Policy.Read.ConditionalAccess
Allows the app to read your organization's conditional access policies on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
Policy.Read.ConditionalAccesspermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | 37730810-e9ba-4e46-b07e-8ca78d182097 | 633e0fce-8c58-4cfb-9495-12bbd5a24f7c |
| DisplayText | Read your organization's conditional access policies | Read your organization's conditional access policies |
| Description | Allows the app to read your organization's conditional access policies, without a signed-in user. | Allows the app to read your organization's conditional access policies on behalf of the signed-in user. |
| AdminConsentRequired | Yes | No |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: authenticationContextClassReference
| Property | Type | Description |
|---|---|---|
| description | String | A short explanation of the policies that are enforced by authenticationContextClassReference. This value should be used to provide secondary text to describe the authentication context class reference when building user-facing admin experiences. For example, a selection UX. |
| displayName | String | The display name is the friendly name of the authenticationContextClassReference object. This value should be used to identify the authentication context class reference when building user-facing admin experiences. For example, a selection UX. |
| id | String | Identifier used to reference the authentication context class. The ID is used to trigger step-up authentication for the referenced authentication requirements and is the value that will be issued in the acrs claim of an access token. This value in the claim is used to verify that the required authentication context has been satisfied. The allowed values are c1 through c25. Supports $filter (eq). |
| isAvailable | Boolean | Indicates whether the authenticationContextClassReference has been published by the security admin and is ready for use by apps. When it's set to false, it shouldn't be shown in authentication context selection UX, or used to protect app resources. It's shown and available for Conditional Access policy authoring. The default value is false. Supports $filter (eq). |