Policy.Read.ConditionalAccess

Allows the app to read your organization's conditional access policies on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.Read.ConditionalAccess permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	37730810-e9ba-4e46-b07e-8ca78d182097	633e0fce-8c58-4cfb-9495-12bbd5a24f7c
DisplayText	Read your organization's conditional access policies	Read your organization's conditional access policies
Description	Allows the app to read your organization's conditional access policies, without a signed-in user.	Allows the app to read your organization's conditional access policies on behalf of the signed-in user.
AdminConsentRequired	Yes	No

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/conditionalAccess/authenticationContextClassReferences/{id}
	GET /identity/conditionalAccess/authenticationContextClassReferences
	GET /identity/conditionalAccess/authenticationContextClassReferences/{id}

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/conditionalAccess/authenticationContextClassReferences/{authenticationContextClassReferenceId}
	GET /identity/conditionalAccess/authenticationContextClassReferences
	GET /identity/conditionalAccess/authenticationContextClassReferences/{id}
	POST /identity/conditionalAccess/evaluate

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgIdentityConditionalAccessAuthenticationContextClassReference
	Remove-MgIdentityConditionalAccessAuthenticationContextClassReference

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference
	Remove-MgBetaIdentityConditionalAccessAuthenticationContextClassReference
	Test-MgBetaIdentityConditionalAccess

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: authenticationContextClassReference

Property	Type	Description
description	String	A short explanation of the policies that are enforced by authenticationContextClassReference. This value should be used to provide secondary text to describe the authentication context class reference when building user-facing admin experiences. For example, a selection UX.
displayName	String	The display name is the friendly name of the authenticationContextClassReference object. This value should be used to identify the authentication context class reference when building user-facing admin experiences. For example, a selection UX.
id	String	Identifier used to reference the authentication context class. The ID is used to trigger step-up authentication for the referenced authentication requirements and is the value that will be issued in the `acrs` claim of an access token. This value in the claim is used to verify that the required authentication context has been satisfied. The allowed values are `c1` through `c25`. Supports `$filter` (`eq`).
isAvailable	Boolean	Indicates whether the authenticationContextClassReference has been published by the security admin and is ready for use by apps. When it's set to `false`, it shouldn't be shown in authentication context selection UX, or used to protect app resources. It's shown and available for Conditional Access policy authoring. The default value is `false`. Supports `$filter` (`eq`).

Graph reference: signInConditions

Property	Type	Description
authenticationFlow	authenticationFlow	Type of authentication flow. The possible value is: `deviceCodeFlow` or `authenticationTransfer`. Default value is `none`.
clientAppType	conditionalAccessClientApp	Client application type. The possible value is: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported`, `other`, `unknownFutureValue`. Default value is `all`.
country	String	Country from where the identity is authenticating.
deviceInfo	deviceInfo	Information about the device used for the sign-in.
devicePlatform	conditionalAccessDevicePlatform	Device platform. The possible value is: `android`, `iOS`, `windows`, `windowsPhone`, `macOS`, `all`, `unknownFutureValue`, `linux`. Default value is `all`.
insiderRiskLevel	insiderRiskLevel	Insider risk associated with the authenticating user. The possible value is: `none`, `minor`, `moderate`, `elevated`, `unknownFutureValue`. Default value is `none`.
ipAddress	String	Ip address of the authenticating identity.
servicePrincipalRiskLevel	riskLevel	Risk associated with the service principal. The possible value is: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. Default value is `none`.
signInRiskLevel	riskLevel	Sign-in risk associated with the user. The possible value is: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. Default value is `none`.
userRiskLevel	riskLevel	The authenticating user's risk level. The possible value is: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. Default value is `none`.

Graph reference: whatIfAnalysisResult

Property	Type	Description
analysisReasons	whatIfAnalysisReasons	Specifies the reasons why a policy didn't apply. `analysisReasons` is set to `notSet` when `policyApplies` is `true` and one of the following values when `policyApplies` is `false`: `notEnoughInformation`, `invalidCondition`, `users`, `workloadIdentities`, `application`, `userActions`, `authenticationContext`, `devicePlatform`, `devices`, `clientApps`, `location`, `signInRisk`, `emptyPolicy`, `invalidPolicy`, `policyNotEnabled`, `userRisk`, `time`, `insiderRisk`, `authenticationFlow`, `unknownFutureValue`.
conditions	conditionalAccessConditionSet	Specifies the rules that must be met for the policy to apply. Inherited from conditionalAccessPolicy.
createdDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from conditionalAccessPolicy.
description	String	Not used. Inherited from conditionalAccessPolicy.
displayName	String	Specifies a display name for the conditionalAccessPolicy object. Inherited from conditionalAccessPolicy.
grantControls	conditionalAccessGrantControls	Specifies the grant controls that must be fulfilled to pass the policy. Inherited from conditionalAccessPolicy.
id	String	Specifies the identifier of a conditionalAccessPolicy object. Inherited from entity.
modifiedDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from conditionalAccessPolicy.
policyApplies	Boolean	Specifies whether the policy applies to the sign-in properties provided in the request body. If `policyApplies` is `true`, the policy applies to the sign-in based on the sign-in properties provided. If `policyApplies` is `false`, the policy doesn't apply to the sign-in based on the sign-in properties provided and the `analysisReasons` property is populated to show the reason for the policy not applying.
sessionControls	conditionalAccessSessionControls	Specifies the session controls that are enforced after sign-in. Inherited from conditionalAccessPolicy.
state	conditionalAccessPolicyState	Specifies the state of the conditionalAccessPolicy object. Inherited from conditionalAccessPolicy. The possible values are: `enabled`, `disabled`, `enabledForReportingButNotEnforced`, `unknownFutureValue`.

Table of Contents

Policy.Read.ConditionalAccess

Graph Methods

Resources