Table of Contents

Policy.Read.All

Allows the app to read your organization's policies on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category Application Delegated
Identifier 246dd0d5-5bd0-4def-940b-0421030a5b68 572fea84-0151-49b2-9301-11cb16974376
DisplayText Read your organization's policies Read your organization's policies
Description Allows the app to read all your organization's policies without a signed in user. Allows the app to read your organization's policies on behalf of the signed-in user.
AdminConsentRequired Yes Yes

Graph Methods

API supports delegated access (access on behalf of a user)
API supports app-only access (access without a user)

Methods
DELETE /applications(appId='{appId}')/tokenIssuancePolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /applications(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /applications/{applicationObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /applications/{id}/tokenIssuancePolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /identity/conditionalAccess/namedLocations/{id}
Policy.Read.All and Policy.ReadWrite.ConditionalAccess
DELETE /identity/conditionalAccess/policies/{id}
Policy.Read.All and Policy.ReadWrite.ConditionalAccess
DELETE /servicePrincipals(appId='{appId}')/claimsMappingPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy
DELETE /servicePrincipals/{id}/claimsMappingPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /servicePrincipals/{id}/homeRealmDiscoveryPolicies/{id}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
DELETE /servicePrincipals/{servicePrincipalObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy
GET /applications(appId='{appId}')/tokenIssuancePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /applications(appId='{appId}')/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /applications/{id}/tokenIssuancePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /applications/{id}/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /identity/conditionalAccess/authenticationStrength/authenticationMethodModes
GET /identity/conditionalAccess/authenticationStrength/authenticationMethodModes/{authenticationMethodModeDetailId}
GET /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations
GET /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
GET /identity/conditionalAccess/namedLocations
GET /identity/conditionalAccess/namedLocations/{id}
GET /identity/conditionalAccess/policies
GET /identity/conditionalAccess/policies/{id}
GET /identity/conditionalAccess/templates
GET /identity/conditionalAccess/templates/{id}
GET /policies/activityBasedTimeoutPolicies/{id}
GET /policies/adminConsentRequestPolicy
GET /policies/appManagementPolicies
GET /policies/appManagementPolicies/{id}
GET /policies/appManagementPolicies/{id}/appliesTo
Application.Read.All and Policy.Read.All
GET /policies/authenticationFlowsPolicy
GET /policies/authenticationMethodsPolicy
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/sms
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/temporaryAccessPass
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice
GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate
GET /policies/authenticationStrengthPolicies
GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/usage
GET /policies/authorizationPolicy
GET /policies/claimsMappingPolicies
GET /policies/claimsMappingPolicies/{id}
GET /policies/claimsMappingPolicies/{id}/appliesTo
Policy.Read.All and Application.Read.All
GET /policies/crossTenantAccessPolicy
GET /policies/crossTenantAccessPolicy/default
GET /policies/crossTenantAccessPolicy/partners
GET /policies/crossTenantAccessPolicy/partners/{id}
GET /policies/crossTenantAccessPolicy/partners/{id}/identitySynchronization
GET /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationIdentitySynchronization
GET /policies/crossTenantAccessPolicy/templates/multiTenantOrganizationPartnerConfiguration
GET /policies/defaultAppManagementPolicy
GET /policies/homeRealmDiscoveryPolicies
GET /policies/homeRealmDiscoveryPolicies/{id}
GET /policies/homeRealmDiscoveryPolicies/{id}/appliesTo
Policy.Read.All and Application.Read.All
GET /policies/identitySecurityDefaultsEnforcementPolicy
GET /policies/tokenIssuancePolicies/{id}
GET /policies/tokenIssuancePolicies/{id}/appliesTo
Policy.Read.All and Application.Read.All
GET /policies/tokenLifetimePolicies
GET /policies/tokenLifetimePolicies/{id}
GET /policies/tokenLifetimePolicies/{id}/appliesTo
Policy.Read.All and Application.Read.All
GET /servicePrincipals(appId='{appId}')/claimsMappingPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /servicePrincipals(appId='{appId}')/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy
GET /servicePrincipals/{id}/claimsMappingPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /servicePrincipals/{id}/homeRealmDiscoveryPolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
GET /servicePrincipals/{id}/tokenLifetimePolicies
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy
GET policies/activityBasedTimeoutPolicies
GET policies/tokenIssuancePolicies
PATCH /identity/conditionalAccess/namedLocations/{id}
Policy.Read.All and Policy.ReadWrite.ConditionalAccess
PATCH /identity/conditionalAccess/policies/{id}
Policy.Read.All and Policy.ReadWrite.ConditionalAccess
PATCH /policies/identitySecurityDefaultsEnforcementPolicy
POST /applications(appId='{appId}')/tokenIssuancePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /applications(appId='{appId}')/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /applications/{id}/tokenIssuancePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /applications/{id}/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /identity/conditionalAccess/namedLocations
Policy.Read.All and Policy.ReadWrite.ConditionalAccess
POST /identity/conditionalAccess/policies
Policy.Read.All and Policy.ReadWrite.ConditionalAccess
POST /servicePrincipals(appId='{appId}')/claimsMappingPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy
POST /servicePrincipals/{id}/claimsMappingPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /servicePrincipals/{id}/homeRealmDiscoveryPolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All
POST /servicePrincipals/{id}/tokenLifetimePolicies/$ref
Application.ReadWrite.All and Policy.Read.All ▪️ Application.ReadWrite.OwnedBy and Policy.Read.All ▪️ Policy.Read.All and Application.ReadWrite.All ▪️ Policy.Read.All and Application.ReadWrite.OwnedBy

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: accessReviewPolicy

Property Type Description
description String Description for this policy. Read-only.
displayName String Display name for this policy. Read-only.
isGroupOwnerManagementEnabled Boolean If true, group owners can create and manage access reviews on groups they own.