Policy.ReadWrite.HybridAuthentication

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the Policy.ReadWrite.HybridAuthentication permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	-	-
DisplayText	-	-
Description	-	-
AdminConsentRequired	Yes	No

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /policies/featureRolloutPolicies/{id}
	DELETE /policies/featureRolloutPolicies/{policyId}/appliesTo/{directoryObjectId}/$ref
	GET /policies/featureRolloutPolicies
	GET /policies/featureRolloutPolicies/{id}
	PATCH /policies/featureRolloutPolicies/{id}
	POST /policies/featureRolloutPolicies
	POST /policies/featureRolloutPolicies/{id}/appliesTo/$ref

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /onPremisesPublishingProfiles/{profile-id}/agents/{agent-id}/agentGroups/{agentGroup-id}/$ref
	DELETE /policies/featureRolloutPolicies/{id}
	DELETE /policies/featureRolloutPolicies/{policyId}/appliesTo/{directoryObjectId}/$ref
	GET /onPremisesPublishingProfiles/{profile-id}/
	GET /onPremisesPublishingProfiles/{profile-id}/agentGroups
	GET /onPremisesPublishingProfiles/{profile-id}/agents
	GET /onPremisesPublishingProfiles/{profile-id}/agents/{agent-id}
	GET /onPremisesPublishingProfiles/{profile-id}/agents/{agent-id}?$expand=agentGroups
	GET /policies/featureRolloutPolicies
	GET /policies/featureRolloutPolicies/{id}
	PATCH /policies/featureRolloutPolicies/{id}
	POST /onPremisesPublishingProfiles/{profile-id}/agents/{agent-id}/agentGroups/$ref
	POST /policies/featureRolloutPolicies
	POST /policies/featureRolloutPolicies/{id}/appliesTo/$ref

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgPolicyFeatureRolloutPolicy
	New-MgPolicyFeatureRolloutPolicy
	New-MgPolicyFeatureRolloutPolicyApplyToByRef
	Remove-MgPolicyFeatureRolloutPolicy
	Remove-MgPolicyFeatureRolloutPolicyApplyToDirectoryObjectByRef
	Update-MgPolicyFeatureRolloutPolicy

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaOnPremisePublishingProfile
	Get-MgBetaOnPremisePublishingProfileAgent
	Get-MgBetaOnPremisePublishingProfileAgentGroup
	Get-MgBetaPolicyFeatureRolloutPolicy
	New-MgBetaPolicyFeatureRolloutPolicy
	New-MgBetaPolicyFeatureRolloutPolicyApplyToByRef
	Remove-MgBetaPolicyFeatureRolloutPolicy
	Remove-MgBetaPolicyFeatureRolloutPolicyApplyToDirectoryObjectByRef
	Update-MgBetaPolicyFeatureRolloutPolicy

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: directoryObject

Property	Type	Description
deletedDateTime	DateTimeOffset	Date and time when this object was deleted. Always `null` when the object hasn't been deleted.
id	String	The unique identifier for the object. For example, `12345678-9abc-def0-1234-56789abcde`. The value of the **i

Graph reference: featureRolloutPolicy

Property	Type	Description
description	String	A description for this feature rollout policy.
displayName	String	The display name for this feature rollout policy.
feature	stagedFeatureName	Possible values are: `passthroughAuthentication`, `seamlessSso`, `passwordHashSync`, `emailAsAlternateId`, `unknownFutureValue`, `certificateBasedAuthentication`, `multiFactorAuthentication`. Use the `Prefer: include-unknown-enum-members` request header to get the following value or values in this evolvable enum: `certificateBasedAuthentication`, `multiFactorAuthentication`. For more information about the prerequisites for the enabled features, see Prerequisites for enabled features.
id	String	Read-only.
isAppliedToOrganization	Boolean	Indicates whether this feature rollout policy should be applied to the entire organization.
isEnabled	Boolean	Indicates whether the feature rollout is enabled.

Graph reference: onPremisesAgent

Property	Type	Description
externalIp	String	The external IP address as detected by the service for the agent machine. Read-only
id	String	The object id of the onPremisesAgent. Read-only.
machineName	String	The name of the machine that the agent is running on. Read-only
status	agentStatus	Possible values are: `active`, `inactive`.
supportedPublishingTypes	String collection	Possible values are: `applicationProxy`, `exchangeOnline`, `authentication`, `provisioning`, `adAdministration`.

Graph reference: onPremisesAgentGroup

Property	Type	Description
displayName	String	Display name of the onPremisesAgentGroup.
id	String	The object ID of the onPremisesAgentGroup. Read-only.
isDefault	Boolean	Indicates if the onPremisesAgentGroup is the default agent group. Only a single agent group can be the default onPremisesAgentGroup and is set by the system.
publishingType	String	Possible values are: `applicationProxy`, `exchangeOnline`, `authentication`, `provisioning`, `adAdministration`.

Graph reference: onPremisesPublishingProfile

Property	Type	Description
hybridAgentUpdaterConfiguration	hybridAgentUpdaterConfiguration	Represents a hybridAgentUpdaterConfiguration object.
id	String	Represents a publishing type. Possible values are: `applicationProxy`, `exchangeOnline`, `authentication`, `provisioning`, `adAdministration`. Read-only.
isDefaultAccessEnabled	Boolean	Specifies whether default access for app proxy is enabled or disabled.
isEnabled	Boolean	Represents if Microsoft Entra application proxy is enabled for the tenant.

Table of Contents

Policy.ReadWrite.HybridAuthentication

Graph Methods

Resources