Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.Read.ApplicationConfiguration permission.
If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant.
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: activityBasedTimeoutPolicy
| Property | Type | Description |
| --- | --- | --- |
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
| description | String | Description for this policy. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |
Graph reference: appManagementApplicationConfiguration
| Property | Type | Description |
| --- | --- | --- |
| identifierUris | identifierUriConfiguration | Configuration object for restrictions on the identifierUris property of an application. |
| keyCredentials | keyCredentialConfiguration collection | Collection of certificate credential restriction settings to be applied to an application or service principal. Inherited from appManagementConfiguration. |
| passwordCredentials | passwordCredentialConfiguration collection | Collection of password restriction settings to be applied to an application or service principal. Inherited from appManagementConfiguration. |
Graph reference: appManagementConfiguration
| Property | Type | Description |
| --- | --- | --- |
| passwordCredentials | passwordCredentialConfiguration collection | Collection of password restriction settings to be applied to an application or service principal. |
| keyCredentials | keyCredentialConfiguration collection | Collection of keyCredential restriction settings to be applied to an application or service principal. |
Graph reference: appManagementPolicy
| Property | Type | Description |
| --- | --- | --- |
| displayName | String | The display name of the policy. Inherited from policyBase. |
| description | String | The description of the policy. Inherited from policyBase. |
| id | String | The unique identifier for the policy. |
| isEnabled | Boolean | Denotes whether the policy is enabled. |
| restrictions | appManagementConfiguration | Restrictions that apply to an application or service principal object. |
Graph reference: authenticationListener
| Property | Type | Description |
| --- | --- | --- |
| id | String | The identifier of the action. |
| priority | Int32 | The priority of the listener. Determines the order of evaluation when an event has multiple listeners. The priority is evaluated from low to high. |
| sourceFilter | authenticationSourceFilter | Filter based on the source of the authentication that is used to determine whether the listener is evaluated. Currently limited to evaluations based on the application the user is authenticating to. |
Graph reference: authenticationSourceFilter
| Property | Type | Description |
| --- | --- | --- |
| includeApplications | String collection | Applications to include for evaluation of the authenticationListener. These applications trigger the associated action when used as the client application in the authentication flow. The application identifier is the application's client ID. |
Graph reference: b2xIdentityUserFlow
| Property | Type | Description |
| --- | --- | --- |
| apiConnectorConfiguration | userFlowApiConnectorConfiguration | Configuration for enabling an API connector for use as part of the self-service sign-up user flow. You can only obtain the value of this object using Get userFlowApiConnectorConfiguration. |
| id | String | The name of the user flow is a required value and is immutable after it's created. The name will be prefixed with the value of B2X_1_ after creation. |
| userFlowType | userFlowType | The type of user flow. For self-service sign-up user flows, the value can only be signUpOrSignIn and can't be modified after creation. |
| userFlowTypeVersion | Single | The version of the user flow. For self-service sign-up user flows, the version is always 1. |
Graph reference: claimsMappingPolicy
| Property | Type | Description |
| --- | --- | --- |
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. For more information about the JSON schema for this property, see Properties of a claims-mapping policy definition. Required. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | Ignore this property. The claims-mapping policy can only be applied to service principals and can't be set globally for the organization. |
Graph reference: customClaimBase
| Property | Type | Description |
| --- | --- | --- |
| configurations | customClaimConfiguration collection | One or more configurations that describe how the claim is sourced and under what conditions. |
Graph reference: customClaimsPolicy
| Property | Type | Description |
| --- | --- | --- |
| audienceOverride | String | If specified, it overrides the content of the audience claim for WS-Federation and SAML2 protocols. A custom signing key must be used for audienceOverride to be applied; otherwise, the audienceOverride value is ignored. The value provided must be in the format of an absolute URI. |
| claims | customClaim collection | Defines which claims are present in the tokens affected by the policy, in addition to the basic claim and the core claim set. Inherited from customClaimBase. |
| id | String | Policy identifier string. Inherited from entity. |
| includeApplicationIdInIssuer | Boolean | Indicates whether the application ID is added to the claim. It is relevant only for SAML2.0 and if a custom signing key is used. The default value is true. Optional. |
| includeBasicClaimSet | Boolean | Determines whether the basic claim set is included in tokens affected by this policy. If set to true, all claims in the basic claim set are emitted in tokens affected by the policy. By default the basic claim set isn't in the tokens unless they're explicitly configured in this policy. |
Graph reference: homeRealmDiscoveryPolicy
| Property | Type | Description |
| --- | --- | --- |
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. For more information about the JSON schema for this property, see Properties of a home realm discovery policy definition. Required. |
| description | String | Description for this policy. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |
Graph reference: invokeUserFlowListener
| Property | Type | Description |
| --- | --- | --- |
| id | String | The identifier of the action. Inherited from authenticationListener. |
| priority | Int32 | The priority of the action that is used to determine one out of multiple applicable actions. Inherited from authenticationListener. |
| sourceFilter | authenticationSourceFilter | Filter based on the source of the authentication that is used to determine whether the listener is executed. Inherited from authenticationListener. |
Graph reference: policyBase
| Property | Type | Description |
| --- | --- | --- |
| id | String | Unique identifier for this policy. Read-only. Inherited from directoryObject. |
| description | String | Description for this policy. Required. |
| displayName | String | Display name for this policy. Required. |
Graph reference: tokenIssuancePolicy
| Property | Type | Description |
| --- | --- | --- |
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. |
| description | String | Description for this policy. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | Ignore this property. The token-issuance policy can only be applied to service principals and can't be set globally for the organization. |
Graph reference: tokenLifetimePolicy
| Property | Type | Description |
| --- | --- | --- |
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. For more information about the JSON schema for this property, see Properties of a token lifetime policy definition. Required. |
| displayName | String | Display name for this policy. Required. |
| id | String | Unique identifier for this policy. Read-only. |
| isOrganizationDefault | Boolean | If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false. |