NetworkAccessPolicy.ReadWrite.All

Allows the app to read and write your organization's security and routing network access policies on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the NetworkAccessPolicy.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	f0c341be-8348-4989-8e43-660324294538	b1fbad0f-ef6e-42ed-8676-bca7fa3e7291
DisplayText	Read and write all security and routing policies for network access	Read and write security and routing policies for network access
Description	Allows the app to read and write your organization's network access policies, without a signed-in user.	Allows the app to read and write your organization's security and routing network access policies on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /networkaccess/filteringPolicies/{filteringPoliciesId}
	GET /filteringProfiles/{filteringProfileId}/policies
	GET /networkAccess/connectivity/branches/{branchSiteId}/forwardingProfiles
	GET /networkaccess/filteringPolicies/{filteringPoliciesId}
	GET /networkAccess/filteringPolicies/{filteringPolicyId}
	GET /networkaccess/filteringPolicies/{filteringPolicyId}?$expand=policyRules
	GET /networkAccess/filteringProfiles/{filteringProfileId}/policies/{policyLinkId}/policy
	GET /networkAccess/filteringProfiles/{filteringProfileId}/policies/{tlsPolicyLinkId}
	GET /networkAccess/forwardingProfiles/{forwardingProfileId}/policies/
	GET /networkAccess/reports/entitiesSummaries(startDateTime={startDateTime},endDateTime={endDateTime})
	GET /networkAccess/reports/getCloudApplicationReport(startDateTime={startDateTime},endDateTime={endDateTime})
	GET /networkAccess/reports/getCrossTenantSummary(startDateTime={startDateTime},endDateTime={endDateTime},discoveryPivotDateTime={discoveryPivotDateTime})
	GET /networkAccess/reports/getDestinationSummaries(startDateTime={startDateTime},endDateTime={endDateTime},aggregatedBy={aggregatedBy})
	GET /networkAccess/reports/getDeviceUsageSummary(startDateTime={startDateTime},endDateTime={endDateTime},activityPivotDateTime={activityPivotDateTime})
	GET /networkAccess/reports/transactionSummaries(startDateTime={startDateTime},endDateTime={endDateTime})
	GET /networkAccess/settings/forwardingOptions
	GET /networkAccess/tenantStatus
	GET /networkAccessRoot/reports/crossTenantAccessReport(startDateTime={startDateTime}, endDateTime={endDateTime})
	GET /networkAccessRoot/reports/destinationReport(startDateTime={startDateTime}, endDateTime={endDateTime})
	GET /networkAccessRoot/reports/deviceReport(startDateTime={startDateTime}, endDateTime={endDateTime})
	GET /networkAccessRoot/reports/userReport(startDateTime={startDateTime},endDateTime={endDateTime})
	GET /networkAccessRoot/reports/webCategoryReport(startDateTime={startDateTime},endDateTime={endDateTime})
	PATCH /networkAccess/settings/forwardingOptions
	PATCH networkAccess/filteringProfiles({filteringProfile_id})/policies({Policy_link_id})
	POST /networkAccess/connectivity/branches/{branchSiteId}/forwardingProfiles
	POST /networkAccess/forwardingPolicies/{id}/updatePolicyRules

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaNetworkAccessConnectivityBranchForwardingProfile
	Get-MgBetaNetworkAccessFilteringPolicy
	Get-MgBetaNetworkAccessFilteringProfilePolicy
	Get-MgBetaNetworkAccessForwardingProfilePolicy
	Get-MgBetaNetworkAccessReportCrossTenantSummary
	Get-MgBetaNetworkAccessReportDeviceUsageSummary
	Get-MgBetaNetworkAccessSettingForwardingOption
	Get-MgBetaNetworkAccessTenantStatus
	Invoke-MgBetaEntityNetworkAccessReportSummary
	Invoke-MgBetaTransactionNetworkAccessReportSummary
	New-MgBetaNetworkAccessConnectivityBranchForwardingProfile
	Remove-MgBetaNetworkAccessFilteringPolicy
	Update-MgBetaNetworkAccessFilteringProfilePolicy
	Update-MgBetaNetworkAccessSettingForwardingOption

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: association

Graph reference: cloudApplicationReport

Property	Type	Description
category	microsoft.graph.networkaccess.cloudApplicationCategory	The category of the SaaS application. The possible values are: `hostingServices`, `itServices`, `accountingAndFinance`, `businessManagement`, `productivity`, `eCommerce`, `education`, `marketing`, `humanResourceManagement`, `health`, `security`, `generativeAi`, `newsAndEntertainment`, `operationsManagement`, `contentManagement`, `developmentTools`, `collaboration`, `crm`, `communications`, `dataAnalytics`, `advertising`, `supplyChainAndLogistics`, `projectManagement`, `transportationAndTravel`, `cloudComputingPlatform`, `businessIntelligence`, `cloudStorage`, `propertyManagement`, `contentSharing`, `customerSupport`, `sales`, `productDesign`, `socialNetwork`, `onlineMeetings`, `webmail`, `internetOfThings`, `forums`, `webAnalytics`, `websiteMonitoring`, `vendorManagementSystem`, `personalInstantMessaging`, `codeHosting`, `unknownFutureValue`.
cloudApplicationCatalogId	String	The ID of the application in the SaaS application catalog.
complianceScore	Int32	The compliance score of the application.
deviceCount	Int32	Number of devices under this application.
firstAccessDateTime	DateTimeOffset	Timestamp of the first access to the application.
generalScore	Int32	The general score of the application.
lastAccessDateTime	DateTimeOffset	Timestamp of the last access to the application.
legalScore	Int32	The legal score of the application.
name	String	The name of the application (e.g., ChatGPT, Salesforce, Bing).
riskScore	Int32	The risk score of the application.
securityScore	Int32	The security score of the application.
totalBytesReceived	Int64	Total bytes received from the application.
totalBytesSent	Int64	Total bytes sent to the application.
trafficType	microsoft.graph.networkaccess.trafficType	The type of traffic. The possible values are: `internet`, `private`, `microsoft365`, `all`, `unknownFutureValue`.
transactionCount	Int32	Number of transactions under this application.
userCount	Int32	Number of users under this application.

Graph reference: conditionalAccessSettings

Property	Type	Description
id	String	Identifier. Inherited from microsoft.graph.entity.
signalingStatus	microsoft.graph.networkaccess.status	When SignalingStatus is enabled, the Conditional Access policy includes zero trust network access information. The possible values are: `enabled`, `disabled`.

Graph reference: crossTenantAccess

Property	Type	Description
deviceCount	Int64	The number of devices that accessed the external tenant.
lastAccessDateTime	DateTimeOffset	The timestamp of the most recent access to the external tenant.
resourceTenantId	String	The tenant ID of the external tenant.
resourceTenantName	String	The name of the external tenant.
resourceTenantPrimaryDomain	String	The domain of the external tenant.
usageStatus	microsoft.graph.networkaccess.usageStatus	The usage status of cross-tenant access. The possible values are `frequentlyUsed`, `rarelyUsed`, and `unknownFutureValue`.
userCount	Int64	The number of users that accessed the external tenant.

Graph reference: crossTenantSummary

Property	Type	Description
authTransactionCount	Int32	The total number of authentication sessions between startDateTime and endDateTime.
deviceCount	Int32	The number of unique devices that performed cross-tenant access.
newTenantCount	Int32	The number of unique tenants that were accessed between endDateTime and discoveryPivotDateTime, but weren't accessed between discoveryPivotDateTime and startDateTime.
rarelyUsedTenantCount	Int32	The number of tenants that are rarely used.
tenantCount	Int32	The number of unique tenants that were accessed, not including the device's tenant.
userCount	Int32	The number of unique users that performed cross-tenant access.

Graph reference: destination

Property	Type	Description
deviceCount	Int32	The number of unique devices that were seen.
fqdn	String	The fully qualified domain name (FQDN) of the destination.
ip	String	The internet protocol (IP) used to access the destination.
lastAccessDateTime	DateTimeOffset	The most recent access DateTime.
networkingProtocol	microsoft.graph.networkaccess.networkingProtocol	The set of communication rules and conventions that govern data transmission between devices in a network. The possible values are: `ip`, `icmp`, `igmp`, `ggp`, `ipv4`, `tcp`, `pup`, `udp`, `idp`, `ipv6`, `ipv6RoutingHeader`, `ipv6FragmentHeader`, `ipSecEncapsulatingSecurityPayload`, `ipSecAuthenticationHeader`, `icmpV6`, `ipv6NoNextHeader`, `ipv6DestinationOptions`, `nd`, `raw`, `ipx`, `spx`, and `spxII`.
port	Int32	The numeric identifier that is associated with a specific endpoint in a network.
trafficType	microsoft.graph.networkaccess.trafficType	The traffic classification. The possible values are `internet`, `private`, `microsoft365`, and `all`.
transactionCount	Int32	The number of transactions.
userCount	Int32	The number of unique Microsoft Entra ID users that were seen.

Graph reference: destinationSummary

Property	Type	Description
count	Int32	The number of the destinationSummary objects, aggregated by Global Secure Access service.
destination	String	The IP address or FQDN of the destination.
trafficType	microsoft.graph.networkaccess.trafficType	The traffic classification. The allowed values are `internet`, `private`, `microsoft365`, `all`, and `unknownFutureValue`.

Graph reference: device

Property	Type	Description
deviceId	String	A unique device ID.
displayName	String	The display name for the device.
isCompliant	Boolean	A value that indicates whether or not the device is compliant.
lastAccessDateTime	DateTimeOffset	The most recent access time for the device.
operatingSystem	String	The operating system on the device.
trafficType	microsoft.graph.networkaccess.trafficType	The traffic classification. The possible values are: `internet`, `private`, `microsoft365`, or `all`.

Graph reference: deviceUsageSummary

Property	Type	Description
activeDeviceCount	Int32	The number of distinct device IDs between the discovery pivot time and the end of the reporting period.
inactiveDeviceCount	Int32	The discovery pivot time and the end of the reporting period, but were seen between the start of the reporting period and the discovery pivot time.
totalDeviceCount	Int32	The total number of distinct device IDs that were seen during the reporting period.

Graph reference: entitiesSummary

Property	Type	Description
deviceCount	Int64	The number of devices in the summary. Required.
trafficType	microsoft.graph.networkaccess.trafficType	The type of network traffic summarized. Required. The possible values are: `internet`, `private`, `microsoft365`, `all`, `unknownFutureValue`.
userCount	Int64	The number of users in the summary. Required.
workloadCount	Int64	The number of workloads in the summary. Required.

Graph reference: filteringPolicy

Property	Type	Description
createdDateTime	DateTimeOffset	The date and time when the filtering Policy was originally created.
description	String	A description of the filtering policy. Inherited from microsoft.graph.networkaccess.policy.
id	String	The identifier for the filtering policy. Inherited from microsoft.graph.entity.
lastModifiedDateTime	DateTimeOffset	The date and time when a particular profile was last modified or updated.
name	String	The display name for the filtering policy. Inherited from microsoft.graph.networkaccess.policy.

Graph reference: filteringPolicyLink

Property	Type	Description
action	microsoft.graph.networkaccess.filteringPolicyAction	The actions for filtering policies, offering "block" and "allow" options to specify whether to block or allow access based on the policy. The possible values are: `block`, `allow`.
createdDateTime	DateTimeOffset	The date and time when the filtering Policy link was created.
id	String	Unique identifier. Inherited from microsoft.graph.entity.
lastModifiedDateTime	DateTimeOffset	The date and time when the policy was most recently modified.
loggingState	microsoft.graph.networkaccess.status	A value that tells whether the link is enabled or disabled. Inherited from microsoft.graph.networkaccess.policyLink. The allowed values are `enabled` and `disabled`.
priority	Int64	Provides an integer priority level for each instance of a URL filtering policy linked to a profile. Required.

Graph reference: filteringRule

Property	Type	Description
destinations	microsoft.graph.networkaccess.ruleDestination collection	Possible destinations and types of destinations accessed by the user in accordance with the network filtering policy, such as IP addresses and FQDNs/URLs.
id	String	A unique ID for the rule. Inherited from microsoft.graph.networkaccess.policyRule.
name	String	The display name of the rule. Inherited from microsoft.graph.networkaccess.policyRule.
ruleType	microsoft.graph.networkaccess.networkDestinationType	The rule types that specify the basis for filtering. The possible values are: `url`, `fqdn`, `ipAddress`, `ipRange`, `ipSubnet`, and `webCategory`.

Graph reference: forwardingPolicyLink

Property	Type	Description
id	String	Unique identifier. Inherited from microsoft.graph.entity.
state	microsoft.graph.networkaccess.status	Link Status. Inherited from microsoft.graph.networkaccess.policyLink. The possible values are: `enabled`, `disabled`.
version	String	Version number. Inherited from microsoft.graph.networkaccess.policyLink.

Graph reference: forwardingProfile

Property	Type	Description
associations	microsoft.graph.networkaccess.association collection	Specifies the users, groups, devices, and remote networks whose traffic is associated with the given traffic forwarding profile.
description	String	Profile description. Inherited from microsoft.graph.networkaccess.profile.
id	String	Identifier for the profile. Inherited from microsoft.graph.entity.
lastModifiedDateTime	DateTimeOffset	Profile last modified time. Inherited from microsoft.graph.networkaccess.profile.
name	String	Profile name. Inherited from microsoft.graph.networkaccess.profile.
priority	Int32	Profile priority.
state	microsoft.graph.networkaccess.status	Determines whether the profile is active or inactive. Inherited from microsoft.graph.networkaccess.profile. The possible values are: `enabled`, `disabled`.
trafficForwardingType	microsoft.graph.networkaccess.trafficForwardingType	Profile traffic type. The possible values are: `m365`, `internet`, `private`.
version	String	Version.

Graph reference: fqdnFilteringRule

Property	Type	Description
destinations	microsoft.graph.networkaccess.ruleDestination collection	The list of potential destinations and destination types that the user may access, including FQDNs and web categories, within the context of a network filtering policy. Inherited from microsoft.graph.networkaccess.filteringRule.
id	String	The unique identifier for the fqdnFilteringRule. Inherited from microsoft.graph.networkaccess.filteringRule.
name	String	Display name. Inherited from microsoft.graph.networkaccess.filteringRule.
ruleType	microsoft.graph.networkaccess.networkDestinationType	The network destination type used by a filtering rule. Supports a subset of the values for **n

Graph reference: policyLink

Property	Type	Description
id	String	Identifier. Inherited from microsoft.graph.entity.
state	microsoft.graph.networkaccess.status	Link status. The possible values are: `enabled`, `disabled`.
version	String	Version.

Property	Type	Description
id	String	The unique identifier for the rule. Inherited from microsoft.graph.entity.
name	String	Name.

Graph reference: policyRuleDelta

Property	Type	Description
action	microsoft.graph.networkaccess.forwardingRuleAction	Required. The possible values are: `bypass`, `forward`, `unknownFutureValue`.
ruleId	String	The identifier of the policy rule to update.

Graph reference: profile

Property	Type	Description
description	String	Description.
id	String	The identifier for the profile. Inherited from microsoft.graph.entity.
lastModifiedDateTime	DateTimeOffset	The date and time when the profile was last modified.
name	String	The name of the profile.
state	microsoft.graph.networkaccess.status	the status of the profile. Possible values are: `enabled` and `disabled`.
version	String	Profile version.

Graph reference: remoteNetwork

Property	Type	Description
id	String	Identifier for the remote network. Inherited from microsoft.graph.entity.
lastModifiedDateTime	DateTimeOffset	last modified time.
name	String	Name.
region	microsoft.graph.networkaccess.region	Specify the region closest to your remote network. The possible value are: `eastUS`, `eastUS2`, `westUS`, `westUS2`, `westUS3`, `centralUS`, `northCentralUS`, `southCentralUS`, `northEurope`, `westEurope`, `franceCentral`, `germanyWestCentral`, `switzerlandNorth`, `ukSouth`, `canadaEast`, `canadaCentral`, `southAfricaWest`, `southAfricaNorth`, `uaeNorth`, `australiaEast`, `westCentralUS`, `centralIndia`, `southEastAsia`, `swedenCentral`, `southIndia`, `australiaSouthEast`, `koreaCentral`, `koreaSouth`, `polandCentral`, `brazilSouth`, `japanEast`, `japanWest`, `koreaSouth`, `italyNorth`, `franceSouth`, `israelCentral`, `unknownFutureValue`.
version	String	Remote network version.

Graph reference: tenantStatus

Property	Type	Description
id	String	Identifier. Inherited from microsoft.graph.entity.
onboardingErrorMessage	String	Reflects a message to the user if there's an error.
onboardingStatus	microsoft.graph.networkaccess.onboardingStatus	Reflects the tenant onboarding status. The possible values are: `offboarded`, `offboardingInProgress`, `onboardingInProgress`, `onboarded`, `onboardingErrorOccurred`, `offboardingErrorOccurred`.

Graph reference: tlsInspectionPolicyLink

Property	Type	Description
id	String	The unique identifier for the policy link. Inherited from microsoft.graph.networkaccess.policyLink. Inherits from entity.
state	microsoft.graph.networkaccess.status	The state of the policy link. Inherited from microsoft.graph.networkaccess.policyLink. The possible values are: `enabled`, `disabled`, `unknownFutureValue`. Supports `$filter` (`eq`, `ne`).
version	String	Version number of the policy link. Inherited from microsoft.graph.networkaccess.policyLink.

Graph reference: transactionSummary

Property	Type	Description
blockedCount	Int32	The number of transactions that were blocked.
totalCount	Int32	The total number of transactions.
trafficType	microsoft.graph.networkaccess.trafficType	The trraffic classification. The possible values are `internet`, `private`, `microsoft365`, and `all`.

Graph reference: networkaccess-user

Property	Type	Description
displayName	String	User display Name.
lastAccessDateTime	DateTimeOffset	The date and time of the most recent access.
trafficType	microsoft.graph.networkaccess.trafficType	The traffic classification. The possible values are `internet`, `private`, `microsoft365`, and `all`.
userId	String	The ID for the user.
userPrincipalName	String	A unique identifier that is associated with a user in a system or directory. Typically, this value is an email address that is used for user authentication and identification.
userType	microsoft.graph.networkaccess.userType	The user type. The possible values are `member`, `guest`, and `unknownFutureValue`.

Graph reference: webCategoriesSummary

Property	Type	Description
deviceCount	Int32	The number of unique devices that were seen.
transactionCount	Int32	The number of transactions that were seen.
userCount	Int32	The number of unique Microsoft Entra ID users that were seen.
webCategory	microsoft.graph.networkaccess.webCategory	The website category.

Graph reference: webCategoryFilteringRule

Property	Type	Description
destinations	microsoft.graph.networkaccess.ruleDestination collection	The list of potential destinations and destination types that the user may access, including fully qualified domain names (FQDNs) and web categories, within the context of a network filtering policy. Inherited from microsoft.graph.networkaccess.filteringRule.
id	String	The unique identifier for the webCategoryFilteringRule. Inherited from microsoft.graph.networkaccess.filteringRule.
name	String	Display name. Inherited from microsoft.graph.networkaccess.filteringRule.
ruleType	microsoft.graph.networkaccess.networkDestinationType	The network destination type used by a filtering rule. Supports a subset of the values for **n

Table of Contents

NetworkAccessPolicy.ReadWrite.All

Graph Methods

Resources