NetworkAccessPolicy.ReadWrite.All
Allows the app to read and write your organization's security and routing network access policies on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
NetworkAccessPolicy.ReadWrite.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | f0c341be-8348-4989-8e43-660324294538 | b1fbad0f-ef6e-42ed-8676-bca7fa3e7291 |
| DisplayText | Read and write all security and routing policies for network access | Read and write security and routing policies for network access |
| Description | Allows the app to read and write your organization's network access policies, without a signed-in user. | Allows the app to read and write your organization's security and routing network access policies on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods |
|---|
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands |
|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- association
- conditionalAccessSettings
- crossTenantAccess
- crossTenantSummary
- destination
- destinationSummary
- device
- deviceUsageSummary
- entitiesSummary
- filteringPolicy
- filteringPolicyLink
- filteringRule
- forwardingPolicyLink
- forwardingProfile
- fqdnFilteringRule
- policyLink
- policyRule
- policyRuleDelta
- profile
- remoteNetwork
- tenantStatus
- tlsInspectionMatchingConditions
- tlsInspectionPolicy
- tlsInspectionPolicyLink
- tlsInspectionPolicySettings
- tlsInspectionRule
- tlsInspectionRuleSettings
- transactionSummary
- networkaccess-user
- webCategoriesSummary
- webCategoryFilteringRule
Graph reference: association
Graph reference: conditionalAccessSettings
| Property | Type | Description |
|---|---|---|
| id | String | Identifier. Inherited from microsoft.graph.entity. |
| signalingStatus | microsoft.graph.networkaccess.status | When SignalingStatus is enabled, the Conditional Access policy includes zero trust network access information. The possible values are: enabled, disabled. |
Graph reference: crossTenantAccess
| Property | Type | Description |
|---|---|---|
| deviceCount | Int64 | The number of devices that accessed the external tenant. |
| lastAccessDateTime | DateTimeOffset | The timestamp of the most recent access to the external tenant. |
| resourceTenantId | String | The tenant ID of the external tenant. |
| resourceTenantName | String | The name of the external tenant. |
| resourceTenantPrimaryDomain | String | The domain of the external tenant. |
| usageStatus | microsoft.graph.networkaccess.usageStatus | The usage status of cross-tenant access. The possible values are frequentlyUsed, rarelyUsed, and unknownFutureValue. |
| userCount | Int64 | The number of users that accessed the external tenant. |
Graph reference: crossTenantSummary
| Property | Type | Description |
|---|---|---|
| authTransactionCount | Int32 | The total number of authentication sessions between startDateTime and endDateTime. |
| deviceCount | Int32 | The number of unique devices that performed cross-tenant access. |
| newTenantCount | Int32 | The number of unique tenants that were accessed between endDateTime and discoveryPivotDateTime, but weren't accessed between discoveryPivotDateTime and startDateTime. |
| rarelyUsedTenantCount | Int32 | The number of tenants that are rarely used. |
| tenantCount | Int32 | The number of unique tenants that were accessed, not including the device's tenant. |
| userCount | Int32 | The number of unique users that performed cross-tenant access. |
Graph reference: destination
| Property | Type | Description |
|---|---|---|
| deviceCount | Int32 | The number of unique devices that were seen. |
| fqdn | String | The fully qualified domain name (FQDN) of the destination. |
| ip | String | The internet protocol (IP) used to access the destination. |
| lastAccessDateTime | DateTimeOffset | The most recent access DateTime. |
| networkingProtocol | microsoft.graph.networkaccess.networkingProtocol | The set of communication rules and conventions that govern data transmission between devices in a network. The possible values are: ip, icmp, igmp, ggp, ipv4, tcp, pup, udp, idp, ipv6, ipv6RoutingHeader, ipv6FragmentHeader, ipSecEncapsulatingSecurityPayload, ipSecAuthenticationHeader, icmpV6, ipv6NoNextHeader, ipv6DestinationOptions, nd, raw, ipx, spx, and spxII. |
| port | Int32 | The numeric identifier that is associated with a specific endpoint in a network. |
| trafficType | microsoft.graph.networkaccess.trafficType | The traffic classification. The possible values are internet, private, microsoft365, and all. |
| transactionCount | Int32 | The number of transactions. |
| userCount | Int32 | The number of unique Microsoft Entra ID users that were seen. |
Graph reference: destinationSummary
| Property | Type | Description |
|---|---|---|
| count | Int32 | The number of the destinationSummary objects, aggregated by Global Secure Access service. |
| destination | String | The IP address or FQDN of the destination. |
| trafficType | microsoft.graph.networkaccess.trafficType | The traffic classification. The allowed values are internet, private, microsoft365, all, and unknownFutureValue. |
Graph reference: device
| Property | Type | Description |
|---|---|---|
| deviceId | String | A unique device ID. |
| displayName | String | The display name for the device. |
| isCompliant | Boolean | A value that indicates whether or not the device is compliant. |
| lastAccessDateTime | DateTimeOffset | The most recent access time for the device. |
| operatingSystem | String | The operating system on the device. |
| trafficType | microsoft.graph.networkaccess.trafficType | The traffic classification. The possible values are: internet, private, microsoft365, or all. |
Graph reference: deviceUsageSummary
| Property | Type | Description |
|---|---|---|
| activeDeviceCount | Int32 | The number of distinct device IDs between the discovery pivot time and the end of the reporting period. |
| inactiveDeviceCount | Int32 | The discovery pivot time and the end of the reporting period, but were seen between the start of the reporting period and the discovery pivot time. |
| totalDeviceCount | Int32 | The total number of distinct device IDs that were seen during the reporting period. |
Graph reference: entitiesSummary
| Property | Type | Description |
|---|---|---|
| deviceCount | Int64 | The number of unique devices that were seen. |
| trafficType | microsoft.graph.networkaccess.trafficType | The traffic classification. The possible values are: internet, private, microsoft365, all. |
| userCount | Int64 | The number of unique Microsoft Entra ID users that were seen. |
| workloadCount | Int64 | The number of unique target workloads/hosts that were seen. |
Graph reference: filteringPolicy
| Property | Type | Description |
|---|---|---|
| createdDateTime | DateTimeOffset | The date and time when the filtering Policy was originally created. |
| description | String | A description of the filtering policy. Inherited from microsoft.graph.networkaccess.policy. |
| id | String | The identifier for the filtering policy. Inherited from microsoft.graph.entity. |
| lastModifiedDateTime | DateTimeOffset | The date and time when a particular profile was last modified or updated. |
| name | String | The display name for the filtering policy. Inherited from microsoft.graph.networkaccess.policy. |
Graph reference: filteringPolicyLink
| Property | Type | Description |
|---|---|---|
| action | microsoft.graph.networkaccess.filteringPolicyAction | The actions for filtering policies, offering "block" and "allow" options to specify whether to block or allow access based on the policy. The possible values are: block, allow. |
| createdDateTime | DateTimeOffset | The date and time when the filtering Policy link was created. |
| id | String | Unique identifier. Inherited from microsoft.graph.entity. |
| lastModifiedDateTime | DateTimeOffset | The date and time when the policy was most recently modified. |
| loggingState | microsoft.graph.networkaccess.status | A value that tells whether the link is enabled or disabled. Inherited from microsoft.graph.networkaccess.policyLink. The allowed values are enabled and disabled. |
| priority | Int64 | Provides an integer priority level for each instance of a URL filtering policy linked to a profile. Required. |
Graph reference: filteringRule
| Property | Type | Description |
|---|---|---|
| destinations | microsoft.graph.networkaccess.ruleDestination collection | Possible destinations and types of destinations accessed by the user in accordance with the network filtering policy, such as IP addresses and FQDNs/URLs. |
| id | String | A unique ID for the rule. Inherited from microsoft.graph.networkaccess.policyRule. |
| name | String | The display name of the rule. Inherited from microsoft.graph.networkaccess.policyRule. |
| ruleType | microsoft.graph.networkaccess.networkDestinationType | The rule types that specify the basis for filtering. The possible values are: url, fqdn, ipAddress, ipRange, ipSubnet, and webCategory. |
Graph reference: forwardingPolicyLink
| Property | Type | Description |
|---|---|---|
| id | String | Unique identifier. Inherited from microsoft.graph.entity. |
| state | microsoft.graph.networkaccess.status | Link Status. Inherited from microsoft.graph.networkaccess.policyLink. The possible values are: enabled, disabled. |
| version | String | Version number. Inherited from microsoft.graph.networkaccess.policyLink. |
Graph reference: forwardingProfile
| Property | Type | Description |
|---|---|---|
| associations | microsoft.graph.networkaccess.association collection | Specifies the users, groups, devices, and remote networks whose traffic is associated with the given traffic forwarding profile. |
| description | String | Profile description. Inherited from microsoft.graph.networkaccess.profile. |
| id | String | Identifier for the profile. Inherited from microsoft.graph.entity. |
| lastModifiedDateTime | DateTimeOffset | Profile last modified time. Inherited from microsoft.graph.networkaccess.profile. |
| name | String | Profile name. Inherited from microsoft.graph.networkaccess.profile. |
| priority | Int32 | Profile priority. |
| state | microsoft.graph.networkaccess.status | Determines whether the profile is active or inactive. Inherited from microsoft.graph.networkaccess.profile. The possible values are: enabled, disabled. |
| trafficForwardingType | microsoft.graph.networkaccess.trafficForwardingType | Profile traffic type. The possible values are: m365, internet, private. |
| version | String | Version. |
Graph reference: fqdnFilteringRule
| Property | Type | Description |
|---|---|---|
| destinations | microsoft.graph.networkaccess.ruleDestination collection | The list of potential destinations and destination types that the user may access, including FQDNs and web categories, within the context of a network filtering policy. Inherited from microsoft.graph.networkaccess.filteringRule. |
| id | String | The unique identifier for the fqdnFilteringRule. Inherited from microsoft.graph.networkaccess.filteringRule. |
| name | String | Display name. Inherited from microsoft.graph.networkaccess.filteringRule. |
| ruleType | microsoft.graph.networkaccess.networkDestinationType | The network destination type used by a filtering rule. Supports a subset of the values for **n |
Graph reference: policyLink
| Property | Type | Description |
|---|---|---|
| id | String | Identifier. Inherited from microsoft.graph.entity. |
| state | microsoft.graph.networkaccess.status | Link status. The possible values are: enabled, disabled. |
| version | String | Version. |
Graph reference: policyRule
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier for the rule. Inherited from microsoft.graph.entity. |
| name | String | Name. |
Graph reference: policyRuleDelta
| Property | Type | Description |
|---|---|---|
| action | microsoft.graph.networkaccess.forwardingRuleAction | Required. The possible values are: bypass, forward, unknownFutureValue. |
| ruleId | String | The identifier of the policy rule to update. |
Graph reference: profile
| Property | Type | Description |
|---|---|---|
| description | String | Description. |
| id | String | The identifier for the profile. Inherited from microsoft.graph.entity. |
| lastModifiedDateTime | DateTimeOffset | The date and time when the profile was last modified. |
| name | String | The name of the profile. |
| state | microsoft.graph.networkaccess.status | the status of the profile. Possible values are: enabled and disabled. |
| version | String | Profile version. |
Graph reference: remoteNetwork
| Property | Type | Description |
|---|---|---|
| id | String | Identifier for the remote network. Inherited from microsoft.graph.entity. |
| lastModifiedDateTime | DateTimeOffset | last modified time. |
| name | String | Name. |
| region | microsoft.graph.networkaccess.region | Specify the region closest to your remote network. The possible value are: eastUS, eastUS2, westUS, westUS2, westUS3, centralUS, northCentralUS, southCentralUS, northEurope, westEurope, franceCentral, germanyWestCentral, switzerlandNorth, ukSouth, canadaEast, canadaCentral, southAfricaWest, southAfricaNorth, uaeNorth, australiaEast, westCentralUS, centralIndia, southEastAsia, swedenCentral, southIndia, australiaSouthEast, koreaCentral, koreaSouth, polandCentral, brazilSouth, japanEast, japanWest, koreaSouth, italyNorth, franceSouth, israelCentral, unknownFutureValue. |
| version | String | Remote network version. |
Graph reference: tenantStatus
| Property | Type | Description |
|---|---|---|
| id | String | Identifier. Inherited from microsoft.graph.entity. |
| onboardingErrorMessage | String | Reflects a message to the user if there's an error. |
| onboardingStatus | microsoft.graph.networkaccess.onboardingStatus | Reflects the tenant onboarding status. The possible values are: offboarded, offboardingInProgress, onboardingInProgress, onboarded, onboardingErrorOccurred, offboardingErrorOccurred. |
Graph reference: tlsInspectionMatchingConditions
| Property | Type | Description |
|---|---|---|
| destinations | microsoft.graph.networkaccess.tlsInspectionDestination collection | A collection of destinations to match against. Can include FQDN destinations or web category destinations. An empty collection means no destination matching is performed. At least one destination must have non-null properties to allow for matching. |
Graph reference: tlsInspectionPolicy
| Property | Type | Description |
|---|---|---|
| description | String | Optional description of the policy. Inherited from microsoft.graph.networkaccess.policy. Supports $filter (eq, ne, startsWith) |
| id | String | The unique identifier for the policy. Read-only. Inherited from microsoft.graph.networkaccess.policy. |
| lastModifiedDateTime | DateTimeOffset | The timestamp of when the policy was last modified. Supports $filter (eq, ne, not, ge, le, in) and $orderby. Read-only. |
| name | String | The display name of the policy. Inherited from microsoft.graph.networkaccess.policy. |
| settings | microsoft.graph.networkaccess.tlsInspectionPolicySettings | Settings that configure the default behavior of the policy. |
| version | String | Version number of the policy. Supports $filter (eq, ne, startsWith). Read-only. Inherited from microsoft.graph.networkaccess.policy. |
Graph reference: tlsInspectionPolicyLink
| Property | Type | Description |
|---|---|---|
| id | String | The unique identifier for the policy link. Inherited from microsoft.graph.networkaccess.policyLink. Inherits from entity. |
| state | microsoft.graph.networkaccess.status | The state of the policy link. Inherited from microsoft.graph.networkaccess.policyLink. The possible values are: enabled, disabled, unknownFutureValue. Supports $filter (eq, ne). |
| version | String | Version number of the policy link. Inherited from microsoft.graph.networkaccess.policyLink. |
Graph reference: tlsInspectionPolicySettings
| Property | Type | Description |
|---|---|---|
| defaultAction | microsoft.graph.networkaccess.tlsInspectionAction | The default action to take when no rules in the policy match the traffic. The possible values are: bypass, inspect, unknownFutureValue. Supports $filter (eq, ne). |
Graph reference: tlsInspectionRule
| Property | Type | Description |
|---|---|---|
| action | microsoft.graph.networkaccess.tlsInspectionAction | The action to take when traffic matches this rule. The possible values are: bypass, inspect, unknownFutureAction. |
| description | String | Optional description explaining the purpose of the rule. |
| id | String | The unique identifier for the rule. Inherited from microsoft.graph.networkaccess.policyRule. Inherits from entity. |
| matchingConditions | microsoft.graph.networkaccess.tlsInspectionMatchingConditions | The conditions that determine when this rule should be applied to traffic. |
| name | String | The display name of the rule. Inherited from microsoft.graph.networkaccess.policyRule. Supports $filter (eq, ne, startsWith). |
| priority | Int64 | The priority of the rule. Rules are evaluated in ascending order of priority. Lower numbers indicate higher priority. Supports $filter (eq, ne, not, ge, le, in) and $orderby. |
| settings | microsoft.graph.networkaccess.tlsInspectionRuleSettings | Additional settings that configure the rule's behavior. |
Graph reference: tlsInspectionRuleSettings
| Property | Type | Description |
|---|---|---|
| status | microsoft.graph.networkaccess.securityRuleStatus | The enforcement status of the rule. The possible values are: enabled, disabled, reportOnly, unknownFutureValue. Supports $filter (eq, ne). |
Graph reference: transactionSummary
| Property | Type | Description |
|---|---|---|
| blockedCount | Int32 | The number of transactions that were blocked. |
| totalCount | Int32 | The total number of transactions. |
| trafficType | microsoft.graph.networkaccess.trafficType | The trraffic classification. The possible values are internet, private, microsoft365, and all. |
Graph reference: networkaccess-user
| Property | Type | Description |
|---|---|---|
| displayName | String | User display Name. |
| lastAccessDateTime | DateTimeOffset | The date and time of the most recent access. |
| trafficType | microsoft.graph.networkaccess.trafficType | The traffic classification. The possible values are internet, private, microsoft365, and all. |
| userId | String | The ID for the user. |
| userPrincipalName | String | A unique identifier that is associated with a user in a system or directory. Typically, this value is an email address that is used for user authentication and identification. |
| userType | microsoft.graph.networkaccess.userType | The user type. The possible values are member, guest, and unknownFutureValue. |
Graph reference: webCategoriesSummary
| Property | Type | Description |
|---|---|---|
| deviceCount | Int32 | The number of unique devices that were seen. |
| transactionCount | Int32 | The number of transactions that were seen. |
| userCount | Int32 | The number of unique Microsoft Entra ID users that were seen. |
| webCategory | microsoft.graph.networkaccess.webCategory | The website category. |
Graph reference: webCategoryFilteringRule
| Property | Type | Description |
|---|---|---|
| destinations | microsoft.graph.networkaccess.ruleDestination collection | The list of potential destinations and destination types that the user may access, including fully qualified domain names (FQDNs) and web categories, within the context of a network filtering policy. Inherited from microsoft.graph.networkaccess.filteringRule. |
| id | String | The unique identifier for the webCategoryFilteringRule. Inherited from microsoft.graph.networkaccess.filteringRule. |
| name | String | Display name. Inherited from microsoft.graph.networkaccess.filteringRule. |
| ruleType | microsoft.graph.networkaccess.networkDestinationType | The network destination type used by a filtering rule. Supports a subset of the values for **n |