Policy.ReadWrite.ConditionalAccess

Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.ConditionalAccess permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	01c0a623-fc9b-48e9-b794-0756f8e8f067	ad902697-1014-4ef5-81ef-2b4301988e8c
DisplayText	Read and write your organization's conditional access policies	Read and write your organization's conditional access policies
Description	Allows the app to read and write your organization's conditional access policies, without a signed-in user.	Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
	DELETE /identity/conditionalAccess/namedLocations/{id} `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	DELETE /identity/conditionalAccess/policies/{id} `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	DELETE /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
	GET /identity/conditionalAccess/authenticationContextClassReferences
	GET /identity/conditionalAccess/authenticationStrength/authenticationMethodModes
	GET /identity/conditionalAccess/authenticationStrength/authenticationMethodModes/{authenticationMethodModeDetailId}
	GET /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations
	GET /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
	GET /policies/authenticationStrengthPolicies
	GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
	GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/usage
	PATCH /identity/conditionalAccess/authenticationContextClassReferences/{id}
	PATCH /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
	PATCH /identity/conditionalAccess/namedLocations/{id} `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	PATCH /identity/conditionalAccess/policies/{id} `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	PATCH /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
	PATCH /policies/identitySecurityDefaultsEnforcementPolicy
	POST /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations
	POST /identity/conditionalAccess/namedLocations `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	POST /identity/conditionalAccess/policies `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	POST /policies/authenticationStrengthPolicies
	POST /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
	DELETE /identity/conditionalAccess/namedLocations/{id} `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	DELETE /identity/conditionalAccess/policies/{id} `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	DELETE /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
	GET /identity/conditionalAccess/authenticationContextClassReferences
	GET /identity/conditionalAccess/authenticationStrength/authenticationMethodModes
	GET /identity/conditionalAccess/authenticationStrength/authenticationMethodModes/{authenticationMethodModeDetailId}
	GET /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations
	GET /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
	GET /policies/authenticationStrengthPolicies
	GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
	GET /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/usage
	GET /policies/authenticationStrengthPolicies/findByMethodMode(authenticationMethodModes={authenticationMethodMode})
	GET /tenantRelationships/managedTenants/conditionalAccessPolicyCoverages
	GET /tenantRelationships/managedTenants/conditionalAccessPolicyCoverages/{conditionalAccessPolicyCoverageId}
	PATCH /identity/conditionalAccess/authenticationContextClassReferences/{id}
	PATCH /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations/{authenticationCombinationConfigurationId}
	PATCH /identity/conditionalAccess/namedLocations/{id} `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	PATCH /identity/conditionalAccess/policies/{id} `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	PATCH /identity/continuousAccessEvaluationPolicy `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	PATCH /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}
	PATCH /policies/identitySecurityDefaultsEnforcementPolicy
	POST /identity/conditionalAccess/authenticationContextClassReferences
	POST /identity/conditionalAccess/authenticationStrength/policies/{authenticationStrengthPolicyId}/combinationConfigurations
	POST /identity/conditionalAccess/evaluate
	POST /identity/conditionalAccess/namedLocations `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	POST /identity/conditionalAccess/policies `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	POST /policies/authenticationStrengthPolicies
	POST /policies/authenticationStrengthPolicies/{authenticationStrengthPolicyId}/updateAllowedCombinations

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgIdentityConditionalAccessAuthenticationContextClassReference
	Get-MgPolicyAuthenticationStrengthPolicy
	Invoke-MgUsagePolicyAuthenticationStrengthPolicy
	New-MgIdentityConditionalAccessAuthenticationStrengthPolicyCombinationConfiguration
	New-MgIdentityConditionalAccessNamedLocation `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	New-MgIdentityConditionalAccessPolicy `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	New-MgPolicyAuthenticationStrengthPolicy
	Remove-MgIdentityConditionalAccessNamedLocation `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Remove-MgIdentityConditionalAccessPolicy `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Remove-MgPolicyAuthenticationStrengthPolicy
	Update-MgIdentityConditionalAccessAuthenticationContextClassReference
	Update-MgIdentityConditionalAccessNamedLocation `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Update-MgIdentityConditionalAccessPolicy `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Update-MgPolicyAuthenticationStrengthPolicy
	Update-MgPolicyAuthenticationStrengthPolicyAllowedCombination
	Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaIdentityConditionalAccessAuthenticationContextClassReference
	Get-MgBetaPolicyAuthenticationStrengthPolicy
	Get-MgBetaTenantRelationshipManagedTenantConditionalAccessPolicyCoverage
	Invoke-MgBetaUsagePolicyAuthenticationStrengthPolicy
	New-MgBetaIdentityConditionalAccessAuthenticationContextClassReference
	New-MgBetaIdentityConditionalAccessNamedLocation `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	New-MgBetaIdentityConditionalAccessPolicy `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	New-MgBetaPolicyAuthenticationStrengthPolicy
	Remove-MgBetaIdentityConditionalAccessNamedLocation `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Remove-MgBetaIdentityConditionalAccessPolicy `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Remove-MgBetaPolicyAuthenticationStrengthPolicy
	Test-MgBetaIdentityConditionalAccess
	Update-MgBetaIdentityConditionalAccessAuthenticationContextClassReference
	Update-MgBetaIdentityConditionalAccessNamedLocation `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Update-MgBetaIdentityConditionalAccessPolicy `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Update-MgBetaIdentityContinuouAccessEvaluationPolicy `Application.Read.All and Policy.ReadWrite.ConditionalAccess` ▪️ `Policy.Read.All and Policy.ReadWrite.ConditionalAccess`
	Update-MgBetaPolicyAuthenticationStrengthPolicy
	Update-MgBetaPolicyAuthenticationStrengthPolicyAllowedCombination
	Update-MgBetaPolicyIdentitySecurityDefaultEnforcementPolicy

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: authenticationCombinationConfiguration

Property	Type	Description
appliesToCombinations	authenticationMethodModes collection	Which authentication method combinations this configuration applies to. Must be an allowedCombinations object, part of the authenticationStrengthPolicy. The only possible value for `fido2combinationConfigurations` is `"fido2"`.
id	String	A unique system-generated identifier.

Graph reference: authenticationContextClassReference

Property	Type	Description
description	String	A short explanation of the policies that are enforced by authenticationContextClassReference. This value should be used to provide secondary text to describe the authentication context class reference when building user-facing admin experiences. For example, a selection UX.
displayName	String	The display name is the friendly name of the authenticationContextClassReference object. This value should be used to identify the authentication context class reference when building user-facing admin experiences. For example, a selection UX.
id	String	Identifier used to reference the authentication context class. The ID is used to trigger step-up authentication for the referenced authentication requirements and is the value that will be issued in the `acrs` claim of an access token. This value in the claim is used to verify that the required authentication context has been satisfied. The allowed values are `c1` through `c25`. Supports `$filter` (`eq`).
isAvailable	Boolean	Indicates whether the authenticationContextClassReference has been published by the security admin and is ready for use by apps. When it's set to `false`, it shouldn't be shown in authentication context selection UX, or used to protect app resources. It's shown and available for Conditional Access policy authoring. The default value is `false`. Supports `$filter` (`eq`).

Graph reference: authenticationMethodModeDetail

Property	Type	Description
authenticationMethod	baseAuthenticationMethod	The authentication method that this mode modifies. The possible values are: `password`, `voice`, `hardwareOath`, `softwareOath`, `sms`, `fido2`, `windowsHelloForBusiness`, `microsoftAuthenticator`, `temporaryAccessPass`, `email`, `x509Certificate`, `federation`, `unknownFutureValue`, `qrCodePin`. Use the `Prefer: include-unknown-enum-members` request header to get the following values from this {evolvable enum}(/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `qrCodePin`.
displayName	String	The display name of this mode
id	String	The system-generated identifier for this mode.

Graph reference: authenticationStrengthPolicy

Property	Type	Description
allowedCombinations	authenticationMethodModes collection	A collection of authentication method modes that are required be used to satify this authentication strength.
createdDateTime	DateTimeOffset	The datetime when this policy was created.
description	String	The human-readable description of this policy.
displayName	String	The human-readable display name of this policy. Supports `$filter` (`eq`, `ne`, `not` , and `in`).
id	String	The system-generated identifier for this mode.
modifiedDateTime	DateTimeOffset	The datetime when this policy was last modified.
policyType	authenticationStrengthPolicyType	A descriptor of whether this policy is built into Microsoft Entra ID or created by an admin for the tenant. The possible values are: `builtIn`, `custom`, `unknownFutureValue`. Supports `$filter` (`eq`, `ne`, `not` , and `in`).
requirementsSatisfied	authenticationStrengthRequirements	A descriptor of whether this authentication strength grants the MFA claim upon successful satisfaction. The possible values are: `none`, `mfa`, `unknownFutureValue`.

Graph reference: authenticationStrengthUsage

Property	Type	Description
mfa	conditionalAccessPolicy collection	A collection of Conditional Access policies that reference the specified authentication strength policy and that require an MFA claim.
none	conditionalAccessPolicy collection	A collection of Conditional Access policies that reference the specified authentication strength policy and that do not require an MFA claim.

Graph reference: compliantNetworkNamedLocation

Property	Type	Description
compliantNetworkType	compliantNetworkType	Type of compliant network. Currently the only possible value is `allTenantCompliantNetworks`.
createdDateTime	DateTimeOffset	The timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from namedLocation.
displayName	String	Human-readable name of the location. Required. Always "All Compliant Network Locations". Inherited from namedLocation.
id	String	Identifier of the object. Read-only. Inherited from entity.
isTrusted	Boolean	`true` if this location is explicitly trusted. Optional. Default value is `false`.
modifiedDateTime	DateTimeOffset	The timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from namedLocation.

Graph reference: conditionalAccessApplications

Property	Type	Description
excludeApplications	String collection	Can be one of the following: The list of client IDs (appId) explicitly excluded from the policy. `Office365` - For the list of apps included in `Office365`, see Apps included in Conditional Access Office 365 app suite `MicrosoftAdminPortals` - For more information, see Conditional Access Target resources: Microsoft Admin Portals
includeApplications	String collection	Can be one of the following: The list of client IDs (appId) the policy applies to, unless explicitly excluded (in excludeApplications) `All` `Office365` - For the list of apps included in `Office365`, see Apps included in Conditional Access Office 365 app suite `MicrosoftAdminPortals` - For more information, see Conditional Access Target resources: Microsoft Admin Portals
applicationFilter	conditionalAccessFilter	Filter that defines the dynamic-application-syntax rule to include/exclude cloud applications. A filter can use custom security attributes to include/exclude applications.
includeUserActions	String collection	User actions to include. Supported values are `urn:user:registersecurityinfo` and `urn:user:registerdevice`

Graph reference: conditionalAccessGrantControls

Property	Type	Description
builtInControls	conditionalAccessGrantControl collection	List of values of built-in controls required by the policy. Possible values: `block`, `mfa`, `compliantDevice`, `domainJoinedDevice`, `approvedApplication`, `compliantApplication`, `passwordChange`, `unknownFutureValue`.
customAuthenticationFactors	String collection	List of custom controls IDs required by the policy. For more information, see Custom controls.
operator	String	Defines the relationship of the grant controls. Possible values: `AND`, `OR`.
termsOfUse	String collection	List of terms of use IDs required by the policy.

Graph reference: conditionalAccessPolicy

Property	Type	Description
conditions	conditionalAccessConditionSet	Specifies the rules that must be met for the policy to apply. Required.
createdDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Readonly.
displayName	String	Specifies a display name for the conditionalAccessPolicy object.
grantControls	conditionalAccessGrantControls	Specifies the grant controls that must be fulfilled to pass the policy.
id	String	Specifies the identifier of a conditionalAccessPolicy object. Read-only.
modifiedDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Readonly.
sessionControls	conditionalAccessSessionControls	Specifies the session controls that are enforced after sign-in.
state	conditionalAccessPolicyState	Specifies the state of the conditionalAccessPolicy object. Possible values are: `enabled`, `disabled`, `enabledForReportingButNotEnforced`. Required.

Graph reference: conditionalAccessSessionControls

Property	Type	Description
applicationEnforcedRestrictions	applicationEnforcedRestrictionsSessionControl	Session control to enforce application restrictions. Only Exchange Online and Sharepoint Online support this session control.
cloudAppSecurity	cloudAppSecuritySessionControl	Session control to apply cloud app security.
disableResilienceDefaults	Boolean	Session control that determines whether it is acceptable for Microsoft Entra ID to extend existing sessions based on information collected prior to an outage or not.
persistentBrowser	persistentBrowserSessionControl	Session control to define whether to persist cookies or not. All apps should be selected for this session control to work correctly.
signInFrequency	signInFrequencySessionControl	Session control to enforce signin frequency.

Graph reference: conditionalAccessUsers

Property	Type	Description
excludeGroups	String collection	Group IDs excluded from scope of policy.
excludeGuestsOrExternalUsers	conditionalAccessGuestsOrExternalUsers	Internal guests or external users excluded from the policy scope. Optionally populated.
excludeRoles	String collection	Role IDs excluded from scope of policy.
excludeUsers	String collection	User IDs excluded from scope of policy and/or `GuestsOrExternalUsers`.
includeGroups	String collection	Group IDs in scope of policy unless explicitly excluded.
includeGuestsOrExternalUsers	conditionalAccessGuestsOrExternalUsers	Internal guests or external users included in the policy scope. Optionally populated.
includeRoles	String collection	Role IDs in scope of policy unless explicitly excluded.
includeUsers	String collection	User IDs in scope of policy unless explicitly excluded, `None`, `All`, or `GuestsOrExternalUsers`.

Graph reference: continuousAccessEvaluationPolicy

Property	Type	Description
description	String	Continuous access evaluation automatically blocks access to resources and applications in near real time when a user's access is removed or a client IP address changes. Read-only.
displayName	String	The value is always `Continuous Access Evaluation`. Read-only.
groups	String collection	The collection of group identifiers in scope for evaluation. All groups are in scope when the collection is empty. Read-only.
id	String	Specifies the identifier of a continuousAccessEvaluationPolicy object. Read-only.
isEnabled	Boolean	`true` to indicate whether continuous access evaluation should be performed; otherwise `false`. Read-only.
users	String collection	The collection of user identifiers in scope for evaluation. All users are in scope when the collection is empty. Read-only.
migrate	Boolean	`true` to indicate that the continuous access evaluation policy settings should be or has been migrated to the conditional access policy.

Graph reference: countryNamedLocation

Property	Type	Description
countriesAndRegions	String collection	List of countries and/or regions in two-letter format specified by ISO 3166-2. Required.
countryLookupMethod	countryLookupMethodType	Determines what method is used to decide which country the user is located in. Possible values are `clientIpAddress`(default) and `authenticatorAppGps`. Note: `authenticatorAppGps` is not yet supported in the Microsoft Cloud for US Government.
createdDateTime	DateTimeOffset	The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from namedLocation.
displayName	String	Human-readable name of the location. Required. Inherited from namedLocation.
id	String	Identifier of a namedLocation object. Read-only. Inherited from namedLocation.
includeUnknownCountriesAndRegions	Boolean	`true` if IP addresses that don't map to a country or region should be included in the named location. Optional. Default value is `false`.
modifiedDateTime	DateTimeOffset	The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from namedLocation.

Graph reference: fido2CombinationConfiguration

Property	Type	Description
allowedAAGUIDs	String collection	A list of AAGUIDs allowed to be used as part of the specified authentication method combinations.
appliesToCombinations	authenticationMethodModes collection	Which authentication method combinations this configuration applies to. The only possible value is `"fido2"`. Inherited from authenticationCombinationConfiguration.
id	String	A system-generated identifier. Inherited from entity.

Graph reference: identitySecurityDefaultsEnforcementPolicy

Property	Type	Description
description	String	Description for this policy. Read-only.
displayName	String	Display name for this policy. Read-only.
id	String	Identifier for this policy. Read-only.
isEnabled	Boolean	If set to `true`, Microsoft Entra security defaults are enabled for the tenant.

Graph reference: ipNamedLocation

Property	Type	Description
createdDateTime	DateTimeOffset	The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from namedLocation.
displayName	String	Human-readable name of the location. Required.
id	String	Identifier of a namedLocation object. Read-only. Inherited from namedLocation.
ipRanges	ipRange collection	List of IP address ranges in IPv4 CIDR format (for example, 1.2.3.4/32) or any allowable IPv6 format from IETF RFC5969. Required.
isTrusted	Boolean	`true` if this location is explicitly trusted. Optional. Default value is `false`.
modifiedDateTime	DateTimeOffset	The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only. Inherited from namedLocation.

Graph reference: conditionalAccessPolicyCoverage

Property	Type	Description
conditionalAccessPolicyState	String	The state for the conditional access policy. Possible values are: `enabled`, `disabled`, `enabledForReportingButNotEnforced`. Required. Read-only.
id	String	The unique identifier for this entity. Required. Read-only.
latestPolicyModifiedDateTime	DateTimeOffset	The date and time the conditional access policy was last modified. Required. Read-only.
requiresDeviceCompliance	Boolean	A flag indicating whether the conditional access policy requires device compliance. Required. Read-only.
tenantDisplayName	String	The display name for the managed tenant. Required. Read-only.

Graph reference: namedLocation

Property	Type	Description
createdDateTime	DateTimeOffset	The Timestamp type represents creation date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.
displayName	String	Human-readable name of the location.
id	String	Identifier of a namedLocation object. Read-only.
modifiedDateTime	DateTimeOffset	The Timestamp type represents last modified date and time of the location using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Read-only.

Graph reference: signInConditions

Property	Type	Description
authenticationFlow	authenticationFlow	Type of authentication flow. The possible value is: `deviceCodeFlow` or `authenticationTransfer`. Default value is `none`.
clientAppType	conditionalAccessClientApp	Client application type. The possible value is: `all`, `browser`, `mobileAppsAndDesktopClients`, `exchangeActiveSync`, `easSupported`, `other`, `unknownFutureValue`. Default value is `all`.
country	String	Country from where the identity is authenticating.
deviceInfo	deviceInfo	Information about the device used for the sign-in.
devicePlatform	conditionalAccessDevicePlatform	Device platform. The possible value is: `android`, `iOS`, `windows`, `windowsPhone`, `macOS`, `all`, `unknownFutureValue`, `linux`. Default value is `all`.
insiderRiskLevel	insiderRiskLevel	Insider risk associated with the authenticating user. The possible value is: `none`, `minor`, `moderate`, `elevated`, `unknownFutureValue`. Default value is `none`.
ipAddress	String	Ip address of the authenticating identity.
servicePrincipalRiskLevel	riskLevel	Risk associated with the service principal. The possible value is: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. Default value is `none`.
signInRiskLevel	riskLevel	Sign-in risk associated with the user. The possible value is: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. Default value is `none`.
userRiskLevel	riskLevel	The authenticating user's risk level. The possible value is: `low`, `medium`, `high`, `hidden`, `none`, `unknownFutureValue`. Default value is `none`.

Graph reference: updateAllowedCombinationsResult

Property	Type	Description
additionalInformation	String	Information about why the updateAllowedCombinations action was successful or failed.
conditionalAccessReferences	String collection	References to existing Conditional Access policies that use this authentication strength.
currentCombinations	authenticationMethodModes collection	The list of current authentication method combinations allowed by the authentication strength.
previousCombinations	authenticationMethodModes collection	The list of former authentication method combinations allowed by the authentication strength before they were updated through the updateAllowedCombinations action.

Graph reference: whatIfAnalysisResult

Property	Type	Description
analysisReasons	whatIfAnalysisReasons	Specifies the reasons why a policy didn't apply. `analysisReasons` is set to `notSet` when `policyApplies` is `true` and one of the following values when `policyApplies` is `false`: `notEnoughInformation`, `invalidCondition`, `users`, `workloadIdentities`, `application`, `userActions`, `authenticationContext`, `devicePlatform`, `devices`, `clientApps`, `location`, `signInRisk`, `emptyPolicy`, `invalidPolicy`, `policyNotEnabled`, `userRisk`, `time`, `insiderRisk`, `authenticationFlow`, `unknownFutureValue`.
conditions	conditionalAccessConditionSet	Specifies the rules that must be met for the policy to apply. Inherited from conditionalAccessPolicy.
createdDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from conditionalAccessPolicy.
description	String	Not used. Inherited from conditionalAccessPolicy.
displayName	String	Specifies a display name for the conditionalAccessPolicy object. Inherited from conditionalAccessPolicy.
grantControls	conditionalAccessGrantControls	Specifies the grant controls that must be fulfilled to pass the policy. Inherited from conditionalAccessPolicy.
id	String	Specifies the identifier of a conditionalAccessPolicy object. Inherited from entity.
modifiedDateTime	DateTimeOffset	The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from conditionalAccessPolicy.
policyApplies	Boolean	Specifies whether the policy applies to the sign-in properties provided in the request body. If `policyApplies` is `true`, the policy applies to the sign-in based on the sign-in properties provided. If `policyApplies` is `false`, the policy doesn't apply to the sign-in based on the sign-in properties provided and the `analysisReasons` property is populated to show the reason for the policy not applying.
sessionControls	conditionalAccessSessionControls	Specifies the session controls that are enforced after sign-in. Inherited from conditionalAccessPolicy.
state	conditionalAccessPolicyState	Specifies the state of the conditionalAccessPolicy object. Inherited from conditionalAccessPolicy. The possible values are: `enabled`, `disabled`, `enabledForReportingButNotEnforced`, `unknownFutureValue`.

Graph reference: x509CertificateCombinationConfiguration

Property	Type	Description
allowedIssuerSkis	String collection	A list of allowed subject key identifier values.
allowedPolicyOIDs	String collection	A list of allowed policy OIDs.
appliesToCombinations	authenticationMethodModes collection	Which authentication method combinations this configuration applies to. The possible values for x509certificatecombinationconfiguration are `"x509CertificateSingleFactor"` or `"x509CertificateMultiFactor"`. Inherited from authenticationCombinationConfiguration.
id	String	A system-generated identifier. Inherited from entity.

Table of Contents

Policy.ReadWrite.ConditionalAccess

Graph Methods

Resources