
Policy.ReadWrite.Authorization

Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

| Ver | Type | Method |
|---|---|---|
| V1 | A,D | GET /policies/authorizationPolicy |
| Beta | A,D | GET /policies/authorizationPolicy/authorizationPolicy |
| V1 | A,D | PATCH /policies/authorizationPolicy |
| Beta | A,D | PATCH /policies/authorizationPolicy/authorizationPolicy |

Delegate Permission

| Field | Value |
|---|---|
| Id | edd3c878-b384-41fd-95ad-e7407dd775be |
| Consent Type | Admin |
| Display String | Read and write your organization's authorization policy |
| Description | Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. |

Application Permission

| Field | Value |
|---|---|
| Id | fb221be6-99f2-473f-bd32-01c6a0e9ca3b |
| Display String | Read and write your organization's authorization policy |
| Description | Allows the app to read and write your organization's authorization policy without a signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. |

Resources

authorizationPolicy

| Property | Type | Description |
|---|---|---|
| allowedToSignUpEmailBasedSubscriptions | Boolean | Indicates whether users can sign up for email-based subscriptions. |
| allowedToUseSSPR | Boolean | Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant. |
| allowEmailVerifiedUsersToJoinOrganization | Boolean | Indicates whether a user can join the tenant by email validation. |
| allowInvitesFrom | allowInvitesFrom | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. See more in the table below. |
| blockMsolPowerShell | Boolean | To disable the use of MSOL PowerShell, set this property to true. This also disables user-based access to the legacy service endpoint used by MSOL PowerShell. It does not affect Azure AD Connect or Microsoft Graph. |
| defaultUserRolePermissions | defaultUserRolePermissions | Specifies certain customizable permissions for the default user role. |
| description | String | Description of this policy. |
| displayName | String | Display name for this policy. |
| guestUserRoleId | Guid | The role templateId of the role granted to guest users. Currently the following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). |
| id | String | ID of the authorization policy. Required. Read-only. |

defaultUserRolePermissions

| Property | Type | Description |
|---|---|---|
| allowedToCreateApps | Boolean | Indicates whether the default user role can create applications. |
| allowedToCreateSecurityGroups | Boolean | Indicates whether the default user role can create security groups. |
| allowedToReadOtherUsers | Boolean | Indicates whether the default user role can read other users. |
| permissionGrantPoliciesAssigned | String collection | Indicates if user consent to apps is allowed, and if it is, which permission to grant consent and which app consent policy (permissionGrantPolicy) govern the permission for users to grant consent. Value should be in the format managePermissionGrantsForSelf.{id}, where {id} is the **i |
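The properties above are the ones a tenant hardening review usually checks: who may invite guests, which role guests land in, whether the default user role can register applications, and whether user consent to apps is switched on (an empty permissionGrantPoliciesAssigned collection means it is off). The script below is an added example, not code from this page or from Microsoft Graph: it audits a GET /policies/authorizationPolicy response against a baseline and builds the minimal PATCH body that the Policy.ReadWrite.Authorization permission would be used to send. The endpoint path, property names and role template ids come from the page; the baseline values, the sample response and the grant policy id in it are this example's own assumptions.

```python
"""Audit an authorizationPolicy against a hardened baseline and build the PATCH
body that fixes the drift.

Added example for this reference page; not code from the page or from
Microsoft Graph. Endpoint path and property names come from the page; the
baseline values are assumptions to adapt to the tenant.
"""
import json
import urllib.request

GRAPH_URL = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Role template ids exactly as listed on the page for guestUserRoleId.
RESTRICTED_GUEST_ROLE = "2af84b1e-32c8-42b7-82bc-daa82404023b"
GUEST_USER_ROLE = "10dae51f-b6af-4016-8d66-8c2a99b929b3"

# Baseline: property -> (accepted values, value to PATCH when drifted).
TOP_LEVEL_BASELINE = {
    "allowInvitesFrom": (("none", "adminsAndGuestInviters"), "adminsAndGuestInviters"),
    "allowEmailVerifiedUsersToJoinOrganization": ((False,), False),
    "blockMsolPowerShell": ((True,), True),
    "guestUserRoleId": ((RESTRICTED_GUEST_ROLE,), RESTRICTED_GUEST_ROLE),
}
# Nested defaultUserRolePermissions. allowedToReadOtherUsers is deliberately
# left out of the baseline: turning it off breaks directory lookups for everyone.
DEFAULT_ROLE_BASELINE = {
    "allowedToCreateApps": ((False,), False),
    "allowedToCreateSecurityGroups": ((False,), False),
}

# Constructed sample GET response (not real tenant data). Its shape follows the
# page's property tables; the grant policy id is an assumed built-in policy id.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "displayName": "Authorization Policy",
    "description": "Used to manage authorization related settings across the company.",
    "allowInvitesFrom": "everyone",
    "allowedToSignUpEmailBasedSubscriptions": True,
    "allowedToUseSSPR": True,
    "allowEmailVerifiedUsersToJoinOrganization": True,
    "blockMsolPowerShell": False,
    "guestUserRoleId": GUEST_USER_ROLE,
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": True,
        "allowedToReadOtherUsers": True,
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"  # assumed id
        ],
    },
}


def assess(policy):
    """Return drift findings: one dict (property, current, fix) per deviation."""
    findings = []
    for prop, (accepted, fix) in TOP_LEVEL_BASELINE.items():
        current = policy.get(prop)
        if current not in accepted:
            findings.append({"property": prop, "current": current, "fix": fix})
    perms = policy.get("defaultUserRolePermissions") or {}
    for prop, (accepted, fix) in DEFAULT_ROLE_BASELINE.items():
        current = perms.get(prop)
        if current not in accepted:
            findings.append({"property": f"defaultUserRolePermissions.{prop}",
                             "current": current, "fix": fix})
    # Per the page, an empty collection means user consent to apps is disabled;
    # any assigned policy means users can grant consent themselves.
    grants = perms.get("permissionGrantPoliciesAssigned") or []
    if grants:
        findings.append({"property": "defaultUserRolePermissions.permissionGrantPoliciesAssigned",
                         "current": grants, "fix": []})
    return findings


def build_patch(findings):
    """Build the minimal PATCH body; dotted properties become nested objects."""
    body = {}
    for finding in findings:
        *parents, leaf = finding["property"].split(".")
        target = body
        for key in parents:
            target = target.setdefault(key, {})
        target[leaf] = finding["fix"]
    return body


def merge_patch(policy, patch):
    """Dry run: deep-merge the PATCH body into a copy, as the service would store it."""
    merged = json.loads(json.dumps(policy))
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)
        else:
            merged[key] = value
    return merged


def graph_request(token, method="GET", body=None):
    """GET or PATCH the v1.0 authorizationPolicy endpoint with a bearer token.
    A PATCH returns no body (204), so an empty dict is returned for it."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    drift = assess(SAMPLE_POLICY)  # live use: assess(graph_request(token))
    for f in drift:
        print(f"DRIFT {f['property']}: {f['current']!r} -> {f['fix']!r}")
    patch_body = build_patch(drift)
    print(json.dumps(patch_body, indent=2))
    assert assess(merge_patch(SAMPLE_POLICY, patch_body)) == []
    # To apply for real: graph_request(token, "PATCH", patch_body)
```

Run as-is the script works entirely on the constructed sample and prints seven findings plus the PATCH body; with a token obtained through an app or delegated flow carrying this permission, replacing SAMPLE_POLICY with graph_request(token) audits the real tenant, and the dry-run merge check confirms the generated PATCH would leave nothing flagged before it is sent.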
Created by merill