+        pulumi.set(self, "guest_or_external_user_types", value)
+
+    @property
+    @pulumi.getter(name="externalTenants")
+    def external_tenants(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs']]]]:
+        """
+        An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        return pulumi.get(self, "external_tenants")
+
+    @external_tenants.setter
+    def external_tenants(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs']]]]):
+        pulumi.set(self, "external_tenants", value)
+
+
+@pulumi.input_type
+class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs:
+    def __init__(__self__, *,
+                 membership_kind: pulumi.Input[str],
+                 members: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None):
+        """
+        :param pulumi.Input[str] membership_kind: The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        :param pulumi.Input[Sequence[pulumi.Input[str]]] members: A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        pulumi.set(__self__, "membership_kind", membership_kind)
+        if members is not None:
+            pulumi.set(__self__, "members", members)
+
+    @property
+    @pulumi.getter(name="membershipKind")
+    def membership_kind(self) -> pulumi.Input[str]:
+        """
+        The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "membership_kind")
+
+    @membership_kind.setter
+    def membership_kind(self, value: pulumi.Input[str]):
+        pulumi.set(self, "membership_kind", value)
+
+    @property
+    @pulumi.getter
+    def members(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]:
+        """
+        A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        return pulumi.get(self, "members")
+
+    @members.setter
+    def members(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]):
+        pulumi.set(self, "members", value)
+
+
 @pulumi.input_type
 class ConditionalAccessPolicyGrantControlsArgs:
     def __init__(__self__, *,
@@ -2371,6 +2559,8 @@ def __init__(__self__, *,
                  disable_resilience_defaults: Optional[pulumi.Input[bool]] = None,
                  persistent_browser_mode: Optional[pulumi.Input[str]] = None,
                  sign_in_frequency: Optional[pulumi.Input[int]] = None,
+                 sign_in_frequency_authentication_type: Optional[pulumi.Input[str]] = None,
+                 sign_in_frequency_interval: Optional[pulumi.Input[str]] = None,
                  sign_in_frequency_period: Optional[pulumi.Input[str]] = None):
         """
         :param pulumi.Input[bool] application_enforced_restrictions_enabled: Whether application enforced restrictions are enabled. Defaults to `false`.
@@ -2379,8 +2569,10 @@ def __init__(__self__, *,
         :param pulumi.Input[str] cloud_app_security_policy: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
         :param pulumi.Input[bool] disable_resilience_defaults: Disables [resilience defaults](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/resilience-defaults). Defaults to `false`.
         :param pulumi.Input[str] persistent_browser_mode: Session control to define whether to persist cookies. Possible values are: `always` or `never`.
-        :param pulumi.Input[int] sign_in_frequency: Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
-        :param pulumi.Input[str] sign_in_frequency_period: The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        :param pulumi.Input[int] sign_in_frequency: Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
+        :param pulumi.Input[str] sign_in_frequency_authentication_type: Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        :param pulumi.Input[str] sign_in_frequency_interval: The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        :param pulumi.Input[str] sign_in_frequency_period: The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         """
         if application_enforced_restrictions_enabled is not None:
             pulumi.set(__self__, "application_enforced_restrictions_enabled", application_enforced_restrictions_enabled)
@@ -2392,6 +2584,10 @@ def __init__(__self__, *,
             pulumi.set(__self__, "persistent_browser_mode", persistent_browser_mode)
         if sign_in_frequency is not None:
             pulumi.set(__self__, "sign_in_frequency", sign_in_frequency)
+        if sign_in_frequency_authentication_type is not None:
+            pulumi.set(__self__, "sign_in_frequency_authentication_type", sign_in_frequency_authentication_type)
+        if sign_in_frequency_interval is not None:
+            pulumi.set(__self__, "sign_in_frequency_interval", sign_in_frequency_interval)
         if sign_in_frequency_period is not None:
             pulumi.set(__self__, "sign_in_frequency_period", sign_in_frequency_period)
 
@@ -2449,7 +2645,7 @@ def persistent_browser_mode(self, value: Optional[pulumi.Input[str]]):
     @pulumi.getter(name="signInFrequency")
     def sign_in_frequency(self) -> Optional[pulumi.Input[int]]:
         """
-        Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
         """
         return pulumi.get(self, "sign_in_frequency")
 
@@ -2457,11 +2653,35 @@ def sign_in_frequency(self) -> Optional[pulumi.Input[int]]:
     def sign_in_frequency(self, value: Optional[pulumi.Input[int]]):
         pulumi.set(self, "sign_in_frequency", value)
 
+    @property
+    @pulumi.getter(name="signInFrequencyAuthenticationType")
+    def sign_in_frequency_authentication_type(self) -> Optional[pulumi.Input[str]]:
+        """
+        Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        """
+        return pulumi.get(self, "sign_in_frequency_authentication_type")
+
+    @sign_in_frequency_authentication_type.setter
+    def sign_in_frequency_authentication_type(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sign_in_frequency_authentication_type", value)
+
+    @property
+    @pulumi.getter(name="signInFrequencyInterval")
+    def sign_in_frequency_interval(self) -> Optional[pulumi.Input[str]]:
+        """
+        The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        """
+        return pulumi.get(self, "sign_in_frequency_interval")
+
+    @sign_in_frequency_interval.setter
+    def sign_in_frequency_interval(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "sign_in_frequency_interval", value)
+
     @property
     @pulumi.getter(name="signInFrequencyPeriod")
     def sign_in_frequency_period(self) -> Optional[pulumi.Input[str]]:
         """
-        The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         """
         return pulumi.get(self, "sign_in_frequency_period")
 
diff --git a/sdk/python/pulumi_azuread/application_optional_claims.py b/sdk/python/pulumi_azuread/application_optional_claims.py
new file mode 100644
index 000000000..5baf1dcf7
--- /dev/null
+++ b/sdk/python/pulumi_azuread/application_optional_claims.py
@@ -0,0 +1,371 @@
+# coding=utf-8
+# *** WARNING: this file was generated by the Pulumi Terraform Bridge (tfgen) Tool. ***
+# *** Do not edit by hand unless you're certain you know what you are doing! ***
+
+import copy
+import warnings
+import pulumi
+import pulumi.runtime
+from typing import Any, Mapping, Optional, Sequence, Union, overload
+from . import _utilities
+from . import outputs
+from ._inputs import *
+
+__all__ = ['ApplicationOptionalClaimsInitArgs', 'ApplicationOptionalClaims']
+
+@pulumi.input_type
+class ApplicationOptionalClaimsInitArgs:
+    def __init__(__self__, *,
+                 application_id: pulumi.Input[str],
+                 access_tokens: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]]] = None,
+                 id_tokens: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]]] = None,
+                 saml2_tokens: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]]] = None):
+        """
+        The set of arguments for constructing a ApplicationOptionalClaims resource.
+        :param pulumi.Input[str] application_id: The resource ID of the application registration. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]] access_tokens: One or more `access_token` blocks as documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]] id_tokens: One or more `id_token` blocks as documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]] saml2_tokens: One or more `saml2_token` blocks as documented below.
+               
+               > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        pulumi.set(__self__, "application_id", application_id)
+        if access_tokens is not None:
+            pulumi.set(__self__, "access_tokens", access_tokens)
+        if id_tokens is not None:
+            pulumi.set(__self__, "id_tokens", id_tokens)
+        if saml2_tokens is not None:
+            pulumi.set(__self__, "saml2_tokens", saml2_tokens)
+
+    @property
+    @pulumi.getter(name="applicationId")
+    def application_id(self) -> pulumi.Input[str]:
+        """
+        The resource ID of the application registration. Changing this forces a new resource to be created.
+        """
+        return pulumi.get(self, "application_id")
+
+    @application_id.setter
+    def application_id(self, value: pulumi.Input[str]):
+        pulumi.set(self, "application_id", value)
+
+    @property
+    @pulumi.getter(name="accessTokens")
+    def access_tokens(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]]]:
+        """
+        One or more `access_token` blocks as documented below.
+        """
+        return pulumi.get(self, "access_tokens")
+
+    @access_tokens.setter
+    def access_tokens(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]]]):
+        pulumi.set(self, "access_tokens", value)
+
+    @property
+    @pulumi.getter(name="idTokens")
+    def id_tokens(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]]]:
+        """
+        One or more `id_token` blocks as documented below.
+        """
+        return pulumi.get(self, "id_tokens")
+
+    @id_tokens.setter
+    def id_tokens(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]]]):
+        pulumi.set(self, "id_tokens", value)
+
+    @property
+    @pulumi.getter(name="saml2Tokens")
+    def saml2_tokens(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]]]:
+        """
+        One or more `saml2_token` blocks as documented below.
+
+        > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        return pulumi.get(self, "saml2_tokens")
+
+    @saml2_tokens.setter
+    def saml2_tokens(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]]]):
+        pulumi.set(self, "saml2_tokens", value)
+
+
+@pulumi.input_type
+class _ApplicationOptionalClaimsState:
+    def __init__(__self__, *,
+                 access_tokens: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]]] = None,
+                 application_id: Optional[pulumi.Input[str]] = None,
+                 id_tokens: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]]] = None,
+                 saml2_tokens: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]]] = None):
+        """
+        Input properties used for looking up and filtering ApplicationOptionalClaims resources.
+        :param pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]] access_tokens: One or more `access_token` blocks as documented below.
+        :param pulumi.Input[str] application_id: The resource ID of the application registration. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]] id_tokens: One or more `id_token` blocks as documented below.
+        :param pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]] saml2_tokens: One or more `saml2_token` blocks as documented below.
+               
+               > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        if access_tokens is not None:
+            pulumi.set(__self__, "access_tokens", access_tokens)
+        if application_id is not None:
+            pulumi.set(__self__, "application_id", application_id)
+        if id_tokens is not None:
+            pulumi.set(__self__, "id_tokens", id_tokens)
+        if saml2_tokens is not None:
+            pulumi.set(__self__, "saml2_tokens", saml2_tokens)
+
+    @property
+    @pulumi.getter(name="accessTokens")
+    def access_tokens(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]]]:
+        """
+        One or more `access_token` blocks as documented below.
+        """
+        return pulumi.get(self, "access_tokens")
+
+    @access_tokens.setter
+    def access_tokens(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsAccessTokenArgs']]]]):
+        pulumi.set(self, "access_tokens", value)
+
+    @property
+    @pulumi.getter(name="applicationId")
+    def application_id(self) -> Optional[pulumi.Input[str]]:
+        """
+        The resource ID of the application registration. Changing this forces a new resource to be created.
+        """
+        return pulumi.get(self, "application_id")
+
+    @application_id.setter
+    def application_id(self, value: Optional[pulumi.Input[str]]):
+        pulumi.set(self, "application_id", value)
+
+    @property
+    @pulumi.getter(name="idTokens")
+    def id_tokens(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]]]:
+        """
+        One or more `id_token` blocks as documented below.
+        """
+        return pulumi.get(self, "id_tokens")
+
+    @id_tokens.setter
+    def id_tokens(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsIdTokenArgs']]]]):
+        pulumi.set(self, "id_tokens", value)
+
+    @property
+    @pulumi.getter(name="saml2Tokens")
+    def saml2_tokens(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]]]:
+        """
+        One or more `saml2_token` blocks as documented below.
+
+        > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        return pulumi.get(self, "saml2_tokens")
+
+    @saml2_tokens.setter
+    def saml2_tokens(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ApplicationOptionalClaimsSaml2TokenArgs']]]]):
+        pulumi.set(self, "saml2_tokens", value)
+
+
+class ApplicationOptionalClaims(pulumi.CustomResource):
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 access_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsAccessTokenArgs']]]]] = None,
+                 application_id: Optional[pulumi.Input[str]] = None,
+                 id_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsIdTokenArgs']]]]] = None,
+                 saml2_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsSaml2TokenArgs']]]]] = None,
+                 __props__=None):
+        """
+        ## Example Usage
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        example_application_registration = azuread.ApplicationRegistration("exampleApplicationRegistration", display_name="example")
+        example_application_optional_claims = azuread.ApplicationOptionalClaims("exampleApplicationOptionalClaims",
+            application_id=example_application_registration.id,
+            access_tokens=[
+                azuread.ApplicationOptionalClaimsAccessTokenArgs(
+                    name="myclaim",
+                ),
+                azuread.ApplicationOptionalClaimsAccessTokenArgs(
+                    name="otherclaim",
+                ),
+            ],
+            id_tokens=[azuread.ApplicationOptionalClaimsIdTokenArgs(
+                name="userclaim",
+                source="user",
+                essential=True,
+                additional_properties=["emit_as_roles"],
+            )],
+            saml2_tokens=[azuread.ApplicationOptionalClaimsSaml2TokenArgs(
+                name="samlexample",
+            )])
+        ```
+
+        ## Import
+
+        Application Optional Claims can be imported using the object ID of the application, in the following format.
+
+        ```sh
+         $ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000
+        ```
+
+        :param str resource_name: The name of the resource.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsAccessTokenArgs']]]] access_tokens: One or more `access_token` blocks as documented below.
+        :param pulumi.Input[str] application_id: The resource ID of the application registration. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsIdTokenArgs']]]] id_tokens: One or more `id_token` blocks as documented below.
+        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsSaml2TokenArgs']]]] saml2_tokens: One or more `saml2_token` blocks as documented below.
+               
+               > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        ...
+    @overload
+    def __init__(__self__,
+                 resource_name: str,
+                 args: ApplicationOptionalClaimsInitArgs,
+                 opts: Optional[pulumi.ResourceOptions] = None):
+        """
+        ## Example Usage
+
+        ```python
+        import pulumi
+        import pulumi_azuread as azuread
+
+        example_application_registration = azuread.ApplicationRegistration("exampleApplicationRegistration", display_name="example")
+        example_application_optional_claims = azuread.ApplicationOptionalClaims("exampleApplicationOptionalClaims",
+            application_id=example_application_registration.id,
+            access_tokens=[
+                azuread.ApplicationOptionalClaimsAccessTokenArgs(
+                    name="myclaim",
+                ),
+                azuread.ApplicationOptionalClaimsAccessTokenArgs(
+                    name="otherclaim",
+                ),
+            ],
+            id_tokens=[azuread.ApplicationOptionalClaimsIdTokenArgs(
+                name="userclaim",
+                source="user",
+                essential=True,
+                additional_properties=["emit_as_roles"],
+            )],
+            saml2_tokens=[azuread.ApplicationOptionalClaimsSaml2TokenArgs(
+                name="samlexample",
+            )])
+        ```
+
+        ## Import
+
+        Application Optional Claims can be imported using the object ID of the application, in the following format.
+
+        ```sh
+         $ pulumi import azuread:index/applicationOptionalClaims:ApplicationOptionalClaims example /applications/00000000-0000-0000-0000-000000000000
+        ```
+
+        :param str resource_name: The name of the resource.
+        :param ApplicationOptionalClaimsInitArgs args: The arguments to use to populate this resource's properties.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        """
+        ...
+    def __init__(__self__, resource_name: str, *args, **kwargs):
+        resource_args, opts = _utilities.get_resource_args_opts(ApplicationOptionalClaimsInitArgs, pulumi.ResourceOptions, *args, **kwargs)
+        if resource_args is not None:
+            __self__._internal_init(resource_name, opts, **resource_args.__dict__)
+        else:
+            __self__._internal_init(resource_name, *args, **kwargs)
+
+    def _internal_init(__self__,
+                 resource_name: str,
+                 opts: Optional[pulumi.ResourceOptions] = None,
+                 access_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsAccessTokenArgs']]]]] = None,
+                 application_id: Optional[pulumi.Input[str]] = None,
+                 id_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsIdTokenArgs']]]]] = None,
+                 saml2_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsSaml2TokenArgs']]]]] = None,
+                 __props__=None):
+        opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
+        if not isinstance(opts, pulumi.ResourceOptions):
+            raise TypeError('Expected resource options to be a ResourceOptions instance')
+        if opts.id is None:
+            if __props__ is not None:
+                raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource')
+            __props__ = ApplicationOptionalClaimsInitArgs.__new__(ApplicationOptionalClaimsInitArgs)
+
+            __props__.__dict__["access_tokens"] = access_tokens
+            if application_id is None and not opts.urn:
+                raise TypeError("Missing required property 'application_id'")
+            __props__.__dict__["application_id"] = application_id
+            __props__.__dict__["id_tokens"] = id_tokens
+            __props__.__dict__["saml2_tokens"] = saml2_tokens
+        super(ApplicationOptionalClaims, __self__).__init__(
+            'azuread:index/applicationOptionalClaims:ApplicationOptionalClaims',
+            resource_name,
+            __props__,
+            opts)
+
+    @staticmethod
+    def get(resource_name: str,
+            id: pulumi.Input[str],
+            opts: Optional[pulumi.ResourceOptions] = None,
+            access_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsAccessTokenArgs']]]]] = None,
+            application_id: Optional[pulumi.Input[str]] = None,
+            id_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsIdTokenArgs']]]]] = None,
+            saml2_tokens: Optional[pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsSaml2TokenArgs']]]]] = None) -> 'ApplicationOptionalClaims':
+        """
+        Get an existing ApplicationOptionalClaims resource's state with the given name, id, and optional extra
+        properties used to qualify the lookup.
+
+        :param str resource_name: The unique name of the resulting resource.
+        :param pulumi.Input[str] id: The unique provider ID of the resource to lookup.
+        :param pulumi.ResourceOptions opts: Options for the resource.
+        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsAccessTokenArgs']]]] access_tokens: One or more `access_token` blocks as documented below.
+        :param pulumi.Input[str] application_id: The resource ID of the application registration. Changing this forces a new resource to be created.
+        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsIdTokenArgs']]]] id_tokens: One or more `id_token` blocks as documented below.
+        :param pulumi.Input[Sequence[pulumi.Input[pulumi.InputType['ApplicationOptionalClaimsSaml2TokenArgs']]]] saml2_tokens: One or more `saml2_token` blocks as documented below.
+               
+               > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id))
+
+        __props__ = _ApplicationOptionalClaimsState.__new__(_ApplicationOptionalClaimsState)
+
+        __props__.__dict__["access_tokens"] = access_tokens
+        __props__.__dict__["application_id"] = application_id
+        __props__.__dict__["id_tokens"] = id_tokens
+        __props__.__dict__["saml2_tokens"] = saml2_tokens
+        return ApplicationOptionalClaims(resource_name, opts=opts, __props__=__props__)
+
+    @property
+    @pulumi.getter(name="accessTokens")
+    def access_tokens(self) -> pulumi.Output[Optional[Sequence['outputs.ApplicationOptionalClaimsAccessToken']]]:
+        """
+        One or more `access_token` blocks as documented below.
+        """
+        return pulumi.get(self, "access_tokens")
+
+    @property
+    @pulumi.getter(name="applicationId")
+    def application_id(self) -> pulumi.Output[str]:
+        """
+        The resource ID of the application registration. Changing this forces a new resource to be created.
+        """
+        return pulumi.get(self, "application_id")
+
+    @property
+    @pulumi.getter(name="idTokens")
+    def id_tokens(self) -> pulumi.Output[Optional[Sequence['outputs.ApplicationOptionalClaimsIdToken']]]:
+        """
+        One or more `id_token` blocks as documented below.
+        """
+        return pulumi.get(self, "id_tokens")
+
+    @property
+    @pulumi.getter(name="saml2Tokens")
+    def saml2_tokens(self) -> pulumi.Output[Optional[Sequence['outputs.ApplicationOptionalClaimsSaml2Token']]]:
+        """
+        One or more `saml2_token` blocks as documented below.
+
+        > At least one of `access_token`, `id_token` or `saml2_token` must be specified
+        """
+        return pulumi.get(self, "saml2_tokens")
+
diff --git a/sdk/python/pulumi_azuread/get_application_published_app_ids.py b/sdk/python/pulumi_azuread/get_application_published_app_ids.py
index 272a84132..297183198 100644
--- a/sdk/python/pulumi_azuread/get_application_published_app_ids.py
+++ b/sdk/python/pulumi_azuread/get_application_published_app_ids.py
@@ -84,7 +84,7 @@ def get_application_published_app_ids(opts: Optional[pulumi.InvokeOptions] = Non
 
     well_known = azuread.get_application_published_app_ids()
     msgraph = azuread.ServicePrincipal("msgraph",
-        application_id=well_known.result["MicrosoftGraph"],
+        client_id=well_known.result["MicrosoftGraph"],
         use_existing=True)
     example = azuread.Application("example",
         display_name="example",
@@ -141,7 +141,7 @@ def get_application_published_app_ids_output(opts: Optional[pulumi.InvokeOptions
 
     well_known = azuread.get_application_published_app_ids()
     msgraph = azuread.ServicePrincipal("msgraph",
-        application_id=well_known.result["MicrosoftGraph"],
+        client_id=well_known.result["MicrosoftGraph"],
         use_existing=True)
     example = azuread.Application("example",
         display_name="example",
diff --git a/sdk/python/pulumi_azuread/outputs.py b/sdk/python/pulumi_azuread/outputs.py
index 29e57b098..e63f44993 100644
--- a/sdk/python/pulumi_azuread/outputs.py
+++ b/sdk/python/pulumi_azuread/outputs.py
@@ -47,6 +47,10 @@
     'ConditionalAccessPolicyConditionsLocations',
     'ConditionalAccessPolicyConditionsPlatforms',
     'ConditionalAccessPolicyConditionsUsers',
+    'ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser',
+    'ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant',
+    'ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser',
+    'ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant',
     'ConditionalAccessPolicyGrantControls',
     'ConditionalAccessPolicySessionControls',
     'CustomDirectoryRolePermission',
@@ -1458,7 +1462,7 @@ def __init__(__self__, *,
                  source: Optional[str] = None):
         """
         :param str name: The name of the optional claim.
-        :param Sequence[str] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        :param Sequence[str] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         :param bool essential: Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
         :param str source: The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
         """
@@ -1482,7 +1486,7 @@ def name(self) -> str:
     @pulumi.getter(name="additionalProperties")
     def additional_properties(self) -> Optional[Sequence[str]]:
         """
-        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         """
         return pulumi.get(self, "additional_properties")
 
@@ -1529,7 +1533,7 @@ def __init__(__self__, *,
                  source: Optional[str] = None):
         """
         :param str name: The name of the optional claim.
-        :param Sequence[str] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        :param Sequence[str] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         :param bool essential: Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
         :param str source: The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
         """
@@ -1553,7 +1557,7 @@ def name(self) -> str:
     @pulumi.getter(name="additionalProperties")
     def additional_properties(self) -> Optional[Sequence[str]]:
         """
-        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         """
         return pulumi.get(self, "additional_properties")
 
@@ -1600,7 +1604,7 @@ def __init__(__self__, *,
                  source: Optional[str] = None):
         """
         :param str name: The name of the optional claim.
-        :param Sequence[str] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        :param Sequence[str] additional_properties: List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         :param bool essential: Whether the claim specified by the client is necessary to ensure a smooth authorization experience.
         :param str source: The source of the claim. If `source` is absent, the claim is a predefined optional claim. If `source` is `user`, the value of `name` is the extension property from the user object.
         """
@@ -1624,7 +1628,7 @@ def name(self) -> str:
     @pulumi.getter(name="additionalProperties")
     def additional_properties(self) -> Optional[Sequence[str]]:
         """
-        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim.
+        List of additional properties of the claim. If a property exists in this list, it modifies the behaviour of the optional claim. Possible values are: `cloud_displayname`, `dns_domain_and_sam_account_name`, `emit_as_roles`, `include_externally_authenticated_upn_without_hash`, `include_externally_authenticated_upn`, `max_size_limit`, `netbios_domain_and_sam_account_name`, `on_premise_security_identifier`, `sam_account_name`, and `use_guid`.
         """
         return pulumi.get(self, "additional_properties")
 
@@ -2194,7 +2198,7 @@ class ConditionalAccessPolicyConditionsDevices(dict):
     def __init__(__self__, *,
                  filter: Optional['outputs.ConditionalAccessPolicyConditionsDevicesFilter'] = None):
         """
-        :param 'ConditionalAccessPolicyConditionsDevicesFilterArgs' filter: A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        :param 'ConditionalAccessPolicyConditionsDevicesFilterArgs' filter: A `filter` block as described below.
         """
         if filter is not None:
             pulumi.set(__self__, "filter", filter)
@@ -2203,7 +2207,7 @@ def __init__(__self__, *,
     @pulumi.getter
     def filter(self) -> Optional['outputs.ConditionalAccessPolicyConditionsDevicesFilter']:
         """
-        A `filter` block as described below. A `filter` block can be added to an existing policy, but removing the `filter` block forces a new resource to be created.
+        A `filter` block as described below.
         """
         return pulumi.get(self, "filter")
 
@@ -2342,12 +2346,16 @@ def __key_warning(key: str):
         suggest = None
         if key == "excludedGroups":
             suggest = "excluded_groups"
+        elif key == "excludedGuestsOrExternalUsers":
+            suggest = "excluded_guests_or_external_users"
         elif key == "excludedRoles":
             suggest = "excluded_roles"
         elif key == "excludedUsers":
             suggest = "excluded_users"
         elif key == "includedGroups":
             suggest = "included_groups"
+        elif key == "includedGuestsOrExternalUsers":
+            suggest = "included_guests_or_external_users"
         elif key == "includedRoles":
             suggest = "included_roles"
         elif key == "includedUsers":
@@ -2366,29 +2374,37 @@ def get(self, key: str, default = None) -> Any:
 
     def __init__(__self__, *,
                  excluded_groups: Optional[Sequence[str]] = None,
+                 excluded_guests_or_external_users: Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser']] = None,
                  excluded_roles: Optional[Sequence[str]] = None,
                  excluded_users: Optional[Sequence[str]] = None,
                  included_groups: Optional[Sequence[str]] = None,
+                 included_guests_or_external_users: Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser']] = None,
                  included_roles: Optional[Sequence[str]] = None,
                  included_users: Optional[Sequence[str]] = None):
         """
         :param Sequence[str] excluded_groups: A list of group IDs excluded from scope of policy.
+        :param Sequence['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserArgs'] excluded_guests_or_external_users: A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
         :param Sequence[str] excluded_roles: A list of role IDs excluded from scope of policy.
         :param Sequence[str] excluded_users: A list of user IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
         :param Sequence[str] included_groups: A list of group IDs in scope of policy unless explicitly excluded.
+        :param Sequence['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserArgs'] included_guests_or_external_users: A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
         :param Sequence[str] included_roles: A list of role IDs in scope of policy unless explicitly excluded.
         :param Sequence[str] included_users: A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
                
-               > At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+               > At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         """
         if excluded_groups is not None:
             pulumi.set(__self__, "excluded_groups", excluded_groups)
+        if excluded_guests_or_external_users is not None:
+            pulumi.set(__self__, "excluded_guests_or_external_users", excluded_guests_or_external_users)
         if excluded_roles is not None:
             pulumi.set(__self__, "excluded_roles", excluded_roles)
         if excluded_users is not None:
             pulumi.set(__self__, "excluded_users", excluded_users)
         if included_groups is not None:
             pulumi.set(__self__, "included_groups", included_groups)
+        if included_guests_or_external_users is not None:
+            pulumi.set(__self__, "included_guests_or_external_users", included_guests_or_external_users)
         if included_roles is not None:
             pulumi.set(__self__, "included_roles", included_roles)
         if included_users is not None:
@@ -2402,6 +2418,14 @@ def excluded_groups(self) -> Optional[Sequence[str]]:
         """
         return pulumi.get(self, "excluded_groups")
 
+    @property
+    @pulumi.getter(name="excludedGuestsOrExternalUsers")
+    def excluded_guests_or_external_users(self) -> Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser']]:
+        """
+        A `guests_or_external_users` block as documented below, which specifies internal guests and external users excluded from scope of policy.
+        """
+        return pulumi.get(self, "excluded_guests_or_external_users")
+
     @property
     @pulumi.getter(name="excludedRoles")
     def excluded_roles(self) -> Optional[Sequence[str]]:
@@ -2426,6 +2450,14 @@ def included_groups(self) -> Optional[Sequence[str]]:
         """
         return pulumi.get(self, "included_groups")
 
+    @property
+    @pulumi.getter(name="includedGuestsOrExternalUsers")
+    def included_guests_or_external_users(self) -> Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser']]:
+        """
+        A `guests_or_external_users` block as documented below, which specifies internal guests and external users in scope of policy.
+        """
+        return pulumi.get(self, "included_guests_or_external_users")
+
     @property
     @pulumi.getter(name="includedRoles")
     def included_roles(self) -> Optional[Sequence[str]]:
@@ -2440,11 +2472,203 @@ def included_users(self) -> Optional[Sequence[str]]:
         """
         A list of user IDs in scope of policy unless explicitly excluded, or `None` or `All` or `GuestsOrExternalUsers`.
 
-        > At least one of `included_groups`, `included_roles` or `included_users` must be specified.
+        > At least one of `included_groups`, `included_guests_or_external_users`, `included_roles` or `included_users` must be specified.
         """
         return pulumi.get(self, "included_users")
 
 
+@pulumi.output_type
+class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "guestOrExternalUserTypes":
+            suggest = "guest_or_external_user_types"
+        elif key == "externalTenants":
+            suggest = "external_tenants"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUser.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 guest_or_external_user_types: Sequence[str],
+                 external_tenants: Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant']] = None):
+        """
+        :param Sequence[str] guest_or_external_user_types: A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        :param Sequence['ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenantArgs'] external_tenants: An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        pulumi.set(__self__, "guest_or_external_user_types", guest_or_external_user_types)
+        if external_tenants is not None:
+            pulumi.set(__self__, "external_tenants", external_tenants)
+
+    @property
+    @pulumi.getter(name="guestOrExternalUserTypes")
+    def guest_or_external_user_types(self) -> Sequence[str]:
+        """
+        A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "guest_or_external_user_types")
+
+    @property
+    @pulumi.getter(name="externalTenants")
+    def external_tenants(self) -> Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant']]:
+        """
+        An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        return pulumi.get(self, "external_tenants")
+
+
+@pulumi.output_type
+class ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "membershipKind":
+            suggest = "membership_kind"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        ConditionalAccessPolicyConditionsUsersExcludedGuestsOrExternalUserExternalTenant.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 membership_kind: str,
+                 members: Optional[Sequence[str]] = None):
+        """
+        :param str membership_kind: The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        :param Sequence[str] members: A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        pulumi.set(__self__, "membership_kind", membership_kind)
+        if members is not None:
+            pulumi.set(__self__, "members", members)
+
+    @property
+    @pulumi.getter(name="membershipKind")
+    def membership_kind(self) -> str:
+        """
+        The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "membership_kind")
+
+    @property
+    @pulumi.getter
+    def members(self) -> Optional[Sequence[str]]:
+        """
+        A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        return pulumi.get(self, "members")
+
+
+@pulumi.output_type
+class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "guestOrExternalUserTypes":
+            suggest = "guest_or_external_user_types"
+        elif key == "externalTenants":
+            suggest = "external_tenants"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUser.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 guest_or_external_user_types: Sequence[str],
+                 external_tenants: Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant']] = None):
+        """
+        :param Sequence[str] guest_or_external_user_types: A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        :param Sequence['ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenantArgs'] external_tenants: An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        pulumi.set(__self__, "guest_or_external_user_types", guest_or_external_user_types)
+        if external_tenants is not None:
+            pulumi.set(__self__, "external_tenants", external_tenants)
+
+    @property
+    @pulumi.getter(name="guestOrExternalUserTypes")
+    def guest_or_external_user_types(self) -> Sequence[str]:
+        """
+        A list of guest or external user types. Possible values are: `b2bCollaborationGuest`, `b2bCollaborationMember`, `b2bDirectConnectUser`, `internalGuest`, `none`, `otherExternalUser`, `serviceProvider`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "guest_or_external_user_types")
+
+    @property
+    @pulumi.getter(name="externalTenants")
+    def external_tenants(self) -> Optional[Sequence['outputs.ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant']]:
+        """
+        An `external_tenants` block as documented below, which specifies external tenants in a policy scope.
+        """
+        return pulumi.get(self, "external_tenants")
+
+
+@pulumi.output_type
+class ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant(dict):
+    @staticmethod
+    def __key_warning(key: str):
+        suggest = None
+        if key == "membershipKind":
+            suggest = "membership_kind"
+
+        if suggest:
+            pulumi.log.warn(f"Key '{key}' not found in ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant. Access the value via the '{suggest}' property getter instead.")
+
+    def __getitem__(self, key: str) -> Any:
+        ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.__key_warning(key)
+        return super().__getitem__(key)
+
+    def get(self, key: str, default = None) -> Any:
+        ConditionalAccessPolicyConditionsUsersIncludedGuestsOrExternalUserExternalTenant.__key_warning(key)
+        return super().get(key, default)
+
+    def __init__(__self__, *,
+                 membership_kind: str,
+                 members: Optional[Sequence[str]] = None):
+        """
+        :param str membership_kind: The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        :param Sequence[str] members: A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        pulumi.set(__self__, "membership_kind", membership_kind)
+        if members is not None:
+            pulumi.set(__self__, "members", members)
+
+    @property
+    @pulumi.getter(name="membershipKind")
+    def membership_kind(self) -> str:
+        """
+        The external tenant membership kind. Possible values are: `all`, `enumerated`, `unknownFutureValue`.
+        """
+        return pulumi.get(self, "membership_kind")
+
+    @property
+    @pulumi.getter
+    def members(self) -> Optional[Sequence[str]]:
+        """
+        A list tenant IDs. Can only be specified if `membership_kind` is `enumerated`.
+        """
+        return pulumi.get(self, "members")
+
+
 @pulumi.output_type
 class ConditionalAccessPolicyGrantControls(dict):
     @staticmethod
@@ -2553,6 +2777,10 @@ def __key_warning(key: str):
             suggest = "persistent_browser_mode"
         elif key == "signInFrequency":
             suggest = "sign_in_frequency"
+        elif key == "signInFrequencyAuthenticationType":
+            suggest = "sign_in_frequency_authentication_type"
+        elif key == "signInFrequencyInterval":
+            suggest = "sign_in_frequency_interval"
         elif key == "signInFrequencyPeriod":
             suggest = "sign_in_frequency_period"
 
@@ -2573,6 +2801,8 @@ def __init__(__self__, *,
                  disable_resilience_defaults: Optional[bool] = None,
                  persistent_browser_mode: Optional[str] = None,
                  sign_in_frequency: Optional[int] = None,
+                 sign_in_frequency_authentication_type: Optional[str] = None,
+                 sign_in_frequency_interval: Optional[str] = None,
                  sign_in_frequency_period: Optional[str] = None):
         """
         :param bool application_enforced_restrictions_enabled: Whether application enforced restrictions are enabled. Defaults to `false`.
@@ -2581,8 +2811,10 @@ def __init__(__self__, *,
         :param str cloud_app_security_policy: Enables cloud app security and specifies the cloud app security policy to use. Possible values are: `blockDownloads`, `mcasConfigured`, `monitorOnly` or `unknownFutureValue`.
         :param bool disable_resilience_defaults: Disables [resilience defaults](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/resilience-defaults). Defaults to `false`.
         :param str persistent_browser_mode: Session control to define whether to persist cookies. Possible values are: `always` or `never`.
-        :param int sign_in_frequency: Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
-        :param str sign_in_frequency_period: The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        :param int sign_in_frequency: Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
+        :param str sign_in_frequency_authentication_type: Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        :param str sign_in_frequency_interval: The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        :param str sign_in_frequency_period: The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         """
         if application_enforced_restrictions_enabled is not None:
             pulumi.set(__self__, "application_enforced_restrictions_enabled", application_enforced_restrictions_enabled)
@@ -2594,6 +2826,10 @@ def __init__(__self__, *,
             pulumi.set(__self__, "persistent_browser_mode", persistent_browser_mode)
         if sign_in_frequency is not None:
             pulumi.set(__self__, "sign_in_frequency", sign_in_frequency)
+        if sign_in_frequency_authentication_type is not None:
+            pulumi.set(__self__, "sign_in_frequency_authentication_type", sign_in_frequency_authentication_type)
+        if sign_in_frequency_interval is not None:
+            pulumi.set(__self__, "sign_in_frequency_interval", sign_in_frequency_interval)
         if sign_in_frequency_period is not None:
             pulumi.set(__self__, "sign_in_frequency_period", sign_in_frequency_period)
 
@@ -2635,15 +2871,31 @@ def persistent_browser_mode(self) -> Optional[str]:
     @pulumi.getter(name="signInFrequency")
     def sign_in_frequency(self) -> Optional[int]:
         """
-        Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        Number of days or hours to enforce sign-in frequency. Required when `sign_in_frequency_period` is specified.
         """
         return pulumi.get(self, "sign_in_frequency")
 
+    @property
+    @pulumi.getter(name="signInFrequencyAuthenticationType")
+    def sign_in_frequency_authentication_type(self) -> Optional[str]:
+        """
+        Authentication type for enforcing sign-in frequency. Possible values are: `primaryAndSecondaryAuthentication` or `secondaryAuthentication`. Defaults to `primaryAndSecondaryAuthentication`.
+        """
+        return pulumi.get(self, "sign_in_frequency_authentication_type")
+
+    @property
+    @pulumi.getter(name="signInFrequencyInterval")
+    def sign_in_frequency_interval(self) -> Optional[str]:
+        """
+        The interval to apply to sign-in frequency control. Possible values are: `timeBased` or `everyTime`. Defaults to `timeBased`.
+        """
+        return pulumi.get(self, "sign_in_frequency_interval")
+
     @property
     @pulumi.getter(name="signInFrequencyPeriod")
     def sign_in_frequency_period(self) -> Optional[str]:
         """
-        The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified. Due to an API issue, removing this property forces a new resource to be created.
+        The time period to enforce sign-in frequency. Possible values are: `hours` or `days`. Required when `sign_in_frequency_period` is specified.
         """
         return pulumi.get(self, "sign_in_frequency_period")
 
diff --git a/sdk/python/pulumi_azuread/service_principal.py b/sdk/python/pulumi_azuread/service_principal.py
index 12fd78f5c..d2a4d9596 100644
--- a/sdk/python/pulumi_azuread/service_principal.py
+++ b/sdk/python/pulumi_azuread/service_principal.py
@@ -841,7 +841,7 @@ def __init__(__self__,
             display_name="example",
             owners=[current.object_id])
         example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
-            application_id=example_application.application_id,
+            client_id=example_application.client_id,
             app_role_assignment_required=False,
             owners=[current.object_id])
         ```
@@ -857,7 +857,7 @@ def __init__(__self__,
             display_name="example",
             owners=[current.object_id])
         example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
-            application_id=example_application.application_id,
+            client_id=example_application.client_id,
             app_role_assignment_required=False,
             owners=[current.object_id],
             feature_tags=[azuread.ServicePrincipalFeatureTagArgs(
@@ -874,7 +874,7 @@ def __init__(__self__,
 
         well_known = azuread.get_application_published_app_ids()
         msgraph = azuread.ServicePrincipal("msgraph",
-            application_id=well_known.result["MicrosoftGraph"],
+            client_id=well_known.result["MicrosoftGraph"],
             use_existing=True)
         ```
 
@@ -889,7 +889,7 @@ def __init__(__self__,
             display_name="example",
             template_id=example_application_template.template_id)
         example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
-            application_id=example_application.application_id,
+            client_id=example_application.client_id,
             use_existing=True)
         ```
 
@@ -944,7 +944,7 @@ def __init__(__self__,
             display_name="example",
             owners=[current.object_id])
         example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
-            application_id=example_application.application_id,
+            client_id=example_application.client_id,
             app_role_assignment_required=False,
             owners=[current.object_id])
         ```
@@ -960,7 +960,7 @@ def __init__(__self__,
             display_name="example",
             owners=[current.object_id])
         example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
-            application_id=example_application.application_id,
+            client_id=example_application.client_id,
             app_role_assignment_required=False,
             owners=[current.object_id],
             feature_tags=[azuread.ServicePrincipalFeatureTagArgs(
@@ -977,7 +977,7 @@ def __init__(__self__,
 
         well_known = azuread.get_application_published_app_ids()
         msgraph = azuread.ServicePrincipal("msgraph",
-            application_id=well_known.result["MicrosoftGraph"],
+            client_id=well_known.result["MicrosoftGraph"],
             use_existing=True)
         ```
 
@@ -992,7 +992,7 @@ def __init__(__self__,
             display_name="example",
             template_id=example_application_template.template_id)
         example_service_principal = azuread.ServicePrincipal("exampleServicePrincipal",
-            application_id=example_application.application_id,
+            client_id=example_application.client_id,
             use_existing=True)
         ```