Policy.ReadWrite.ExternalIdentities

Allows the application to read and update the organization's external identities policy on behalf of the signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.ExternalIdentities permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	03cc4f92-788e-4ede-b93f-199424d144a5	b5219784-1215-45b5-b3f1-88fe1081f9c0
DisplayText	Read and write your organization's external identities policy	Read and write your organization's external identities policy
Description	Allows the application to read and update the organization's external identities policy without a signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave.	Allows the application to read and update the organization's external identities policy on behalf of the signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /policies/externalIdentitiesPolicy
	PATCH /policies/externalIdentitiesPolicy

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaPolicyExternalIdentityPolicy
	Update-MgBetaPolicyExternalIdentityPolicy

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

externalIdentitiesPolicy

Graph reference: externalIdentitiesPolicy

Property	Type	Description
allowDeletedIdentitiesDataRemoval	Boolean	Reserved for future use.
allowExternalIdentitiesToLeave	Boolean	Defines whether external users can leave the guest tenant. If set to `false`, self-service controls are disabled, and the admin of the guest tenant must manually remove the external user from the guest tenant. When the external user leaves the tenant, their data in the guest tenant is first soft-deleted then permanently deleted in 30 days.
displayName	String	The policy name. Inherited from policyBase.

Table of Contents

Policy.ReadWrite.ExternalIdentities

Graph Methods

Resources