Policy.ReadWrite.CrossTenantAccess
Allows the app to read and write your organization's cross-tenant access policies and configuration for automatic user consent settings to suppress consent prompts for users of the other tenant on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
Policy.ReadWrite.CrossTenantAccesspermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | 338163d7-f101-4c92-94ba-ca46fe52447c | 014b43d0-6ed4-4fc6-84dc-4b6f7bae7d85 |
| DisplayText | Read and write your organization's cross tenant access policies | Read and write your organization's cross tenant access policies |
| Description | Allows the app to read and write your organization's cross-tenant access policies and configuration for automatic user consent settings to suppress consent prompts for users of the other tenant on behalf of the signed-in user. | Allows the app to read and write your organization's cross-tenant access policies and configuration for automatic user consent settings to suppress consent prompts for users of the other tenant on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- conditionalAccessPolicy
- crossTenantAccessPolicy
- crossTenantAccessPolicyB2BSetting
- crossTenantAccessPolicyConfigurationDefault
- crossTenantAccessPolicyConfigurationPartner
- crossTenantAccessPolicyInboundTrust
- crossTenantAccessPolicyTenantRestrictions
- crossTenantIdentitySyncPolicyPartner
- crossTenantUserSyncInbound
- inboundOutboundPolicyConfiguration
- multiTenantOrganizationIdentitySyncPolicyTemplate
- multiTenantOrganizationPartnerConfigurationTemplate
- namedLocation
- policyDeletableItem
Graph reference: conditionalAccessPolicy
| Property | Type | Description |
|---|---|---|
| conditions | conditionalAccessConditionSet | Specifies the rules that must be met for the policy to apply. Required. |
| createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Readonly. |
| displayName | String | Specifies a display name for the conditionalAccessPolicy object. |
| grantControls | conditionalAccessGrantControls | Specifies the grant controls that must be fulfilled to pass the policy. |
| id | String | Specifies the identifier of a conditionalAccessPolicy object. Read-only. |
| modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Readonly. |
| sessionControls | conditionalAccessSessionControls | Specifies the session controls that are enforced after sign-in. |
| state | conditionalAccessPolicyState | Specifies the state of the conditionalAccessPolicy object. Possible values are: enabled, disabled, enabledForReportingButNotEnforced. Required. |
| templateId | String | Specifies the unique identifier of a Conditional Access template. Inherited from entity. |