Policy.Read.All
Allows the app to read your organization's policies on behalf of the signed-in user.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
Field | Value |
---|---|
Id | 572fea84-0151-49b2-9301-11cb16974376 |
Consent Type | Admin |
Display String | Read your organization's policies |
Description | Allows the app to read your organization's policies on behalf of the signed-in user. |
Application Permission
Field | Value |
---|---|
Id | 246dd0d5-5bd0-4def-940b-0421030a5b68 |
Display String | Read your organization's policies |
Description | Allows the app to read all your organization's policies without a signed-in user. |
Resources
accessReviewPolicy
Property | Type | Description |
---|---|---|
description | String | Description for this policy. Read-only. |
displayName | String | Display name for this policy. Read-only. |
isGroupOwnerManagementEnabled | Boolean | If true, group owners can create and manage access reviews on groups they own. |
activityBasedTimeoutPolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
description | String | Description for this policy. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |
adminConsentRequestPolicy
Property | Type | Description |
---|---|---|
isEnabled | Boolean | Specifies whether the admin consent request feature is enabled or disabled. Required. |
notifyReviewers | Boolean | Specifies whether reviewers will receive notifications. Required. |
remindersEnabled | Boolean | Specifies whether reviewers will receive reminder emails. Required. |
requestDurationInDays | Int32 | Specifies the duration the request is active before it automatically expires if no decision is applied. |
reviewers | accessReviewReviewerScope collection | The list of reviewers for the admin consent. Required. |
version | Int32 | Specifies the version of this policy. When the policy is updated, this version is updated. Read-only. |
application
Property | Type | Description |
---|---|---|
addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Office 365 call the application in the context of a document the user is working on. |
api | apiApplication | Specifies settings for an application that implements a web API. |
appId | String | The unique identifier for the application that is assigned to an application by Azure AD. Not nullable. Read-only. Supports $filter (eq). |
applicationTemplateId | String | Unique identifier of the applicationTemplate. Supports $filter (eq, not, ne). |
appRoles | appRole collection | The collection of roles defined for the application. With app role assignments, these roles can be assigned to users, groups, or service principals associated with other applications. Not nullable. |
certification | certification | Specifies the certification status of the application. |
createdDateTime | DateTimeOffset | The date and time the application was registered. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Supports $filter (eq, ne, not, ge, le, in, and eq on null values) and $orderBy. |
deletedDateTime | DateTimeOffset | The date and time the application was deleted. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
description | String | Free text field to provide a description of the application object to end users. The maximum allowed size is 1024 characters. Supports $filter (eq, ne, not, ge, le, startsWith) and $search. |
disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled, and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq, ne, not). |
displayName | String | The display name for the application. Supports $filter (eq, ne, not, ge, le, in, startsWith, and eq on null values), $search, and $orderBy. |
groupMembershipClaims | String | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects. To set this attribute, use one of the following valid string values: None, SecurityGroup (for security groups and Azure AD roles), All (this gets all of the security groups, distribution groups, and Azure AD directory roles that the signed-in user is a member of). |
id | String | Unique identifier for the application object. This property is referred to as Object ID in the Azure portal. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq, ne, not, in). |
identifierUris | String collection | Also known as App ID URI, this value is set when an application is used as a resource app. The identifierUris acts as the prefix for the scopes you'll reference in your API's code, and it must be globally unique. You can use the default value provided, which is in the form api://<application-client-id>, or specify a more readable URI like https://contoso.com/api. For more information on valid identifierUris patterns and best practices, see Azure AD application registration security best practices. Not nullable. Supports $filter (eq, ne, ge, le, startsWith). |
info | informationalUrl | Basic profile information of the application such as the app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Azure AD apps. Supports $filter (eq, ne, not, ge, le, and eq on null values). |
isDeviceOnlyAuthSupported | Boolean | Specifies whether this application supports device authentication without a user. The default is false. |
isFallbackPublicClient | Boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is false, which means the fallback application type is confidential client such as a web app. There are certain scenarios where Azure AD cannot determine the client application type, for example the ROPC flow where it is configured without specifying a redirect URI. In those cases Azure AD interprets the application type based on the value of this property. |
keyCredentials | keyCredential collection | The collection of key credentials associated with the application. Not nullable. Supports $filter (eq, not, ge, le). |
logo | Stream | The main logo for the application. Not nullable. |
notes | String | Notes relevant for the management of the application. |
oauth2RequiredPostResponse | Boolean | Specifies whether, as part of OAuth 2.0 token requests, Azure AD allows POST requests, as opposed to GET requests. The default is false, which specifies that only GET requests are allowed. |
optionalClaims | optionalClaims | Application developers can configure optional claims in their Azure AD applications to specify the claims that are sent to their application by the Microsoft security token service. For more information, see How to: Provide optional claims to your app. |
parentalControlSettings | parentalControlSettings | Specifies parental control settings for an application. |
passwordCredentials | passwordCredential collection | The collection of password credentials associated with the application. Not nullable. |
publicClient | publicClientApplication | Specifies settings for installed clients such as desktop or mobile devices. |
publisherDomain | String | The verified publisher domain for the application. Read-only. For more information, see How to: Configure an application's publisher domain. Supports $filter (eq, ne, ge, le, startsWith). |
requiredResourceAccess | requiredResourceAccess collection | Specifies the resources that the application needs to access. This property also specifies the set of delegated permissions and application roles that it needs for each of those resources. This configuration of access to the required resources drives the consent experience. No more than 50 resource services (APIs) can be configured. Beginning mid-October 2021, the total number of required permissions must not exceed 400. For more information, see Limits on requested permissions per app. Not nullable. Supports $filter (eq, not, ge, le). |
samlMetadataUrl | String | The URL where the service exposes SAML metadata for federation. This property is valid only for single-tenant applications. Nullable. |
serviceManagementReference | String | References application or service contact information from a Service or Asset Management database. Nullable. |
signInAudience | String | Specifies the Microsoft accounts that are supported for the current application. The possible values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount (default), and PersonalMicrosoftAccount. See more in the table. The value of this object also limits the number of permissions an app can request. For more information, see Limits on requested permissions per app. The value for this property has implications on other app object properties. As a result, if you change this property, you may need to change other properties first. For more information, see Validation differences for signInAudience. Supports $filter (eq, ne, not). |
spa | spaApplication | Specifies settings for a single-page application, including sign out URLs and redirect URIs for authorization codes and access tokens. |
tags | String collection | Custom strings that can be used to categorize and identify the application. Not nullable. Supports $filter (eq, not, ge, le, startsWith). |
tokenEncryptionKeyId | String | Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD encrypts all the tokens it emits by using the key this property points to. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
verifiedPublisher | verifiedPublisher | Specifies the verified publisher of the application. For more information about how publisher verification helps support application security, trustworthiness, and compliance, see Publisher verification. |
web | webApplication | Specifies settings for a web application. |
appManagementPolicy
Property | Type | Description |
---|---|---|
id | String | The policy identifier. |
displayName | String | The display name of the policy. Inherited from policyBase. |
description | String | The description of the policy. Inherited from policyBase. |
isEnabled | Boolean | Denotes whether the policy is enabled. |
restrictions | appManagementConfiguration | Restrictions that apply to an application or service principal object. |
authenticationCombinationConfiguration
Property | Type | Description |
---|---|---|
appliesToCombinations | authenticationMethodModes collection | Which authentication method combinations this configuration applies to. Must be an allowedCombinations object that's defined for the authenticationStrengthPolicy. The only possible value for fido2combinationConfigurations is "fido2". |
id | String | A unique system-generated identifier. Inherited from entity. |
authenticationFlowsPolicy
Property | Type | Description |
---|---|---|
description | String | Inherited property. A description of the policy. Optional. Read-only. |
displayName | String | Inherited property. The human-readable name of the policy. Optional. Read-only. |
id | String | Inherited property. The identifier of the authentication flows policy. Optional. Read-only. |
selfServiceSignUp | selfServiceSignUpAuthenticationFlowConfiguration | Contains selfServiceSignUpAuthenticationFlowConfiguration settings that convey whether self-service sign-up is enabled or disabled. Optional. Read-only. |
authenticationListener
Property | Type | Description |
---|---|---|
id | String | The identifier of the action. |
priority | Int32 | The priority of the listener. Determines the order of evaluation when an event has multiple listeners. The priority is evaluated from low to high. |
sourceFilter | authenticationSourceFilter | Filter based on the source of the authentication that is used to determine whether the listener is evaluated. This is currently limited to evaluations based on application the user is authenticating to. |
authenticationMethodModeDetail
Property | Type | Description |
---|---|---|
authenticationMethod | baseAuthenticationMethod | The authentication method that this mode modifies. The possible values are: password, voice, hardwareOath, softwareOath, sms, fido2, windowsHelloForBusiness, microsoftAuthenticator, temporaryAccessPass, email, x509Certificate, federation, unknownFutureValue. |
displayName | String | The display name of this mode. |
id | String | The system-generated identifier for this mode. Inherited from entity. |
authenticationMethodsPolicy
Property | Type | Description |
---|---|---|
description | String | A description of the policy. Read-only. |
displayName | String | The name of the policy. Read-only. |
id | String | The identifier of the policy. Inherited from entity. |
lastModifiedDateTime | DateTimeOffset | The date and time of the last update to the policy. Read-only. |
policyVersion | String | The version of the policy in use. Read-only. |
registrationEnforcement | registrationEnforcement | Enforce registration at sign-in time. This property can be used to remind users to set up targeted authentication methods. |
authenticationStrengthPolicy
Property | Type | Description |
---|---|---|
allowedCombinations | authenticationMethodModes collection | A collection of authentication method modes that are required to be used to satisfy this authentication strength. |
createdDateTime | DateTimeOffset | The datetime when this policy was created. |
description | String | The human-readable description of this policy. |
displayName | String | The human-readable display name of this policy. Supports $filter (eq, ne, not, and in). |
id | String | The system-generated identifier for this mode. Inherited from entity. |
modifiedDateTime | DateTimeOffset | The datetime when this policy was last modified. |
policyType | authenticationStrengthPolicyType | A descriptor of whether this policy is built into Azure AD or created by an admin for the tenant. The possible values are: builtIn, custom, unknownFutureValue. Supports $filter (eq, ne, not, and in). |
requirementsSatisfied | authenticationStrengthRequirements | A descriptor of whether this authentication strength grants the MFA claim upon successful satisfaction. The possible values are: none, mfa, unknownFutureValue. |
authenticationStrengthUsage
Property | Type | Description |
---|---|---|
mfa | conditionalAccessPolicy collection | A collection of Conditional Access policies that reference the specified authentication strength policy and that require an MFA claim. |
none | conditionalAccessPolicy collection | A collection of Conditional Access policies that reference the specified authentication strength policy and that do not require an MFA claim. |
authorizationPolicy
Property | Type | Description |
---|---|---|
allowedToSignUpEmailBasedSubscriptions | Boolean | Indicates whether users can sign up for email based subscriptions. |
allowedToUseSSPR | Boolean | Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant. |
allowEmailVerifiedUsersToJoinOrganization | Boolean | Indicates whether a user can join the tenant by email validation. |
allowInvitesFrom | allowInvitesFrom | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. See more in the table below. |
blockMsolPowerShell | Boolean | To disable the use of MSOL PowerShell, set this property to true. This will also disable user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure AD Connect or Microsoft Graph. |
defaultUserRolePermissions | defaultUserRolePermissions | Specifies certain customizable permissions for default user role. |
description | String | Description of this policy. |
displayName | String | Display name for this policy. |
guestUserRoleId | Guid | Represents the role templateId for the role that should be granted to guest users. Currently the following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). |
id | String | ID of the authorization policy. Required. Read-only. |
b2cAuthenticationMethodsPolicy
Property | Type | Description |
---|---|---|
id | String | The id of the B2C authentication methods policy. This is a read-only property and the key. |
isEmailPasswordAuthenticationEnabled | Boolean | The tenant admin can configure local accounts using email if the email and password authentication method is enabled. |
isUserNameAuthenticationEnabled | Boolean | The tenant admin can configure local accounts using username if the username and password authentication method is enabled. |
isPhoneOneTimePasswordAuthenticationEnabled | Boolean | The tenant admin can configure local accounts using phone number if the phone number and one-time password authentication method is enabled. |
claimsMappingPolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See Properties of a claims-mapping policy definition for more details about the JSON schema for this property. Required. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | Ignore this property. The claims-mapping policy can only be applied to service principals and can't be set globally for the organization. |
conditionalAccessApplications
Property | Type | Description |
---|---|---|
excludeApplications | String collection | Can be one of the following: Office365 - For the list of apps included in Office365, see Conditional Access target apps: Office 365. |
includeApplications | String collection | Can be one of the following: All, Office365 - For the list of apps included in Office365, see Conditional Access target apps: Office 365. |
includeUserActions | String collection | User actions to include. Supported values are urn:user:registersecurityinfo and urn:user:registerdevice |
conditionalAccessGrantControls
Property | Type | Description |
---|---|---|
builtInControls | conditionalAccessGrantControl collection | List of values of built-in controls required by the policy. Possible values: block, mfa, compliantDevice, domainJoinedDevice, approvedApplication, compliantApplication, passwordChange, unknownFutureValue. |
customAuthenticationFactors | String collection | List of custom control IDs required by the policy. For more information, see Custom controls. |
operator | String | Defines the relationship of the grant controls. Possible values: AND, OR. |
termsOfUse | String collection | List of terms of use IDs required by the policy. |
conditionalAccessPolicy
Property | Type | Description |
---|---|---|
conditions | conditionalAccessConditionSet | Specifies the rules that must be met for the policy to apply. Required. |
createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
displayName | String | Specifies a display name for the conditionalAccessPolicy object. |
grantControls | conditionalAccessGrantControls | Specifies the grant controls that must be fulfilled to pass the policy. |
id | String | Specifies the identifier of a conditionalAccessPolicy object. Read-only. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
sessionControls | conditionalAccessSessionControls | Specifies the session controls that are enforced after sign-in. |
state | conditionalAccessPolicyState | Specifies the state of the conditionalAccessPolicy object. Possible values are: enabled, disabled, enabledForReportingButNotEnforced. Required. |
conditionalAccessSessionControls
Property | Type | Description |
---|---|---|
applicationEnforcedRestrictions | applicationEnforcedRestrictionsSessionControl | Session control to enforce application restrictions. Only Exchange Online and SharePoint Online support this session control. |
cloudAppSecurity | cloudAppSecuritySessionControl | Session control to apply cloud app security. |
disableResilienceDefaults | Boolean | Session control that determines whether it is acceptable for Azure AD to extend existing sessions based on information collected prior to an outage. |
persistentBrowser | persistentBrowserSessionControl | Session control to define whether to persist cookies. All apps should be selected for this session control to work correctly. |
signInFrequency | signInFrequencySessionControl | Session control to enforce sign-in frequency. |
conditionalAccessTemplate
Property | Type | Description |
---|---|---|
description | String | The user-friendly name of the template. |
details | conditionalAccessPolicyDetail | Complete list of policy details specific to the template. This property contains the JSON of policy settings for configuring a Conditional Access policy. |
id | String | Immutable ID of a template. Inherited from entity. |
name | String | The user-friendly name of the template. |
scenarios | templateScenarios | List of conditional access scenarios that the template is recommended for. The possible values are: new, secureFoundation, zeroTrust, remoteWork, protectAdmins, emergingThreats, unknownFutureValue. This is a multi-valued enum. Supports $filter (has). |
conditionalAccessUsers
Property | Type | Description |
---|---|---|
excludeGroups | String collection | Group IDs excluded from scope of policy. |
excludeRoles | String collection | Role IDs excluded from scope of policy. |
excludeUsers | String collection | User IDs excluded from scope of policy and/or GuestsOrExternalUsers. |
includeGroups | String collection | Group IDs in scope of policy unless explicitly excluded, or All. |
includeRoles | String collection | Role IDs in scope of policy unless explicitly excluded, or All. |
includeUsers | String collection | User IDs in scope of policy unless explicitly excluded, or None or All or GuestsOrExternalUsers. |
continuousAccessEvaluationPolicy
Property | Type | Description |
---|---|---|
description | String | Continuous access evaluation automatically blocks access to resources and applications in near real time when a user's access is removed or a client IP address changes. Read-only. |
displayName | String | The value is always Continuous Access Evaluation. Read-only. |
groups | String collection | The collection of group identifiers in scope for evaluation. All groups are in scope when the collection is empty. Read-only. |
id | String | Specifies the identifier of a continuousAccessEvaluationPolicy object. Read-only. |
isEnabled | Boolean | true to indicate whether continuous access evaluation should be performed; otherwise false. Read-only. |
users | String collection | The collection of user identifiers in scope for evaluation. All users are in scope when the collection is empty. Read-only. |
migrate | Boolean | true to indicate that the continuous access evaluation policy settings should be, or have been, migrated to the conditional access policy. |
countryNamedLocation
Property | Type | Description |
---|---|---|
countriesAndRegions | String collection | List of countries and/or regions in two-letter format specified by ISO 3166-2. Required. |
countryLookupMethod | countryLookupMethodType | Determines what method is used to decide which country the user is located in. Possible values are clientIpAddress (default) and authenticatorAppGps. Note: authenticatorAppGps is not yet supported in the Microsoft Cloud for US Government. |
createdDateTime | DateTimeOffset | The Timestamp type represents the creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Inherited from namedLocation. |
displayName | String | Human-readable name of the location. Required. Inherited from namedLocation. |
id | String | Identifier of a namedLocation object. Read-only. Inherited from namedLocation. |
includeUnknownCountriesAndRegions | Boolean | true if IP addresses that don't map to a country or region should be included in the named location. Optional. Default value is false. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents the last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. Inherited from namedLocation. |
crossTenantAccessPolicy
Property | Type | Description |
---|---|---|
displayName | String | The display name of the cross-tenant access policy. Inherited from policyBase. |
crossTenantAccessPolicyConfigurationDefault
Property | Type | Description |
---|---|---|
b2bCollaborationInbound | crossTenantAccessPolicyB2BSetting | Defines your default configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. |
b2bCollaborationOutbound | crossTenantAccessPolicyB2BSetting | Defines your default configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. |
b2bDirectConnectInbound | crossTenantAccessPolicyB2BSetting | Defines your default configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. |
b2bDirectConnectOutbound | crossTenantAccessPolicyB2BSetting | Defines your default configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. |
inboundTrust | crossTenantAccessPolicyInboundTrust | Determines the default configuration for trusting other Conditional Access claims from external Azure AD organizations. |
isServiceDefault | Boolean | If true, the default configuration is set to the system default configuration. If false, the default settings have been customized. |
crossTenantAccessPolicyConfigurationPartner
Property | Type | Description |
---|---|---|
b2bCollaborationInbound | crossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B collaboration. |
b2bCollaborationOutbound | crossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B collaboration. |
b2bDirectConnectInbound | crossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users from other organizations accessing your resources via Azure AD B2B direct connect. |
b2bDirectConnectOutbound | crossTenantAccessPolicyB2BSetting | Defines your partner-specific configuration for users in your organization going outbound to access resources in another organization via Azure AD B2B direct connect. |
inboundTrust | crossTenantAccessPolicyInboundTrust | Determines the partner-specific configuration for trusting other Conditional Access claims from external Azure AD organizations. |
isServiceProvider | Boolean | Identifies whether the partner-specific configuration is a Cloud Service Provider for your organization. |
tenantId | String | The tenant identifier for the partner Azure AD organization. Read-only. Key. |
crossTenantIdentitySyncPolicyPartner
Property | Type | Description |
---|---|---|
displayName | String | Display name for the cross-tenant user synchronization policy. Use the name of the partner Azure AD tenant to easily identify the policy. Optional. |
tenantId | String | Tenant identifier for the partner Azure AD organization. Read-only. |
userSyncInbound | crossTenantUserSyncInbound | Defines whether users can be synchronized from the partner tenant. Key. |
deviceRegistrationPolicy
Property | Type | Description |
---|---|---|
azureADJoin | azureAdJoinPolicy | Specifies the authorization policy for controlling registration of new devices using Azure AD Join within your organization. Required. For more information, see What is a device identity?. |
azureADRegistration | azureADRegistrationPolicy | Specifies the authorization policy for controlling registration of new devices using Azure AD registered within your organization. Required. For more information, see What is a device identity?. |
description | String | The description of the device registration policy. It is always set to Tenant-wide policy that manages intial provisioning controls using quota restrictions, additional authentication and authorization checks. Read-only. |
displayName | String | The name of the device registration policy. It is always set to Device Registration Policy. Read-only. |
id | String | The identifier of the device registration policy. It is always set to deviceRegistrationPolicy. Read-only. |
multiFactorAuthConfiguration | multiFactorAuthConfiguration | Specifies the authentication policy for a user to complete registration using Azure AD Join or Azure AD registered within your organization. The possible values are: 0 (meaning notRequired), 1 (meaning required), and 2 (meaning unknownFutureValue). The default value is 0. |
userDeviceQuota | Int32 | Specifies the maximum number of devices that a user can have within your organization before blocking new device registrations. The default value is set to 50. If this property is not specified during the policy update operation, it is automatically reset to 0 to indicate that users are not allowed to join any devices. |
directoryObject
Property | Type | Description |
---|---|---|
deletedDateTime | DateTimeOffset | Date and time when this object was deleted. Always null when the object hasn't been deleted. |
id | String | The unique identifier for the object. For example, 12345678-9abc-def0-1234-56789abcde. The value of the **i |
emailAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
allowExternalIdToUseEmailOtp | externalEmailOtpState | Determines whether email OTP is usable by external users for authentication. Possible values are: default, enabled, disabled, unknownFutureValue. Tenants in the default state who did not use public preview will automatically have email OTP enabled beginning in October 2021. |
id | String | The authentication method policy identifier. Inherited from authenticationMethodConfiguration. |
state | authenticationMethodState | Indicates whether this authentication method is enabled or not. Possible values are: enabled, disabled. |
externalIdentitiesPolicy
Property | Type | Description |
---|---|---|
allowDeletedIdentitiesDataRemoval | Boolean | Reserved for future use. |
allowExternalIdentitiesToLeave | Boolean | Defines whether external users can leave the guest tenant. If set to false , self-service controls are disabled, and the admin of the guest tenant must manually remove the external user from the guest tenant. When the external user leaves the tenant, their data in the guest tenant is first soft-deleted then permanently deleted in 30 days. |
displayName | String | The policy name. Inherited from policyBase. |
fido2AuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
id | String | The authentication method policy identifier. |
isAttestationEnforced | Boolean | Determines whether attestation must be enforced for FIDO2 security key registration. |
isSelfServiceRegistrationAllowed | Boolean | Determines if users can register new FIDO2 security keys. |
keyRestrictions | fido2KeyRestrictions | Controls whether key restrictions are enforced on FIDO2 security keys, either allowing or disallowing certain key types as defined by Authenticator Attestation GUID (AAGUID), an identifier that indicates the type (e.g. make and model) of the authenticator. |
state | authenticationMethodState | Possible values are: enabled , disabled . |
fido2CombinationConfiguration
Property | Type | Description |
---|---|---|
allowedAAGUIDs | String collection | A list of AAGUIDs allowed to be used as part of the specified authentication method combinations. |
appliesToCombinations | authenticationMethodModes collection | Which authentication method combinations this configuration applies to. The only possible value for fido2combinationConfigurations is "fido2" . Inherited from authenticationCombinationConfiguration. |
id | String | A system-generated identifier. Inherited from entity. |
group
Property | Type | Description |
---|---|---|
allowExternalSenders | Boolean | Indicates if people external to the organization can send messages to the group. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
assignedLabels | assignedLabel collection | The list of sensitivity label pairs (label ID, label name) associated with a Microsoft 365 group. Returned only on $select . |
assignedLicenses | assignedLicense collection | The licenses that are assigned to the group. Returned only on $select . Supports $filter (eq ). Read-only. |
autoSubscribeNewMembers | Boolean | Indicates if new members added to the group will be auto-subscribed to receive email notifications. You can set this property in a PATCH request for the group; do not set it in the initial POST request that creates the group. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
classification | String | Describes a classification for the group (such as low, medium or high business impact). Valid values for this property are defined by creating a ClassificationList setting value, based on the template definition. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ). |
createdDateTime | DateTimeOffset | Timestamp of when the group was created. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
deletedDateTime | DateTimeOffset | For some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null . If the object is restored, this property is updated to null . |
description | String | An optional description for the group. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ) and $search . |
displayName | String | The display name for the group. This property is required when a group is created and cannot be cleared during updates. Maximum length is 256 characters. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values), $search , and $orderBy . |
expirationDateTime | DateTimeOffset | Timestamp of when the group is set to expire. The value cannot be modified and is automatically populated when the group is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
groupTypes | String collection | Specifies the group type and its membership. If the collection contains Unified , the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. For details, see groups overview. If the collection includes DynamicMembership , the group has dynamic membership; otherwise, membership is static. Returned by default. Supports $filter (eq , not ). |
hasMembersWithLicenseErrors | Boolean | Indicates whether there are members in this group that have license errors from its group-based license assignment. This property is never returned on a GET operation. You can use it as a $filter argument to get groups that have members with license errors (that is, filter for this property being true). See an example. Supports $filter (eq ). |
hideFromAddressLists | Boolean | True if the group is not displayed in certain parts of the Outlook UI: the Address Book, address lists for selecting message recipients, and the Browse Groups dialog for searching groups; otherwise, false. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
hideFromOutlookClients | Boolean | True if the group is not displayed in Outlook clients, such as Outlook for Windows and Outlook on the web; otherwise, false. Default value is false . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
id | String | The unique identifier for the group. Returned by default. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq , ne , not , in ). |
isArchived | Boolean | When a group is associated with a team this property determines whether the team is in read-only mode. To read this property, use the /group/{groupId}/team endpoint or the Get team API. To update this property, use the archiveTeam and unarchiveTeam APIs. |
isAssignableToRole | Boolean | Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. This property can only be set while creating the group and is immutable. If set to true , the securityEnabled property must also be set to true , visibility must be Hidden , and the group cannot be a dynamic group (that is, groupTypes cannot contain DynamicMembership ). Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. For more, see Using a group to manage Azure AD role assignments. Using this feature requires an Azure AD Premium P1 license. Returned by default. Supports $filter (eq , ne , not ). |
isSubscribedByMail | Boolean | Indicates whether the signed-in user is subscribed to receive email conversations. Default value is true . Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
licenseProcessingState | String | Indicates status of the group license assignment to all members of the group. Default value is false . Possible values: QueuedForProcessing , ProcessingInProgress , and ProcessingComplete . Returned only on $select . Read-only. |
mail | String | The SMTP address for the group, for example, "[email protected]". Returned by default. Read-only. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
mailEnabled | Boolean | Specifies whether the group is mail-enabled. Required. Returned by default. Supports $filter (eq , ne , not ). |
mailNickname | String | The mail alias for the group, unique for Microsoft 365 groups in the organization. Maximum length is 64 characters. This property can contain only characters in the ASCII character set 0 - 127 except the following: @ () \ [] " ; : <> , SPACE . Required. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
membershipRule | String | The rule that determines members for this group if the group is a dynamic group (groupTypes contains DynamicMembership ). For more information about the syntax of the membership rule, see Membership Rules syntax. Returned by default. Supports $filter (eq , ne , not , ge , le , startsWith ). |
membershipRuleProcessingState | String | Indicates whether the dynamic membership processing is on or paused. Possible values are On or Paused . Returned by default. Supports $filter (eq , ne , not , in ). |
onPremisesLastSyncDateTime | DateTimeOffset | Indicates the last time at which the group was synced with the on-premises directory. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Read-only. Supports $filter (eq , ne , not , ge , le , in ). |
onPremisesProvisioningErrors | onPremisesProvisioningError collection | Errors when using Microsoft synchronization product during provisioning. Returned by default. Supports $filter (eq , not ). |
onPremisesSamAccountName | String | Contains the on-premises SAM account name synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect. Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith ). Read-only. |
onPremisesSecurityIdentifier | String | Contains the on-premises security identifier (SID) for the group that was synchronized from on-premises to the cloud. Returned by default. Supports $filter (eq including on null values). Read-only. |
onPremisesSyncEnabled | Boolean | true if this group is synced from an on-premises directory; false if this group was originally synced from an on-premises directory but is no longer synced; null if this object has never been synced from an on-premises directory (default). Returned by default. Read-only. Supports $filter (eq , ne , not , in , and eq on null values). |
preferredDataLocation | String | The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. To set this property, the calling user must be assigned one of the following Azure AD roles: For more information about this property, see OneDrive Online Multi-Geo. Nullable. Returned by default. |
preferredLanguage | String | The preferred language for a Microsoft 365 group. Should follow ISO 639-1 Code; for example en-US . Returned by default. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values). |
proxyAddresses | String collection | Email addresses for the group that direct to the same group mailbox. For example: ["SMTP: [email protected]", "smtp: [email protected]"] . The any operator is required to filter expressions on multi-valued properties. Returned by default. Read-only. Not nullable. Supports $filter (eq , not , ge , le , startsWith , endsWith , /$count eq 0 , /$count ne 0 ). |
renewedDateTime | DateTimeOffset | Timestamp of when the group was last renewed. This cannot be modified directly and is only updated via the renew service action. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Returned by default. Supports $filter (eq , ne , not , ge , le , in ). Read-only. |
resourceBehaviorOptions | String collection | Specifies the group behaviors that can be set for a Microsoft 365 group during creation. This can be set only as part of creation (POST). Possible values are AllowOnlyMembersToPost , HideGroupInOutlook , SubscribeNewGroupMembers , WelcomeEmailDisabled . For more information, see Set Microsoft 365 group behaviors and provisioning options. |
resourceProvisioningOptions | String collection | Specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. Possible value is Team . For more information, see Set Microsoft 365 group behaviors and provisioning options. |
securityEnabled | Boolean | Specifies whether the group is a security group. Required. Returned by default. Supports $filter (eq , ne , not , in ). |
securityIdentifier | String | Security identifier of the group, used in Windows scenarios. Returned by default. |
theme | string | Specifies a Microsoft 365 group's color theme. Possible values are Teal , Purple , Green , Blue , Pink , Orange or Red . Returned by default. |
unseenCount | Int32 | Count of conversations that have received new posts since the signed-in user last visited the group. Returned only on $select . Supported only on the Get group API (GET /groups/{ID} ). |
visibility | String | Specifies the group join policy and group content visibility for groups. Possible values are: Private , Public , or HiddenMembership . HiddenMembership can be set only for Microsoft 365 groups, when the groups are created. It can't be updated later. Other values of visibility can be updated after group creation. If visibility value is not specified during group creation on Microsoft Graph, a security group is created as Private by default and Microsoft 365 group is Public . Groups assignable to roles are always Private . See group visibility options to learn more. Returned by default. Nullable. |
homeRealmDiscoveryPolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See Properties of a home realm discovery policy definition for more details about the JSON schema for this property. Required. |
description | String | Description for this policy. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | If set to true , activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false . |
identitySecurityDefaultsEnforcementPolicy
Property | Type | Description |
---|---|---|
description | String | Description for this policy. Read-only. |
displayName | String | Display name for this policy. Read-only. |
id | String | Identifier for this policy. Read-only. |
isEnabled | Boolean | If set to true , Azure Active Directory security defaults is enabled for the tenant. |
invokeUserFlowListener
Property | Type | Description |
---|---|---|
id | String | The identifier of the action. Inherited from authenticationListener. |
priority | Int32 | The priority of the action that is used to determine one out of multiple applicable actions. Inherited from authenticationListener. |
sourceFilter | authenticationSourceFilter | Filter based on the source of the authentication that is used to determine whether the listener is executed. Inherited from authenticationListener. |
ipNamedLocation
Property | Type | Description |
---|---|---|
createdDateTime | DateTimeOffset | The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. Inherited from namedLocation. |
displayName | String | Human-readable name of the location. Required. |
id | String | Identifier of a namedLocation object. Read-only. Inherited from namedLocation. |
ipRanges | ipRange collection | List of IP address ranges in IPv4 CIDR format (e.g. 1.2.3.4/32) or any allowable IPv6 format from IETF RFC596. Required. |
isTrusted | Boolean | true if this location is explicitly trusted. Optional. Default value is false . |
modifiedDateTime | DateTimeOffset | The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. Inherited from namedLocation. |
ipRange
conditionalAccessPolicyCoverage
Property | Type | Description |
---|---|---|
conditionalAccessPolicyState | String | The state for the conditional access policy. Possible values are: enabled , disabled , enabledForReportingButNotEnforced . Required. Read-only. |
id | String | The unique identifier for this entity. Required. Read-only. |
latestPolicyModifiedDateTime | DateTimeOffset | The date and time the conditional access policy was last modified. Required. Read-only. |
requiresDeviceCompliance | Boolean | A flag indicating whether the conditional access policy requires device compliance. Required. Read-only. |
tenantDisplayName | String | The display name for the managed tenant. Required. Read-only. |
microsoftAuthenticatorAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
id | String | The authentication method policy identifier. |
featureSettings | microsoftAuthenticatorFeatureSettings | A collection of Microsoft Authenticator settings such as application context and location context, and whether they are enabled for all users or specific users only. |
state | authenticationMethodState | Possible values are: enabled , disabled . |
mobilityManagementPolicy
Property | Type | Description |
---|---|---|
appliesTo | policyScope | Indicates the user scope of the mobility management policy. Possible values are: none , all , selected . |
complianceUrl | String | Compliance URL of the mobility management application. |
description | String | Description of the mobility management application. |
discoveryUrl | String | Discovery URL of the mobility management application. |
displayName | String | Display name of the mobility management application. |
id | String | Object Id of the mobility management application. |
isValid | Boolean | Whether policy is valid. Invalid policies may not be updated and should be deleted. |
termsOfUseUrl | String | Terms of Use URL of the mobility management application. |
namedLocation
Property | Type | Description |
---|---|---|
createdDateTime | DateTimeOffset | The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
displayName | String | Human-readable name of the location. |
id | String | Identifier of a namedLocation object. Read-only. |
modifiedDateTime | DateTimeOffset | The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z . Read-only. |
servicePrincipal
Property | Type | Description |
---|---|---|
accountEnabled | Boolean | true if the service principal account is enabled; otherwise, false . If set to false , then no users will be able to sign in to this app, even if they are assigned to it. Supports $filter (eq , ne , not , in ). |
addIns | addIn collection | Defines custom behavior that a consuming service can use to call an app in specific contexts. For example, applications that can render file streams may set the addIns property for its "FileHandler" functionality. This will let services like Microsoft 365 call the application in the context of a document the user is working on. |
alternativeNames | String collection | Used to retrieve service principals by subscription, identify resource group and full resource ids for managed identities. Supports $filter (eq , not , ge , le , startsWith ). |
appDescription | String | The description exposed by the associated application. |
appDisplayName | String | The display name exposed by the associated application. |
appId | String | The unique identifier for the associated application (its appId property). Supports $filter (eq , ne , not , in , startsWith ). |
applicationTemplateId | String | Unique identifier of the applicationTemplate that the servicePrincipal was created from. Read-only. Supports $filter (eq , ne , NOT , startsWith ). |
appOwnerOrganizationId | Guid | Contains the tenant id where the application is registered. This is applicable only to service principals backed by applications. Supports $filter (eq , ne , NOT , ge , le ). |
appRoleAssignmentRequired | Boolean | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens. The default value is false . Not nullable. Supports $filter (eq , ne , NOT ). |
appRoles | appRole collection | The roles exposed by the application which this service principal represents. For more information see the appRoles property definition on the application entity. Not nullable. |
deletedDateTime | DateTimeOffset | The date and time the service principal was deleted. Read-only. |
description | String | Free text field to provide an internal end-user facing description of the service principal. End-user portals such as MyApps will display the application description in this field. The maximum allowed size is 1024 characters. Supports $filter (eq , ne , not , ge , le , startsWith ) and $search . |
disabledByMicrosoftStatus | String | Specifies whether Microsoft has disabled the registered application. Possible values are: null (default value), NotDisabled , and DisabledDueToViolationOfServicesAgreement (reasons may include suspicious, abusive, or malicious activity, or a violation of the Microsoft Services Agreement). Supports $filter (eq , ne , not ). |
displayName | String | The display name for the service principal. Supports $filter (eq , ne , not , ge , le , in , startsWith , and eq on null values), $search , and $orderBy . |
homepage | String | Home page or landing page of the application. |
id | String | The unique identifier for the service principal. Inherited from directoryObject. Key. Not nullable. Read-only. Supports $filter (eq , ne , not , in ). |
info | informationalUrl | Basic profile information of the acquired application such as app's marketing, support, terms of service and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. For more info, see How to: Add Terms of service and privacy statement for registered Azure AD apps. Supports $filter (eq , ne , not , ge , le , and eq on null values). |
keyCredentials | keyCredential collection | The collection of key credentials associated with the service principal. Not nullable. Supports $filter (eq , not , ge , le ). |
loginUrl | String | Specifies the URL where the service provider redirects the user to Azure AD to authenticate. Azure AD uses the URL to launch the application from Microsoft 365 or the Azure AD My Apps. When blank, Azure AD performs IdP-initiated sign-on for applications configured with SAML-based single sign-on. The user launches the application from Microsoft 365, the Azure AD My Apps, or the Azure AD SSO URL. |
logoutUrl | String | Specifies the URL that will be used by Microsoft's authorization service to log out a user using OpenID Connect front-channel, back-channel or SAML logout protocols. |
notes | String | Free text field to capture information about the service principal, typically used for operational purposes. Maximum allowed size is 1024 characters. |
notificationEmailAddresses | String collection | Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date. This is only for the certificates used to sign the SAML token issued for Azure AD Gallery applications. |
oauth2PermissionScopes | permissionScope collection | The delegated permissions exposed by the application. For more information see the oauth2PermissionScopes property on the application entity's api property. Not nullable. |
passwordCredentials | passwordCredential collection | The collection of password credentials associated with the application. Not nullable. |
preferredSingleSignOnMode | string | Specifies the single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. The supported values are password , saml , notSupported , and oidc . |
preferredTokenSigningKeyThumbprint | String | Reserved for internal use only. Do not write or otherwise rely on this property. May be removed in future versions. |
replyUrls | String collection | The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. Not nullable. |
resourceSpecificApplicationPermissions | resourceSpecificPermission collection | The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for Teams apps accessing specific chats and teams using Microsoft Graph. Read-only. |
samlSingleSignOnSettings | samlSingleSignOnSettings | The collection of settings related to SAML single sign-on. |
servicePrincipalNames | String collection | Contains the list of identifiersUris, copied over from the associated application. Additional values can be added to hybrid applications. These values can be used to identify the permissions exposed by this app within Azure AD. For example, The any operator is required for filter expressions on multi-valued properties. Not nullable. Supports $filter (eq , not , ge , le , startsWith ). |
servicePrincipalType | String | Identifies whether the service principal represents an application, a managed identity, or a legacy application. This is set by Azure AD internally. The servicePrincipalType property can be set to three different values: |
signInAudience | String | Specifies the Microsoft accounts that are supported for the current application. Read-only. Supported values are: |
tags | String collection | Custom strings that can be used to categorize and identify the service principal. Not nullable. Supports $filter (eq , not , ge , le , startsWith ). |
tokenEncryptionKeyId | String | Specifies the keyId of a public key from the keyCredentials collection. When configured, Azure AD issues tokens for this application encrypted using the key specified by this property. The application code that receives the encrypted token must use the matching private key to decrypt the token before it can be used for the signed-in user. |
verifiedPublisher | verifiedPublisher | Specifies the verified publisher of the application which this service principal represents. |
smsAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
excludeTargets | excludeTarget collection | Groups of users that are excluded from the policy. |
id | String | The authentication method policy identifier. |
state | authenticationMethodState | Possible values are: enabled , disabled . |
softwareOathAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
excludeTargets | excludeTarget collection | Groups of users that are excluded from the policy. |
id | String | The authentication method policy identifier. |
state | authenticationMethodState | Represents whether users can register this authentication method. The possible values are: enabled , disabled . |
temporaryAccessPassAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
defaultLength | Int | Default length in characters of a Temporary Access Pass object. Must be between 8 and 48 characters. |
defaultLifetimeInMinutes | Int | Default lifetime in minutes for a Temporary Access Pass. Value can be any integer between the minimumLifetimeInMinutes and maximumLifetimeInMinutes. |
id | String | The identifier of the authentication method policy. Inherited from entity. |
isUsableOnce | Boolean | If true , all the passes in the tenant will be restricted to one-time use. If false , passes in the tenant can be created to be either one-time use or reusable. |
maximumLifetimeInMinutes | Int | Maximum lifetime in minutes for any Temporary Access Pass created in the tenant. Value can be between 10 and 43200 minutes (equivalent to 30 days). |
minimumLifetimeInMinutes | Int | Minimum lifetime in minutes for any Temporary Access Pass created in the tenant. Value can be between 10 and 43200 minutes (equivalent to 30 days). |
state | authenticationMethodState | Whether the Temporary Access Pass method is enabled in the tenant. Possible values are: enabled , disabled . Inherited from authenticationMethodConfiguration. |
tenantAppManagementPolicy
Property | Type | Description |
---|---|---|
id | String | The default policy identifier. |
displayName | String | The display name of the default policy. Inherited from policyBase. |
description | String | The description of the default policy. Inherited from policyBase. |
isEnabled | Boolean | Denotes whether the policy is enabled. Default value is false . |
applicationRestrictions | appManagementConfiguration | Restrictions that apply as default to all application objects in the tenant. |
servicePrincipalRestrictions | appManagementConfiguration | Restrictions that apply as default to all service principal objects in the tenant. |
tokenIssuancePolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
description | String | Description for this policy. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | Ignore this property. The token-issuance policy can only be applied to service principals and can't be set globally for the organization. |
tokenLifetimePolicy
Property | Type | Description |
---|---|---|
definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
description | String | Description for this policy. |
displayName | String | Display name for this policy. Required. |
id | String | Unique identifier for this policy. Read-only. |
isOrganizationDefault | Boolean | If set to true , activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false . |
trustFrameworkPolicy
Property | Type | Description |
---|---|---|
id | String | The ID of the policy. |
voiceAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
excludeTargets | excludeTarget collection | Groups of users that are excluded from the policy. |
id | String | The authentication method policy identifier. |
isOfficePhoneAllowed | Boolean | true if users can register office phones, otherwise, false . |
state | authenticationMethodState | Represents whether users can register this authentication method. The possible values are: enabled , disabled . |
x509CertificateAuthenticationMethodConfiguration
Property | Type | Description |
---|---|---|
authenticationModeConfiguration | x509CertificateAuthenticationModeConfiguration | Defines strong authentication configurations. This configuration includes the default authentication mode and the different rules for strong authentication bindings. |
certificateUserBindings | x509CertificateUserBinding collection | Defines fields in the X.509 certificate that map to attributes of the Azure AD user object in order to bind the certificate to the user. The priority of the object determines the order in which the binding is carried out. The first binding that matches will be used and the rest ignored. |
id | String | The identifier for the authentication method policy. The value is always X509Certificate . Inherited from |
state | authenticationMethodState | The possible values are: enabled , disabled . Inherited from authenticationMethodConfiguration. |