Policy.ReadWrite.ApplicationConfiguration

Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.ApplicationConfiguration permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	be74164b-cff1-491c-8741-e671cb536e13	b27add92-efb2-4f16-84f5-8108ba77985c
DisplayText	Read and write your organization's application configuration policies	Read and write your organization's application configuration policies
Description	Allows the app to read and write your organization's application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.	Allows the app to read and write your organization's application configuration policies on behalf of the signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy.
AdminConsentRequired	Yes	Yes

Graph Methods

• API [v1.0]
• API [beta]
• PowerShell [v1.0]
• PowerShell [beta]

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /applications(appId='{appId}')/tokenIssuancePolicies/{id}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /applications(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /applications/{applicationObjectId}/appManagementPolicies/{appManagementPolicyId}/$ref Application.Read.All and Policy.ReadWrite.ApplicationConfiguration
	DELETE /applications/{applicationObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /applications/{id}/tokenIssuancePolicies/{id}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /policies/activityBasedTimeoutPolicies/{id}
	DELETE /policies/appManagementPolicies/{id}
	DELETE /policies/claimsMappingPolicies/{id}
	DELETE /policies/homeRealmDiscoveryPolicies/{id}
	DELETE /policies/tokenIssuancePolicies/{id}
	DELETE /policies/tokenLifetimePolicies/{id}
	DELETE /servicePrincipals(appId='{appId}')/claimsMappingPolicies/{id}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/{id}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	DELETE /servicePrincipals/{id}/claimsMappingPolicies/{id}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /servicePrincipals/{id}/homeRealmDiscoveryPolicies/{id}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	DELETE /servicePrincipals/{servicePrincipalObjectId}/appManagementPolicies/{appManagementPolicyId}/$ref Application.Read.All and Policy.ReadWrite.ApplicationConfiguration
	DELETE /servicePrincipals/{servicePrincipalObjectId}/tokenLifetimePolicies/{tokenLifetimePolicyId}/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	GET /applications(appId='{appId}')/tokenIssuancePolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /applications(appId='{appId}')/tokenLifetimePolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /applications/{id}/tokenIssuancePolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /applications/{id}/tokenLifetimePolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /policies/activityBasedTimeoutPolicies
	GET /policies/activityBasedTimeoutPolicies/{id}
	GET /policies/appManagementPolicies
	GET /policies/appManagementPolicies/{id}
	GET /policies/appManagementPolicies/{id}/appliesTo Application.Read.All and Policy.ReadWrite.ApplicationConfiguration
	GET /policies/claimsMappingPolicies
	GET /policies/claimsMappingPolicies/{id}
	GET /policies/claimsMappingPolicies/{id}/appliesTo Policy.ReadWrite.ApplicationConfiguration and Application.Read.All
	GET /policies/defaultAppManagementPolicy
	GET /policies/homeRealmDiscoveryPolicies
	GET /policies/homeRealmDiscoveryPolicies/{id}
	GET /policies/homeRealmDiscoveryPolicies/{id}/appliesTo Policy.ReadWrite.ApplicationConfiguration and Application.Read.All
	GET /policies/tokenIssuancePolicies/{id}
	GET /policies/tokenIssuancePolicies/{id}/appliesTo Policy.ReadWrite.ApplicationConfiguration and Application.Read.All
	GET /policies/tokenLifetimePolicies
	GET /policies/tokenLifetimePolicies/{id}
	GET /policies/tokenLifetimePolicies/{id}/appliesTo Policy.ReadWrite.ApplicationConfiguration and Application.Read.All
	GET /servicePrincipals(appId='{appId}')/claimsMappingPolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /servicePrincipals(appId='{appId}')/tokenLifetimePolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	GET /servicePrincipals/{id}/claimsMappingPolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /servicePrincipals/{id}/homeRealmDiscoveryPolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	GET /servicePrincipals/{id}/tokenLifetimePolicies Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	GET policies/tokenIssuancePolicies
	PATCH /policies/activityBasedTimeoutPolicies/{id}
	PATCH /policies/appManagementPolicies/{id}
	PATCH /policies/claimsMappingPolicies/{id}
	PATCH /policies/defaultAppManagementPolicy
	PATCH /policies/homeRealmDiscoveryPolicies/{id}
	PATCH /policies/tokenIssuancePolicies/{id}
	PATCH /policies/tokenLifetimePolicies/{id}
	POST /applications(appId='{appId}')/tokenIssuancePolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /applications(appId='{appId}')/tokenLifetimePolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /applications/{id}/appManagementPolicies/$ref Application.Read.All and Policy.ReadWrite.ApplicationConfiguration
	POST /applications/{id}/tokenIssuancePolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /applications/{id}/tokenLifetimePolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /policies/activityBasedTimeoutPolicies
	POST /policies/appManagementPolicies
	POST /policies/claimsMappingPolicies
	POST /policies/homeRealmDiscoveryPolicies
	POST /servicePrincipals(appId='{appId}')/claimsMappingPolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /servicePrincipals(appId='{appId}')/homeRealmDiscoveryPolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /servicePrincipals(appId='{appId}')/tokenLifetimePolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	POST /servicePrincipals/{id}/claimsMappingPolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /servicePrincipals/{id}/homeRealmDiscoveryPolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All
	POST /servicePrincipals/{id}/tokenLifetimePolicies/$ref Application.ReadWrite.All and Policy.ReadWrite.ApplicationConfiguration ▪️ Application.ReadWrite.OwnedBy and Policy.ReadWrite.ApplicationConfiguration ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All ▪️ Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.OwnedBy
	POST policies/tokenIssuancePolicies
	POST policies/tokenLifetimePolicies

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

• activityBasedTimeoutPolicy
• application
• appManagementApplicationConfiguration
• appManagementConfiguration
• appManagementPolicy
• authenticationListener
• authenticationSourceFilter
• b2xIdentityUserFlow
• claimsMappingPolicy
• customClaimBase
• customClaimsPolicy
• directoryObject
• homeRealmDiscoveryPolicy
• invokeUserFlowListener
• policyBase
• servicePrincipal
• tenantAppManagementPolicy
• tokenIssuancePolicy
• tokenLifetimePolicy

Graph reference: activityBasedTimeoutPolicy

Property	Type	Description
definition	String collection	A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required.
displayName	String	Display name for this policy. Required.
id	String	Unique identifier for this policy. Read-only.
isOrganizationDefault	Boolean	If set to true, activates this policy. There can be many policies for the same policy type, but only one can be activated as the organization default. Optional, default value is false.