Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Create a new conditionalAccessPolicy.
This API is available in the following national cloud deployments.
| Global service |
US Government L4 |
US Government L5 (DOD) |
China operated by 21Vianet |
| ✅ |
✅ |
✅ |
✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type |
Least privileged permissions |
Higher privileged permissions |
| Delegated (work or school account) |
Policy.Read.All and Policy.ReadWrite.ConditionalAccess |
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
| Delegated (personal Microsoft account) |
Not supported. |
Not supported. |
| Application |
Policy.Read.All and Policy.ReadWrite.ConditionalAccess |
Application.Read.All and Policy.ReadWrite.ConditionalAccess |
Important
In delegated scenarios with work or school accounts where the signed-in user is acting on another user, they must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
- Security Administrator
- Conditional Access Administrator
HTTP request
POST /identity/conditionalAccess/policies
Request body
In the request body, supply a JSON representation of a conditionalAccessPolicy object.
A valid policy should contain at least one application rule - for example, 'includeApplications': 'none', one user rule - for example, 'includeUsers': 'none', and at least one grant/session control.
Response
If successful, this method returns a 201 Created response code and a new conditionalAccessPolicy object in the response body.
Examples
Example 1: Require MFA to access Exchange Online outside of trusted locations
Request
The following example shows a common request to require multifactor authentication for access to Exchange Online from modern authentication clients outside of trusted locations for a particular group.
Note: You must set up your trusted locations before using this operation.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Access to EXO requires MFA",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Access to EXO requires MFA",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp?>
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.Browser,
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"00000002-0000-0ff1-ce00-000000000000",
},
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<string>
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
},
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<string>
{
"All",
},
ExcludeLocations = new List<string>
{
"AllTrusted",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Mfa,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
mgc-beta identity conditional-access policies create --body '{\
"displayName": "Access to EXO requires MFA",\
"state": "enabled",\
"conditions": {\
"clientAppTypes": [\
"mobileAppsAndDesktopClients",\
"browser"\
],\
"applications": {\
"includeApplications": [\
"00000002-0000-0ff1-ce00-000000000000"\
]\
},\
"users": {\
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]\
},\
"locations": {\
"includeLocations": [\
"All"\
],\
"excludeLocations": [\
"AllTrusted"\
]\
}\
},\
"grantControls": {\
"operator": "OR",\
"builtInControls": [\
"mfa"\
]\
}\
}\
'
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Access to EXO requires MFA"
requestBody.SetDisplayName(&displayName)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
clientAppTypes := []graphmodels.ConditionalAccessClientAppable {
conditionalAccessClientApp := graphmodels.MOBILEAPPSANDDESKTOPCLIENTS_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
conditionalAccessClientApp := graphmodels.BROWSER_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
}
conditions.SetClientAppTypes(clientAppTypes)
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"00000002-0000-0ff1-ce00-000000000000",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeGroups := []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
users.SetIncludeGroups(includeGroups)
conditions.SetUsers(users)
locations := graphmodels.NewConditionalAccessLocations()
includeLocations := []string {
"All",
}
locations.SetIncludeLocations(includeLocations)
excludeLocations := []string {
"AllTrusted",
}
locations.SetExcludeLocations(excludeLocations)
conditions.SetLocations(locations)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.MFA_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
requestBody.SetGrantControls(grantControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Access to EXO requires MFA");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypes = new LinkedList<ConditionalAccessClientApp>();
clientAppTypes.add(ConditionalAccessClientApp.MobileAppsAndDesktopClients);
clientAppTypes.add(ConditionalAccessClientApp.Browser);
conditions.setClientAppTypes(clientAppTypes);
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000002-0000-0ff1-ce00-000000000000");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroups = new LinkedList<String>();
includeGroups.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.setIncludeGroups(includeGroups);
conditions.setUsers(users);
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocations = new LinkedList<String>();
includeLocations.add("All");
locations.setIncludeLocations(includeLocations);
LinkedList<String> excludeLocations = new LinkedList<String>();
excludeLocations.add("AllTrusted");
locations.setExcludeLocations(excludeLocations);
conditions.setLocations(locations);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Mfa);
grantControls.setBuiltInControls(builtInControls);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Access to EXO requires MFA',
state: 'enabled',
conditions: {
clientAppTypes: [
'mobileAppsAndDesktopClients',
'browser'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'All'
],
excludeLocations: [
'AllTrusted'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessLocations;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Access to EXO requires MFA');
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$conditions = new ConditionalAccessConditionSet();
$conditions->setClientAppTypes([new ConditionalAccessClientApp('mobileAppsAndDesktopClients'),new ConditionalAccessClientApp('browser'), ]);
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['00000002-0000-0ff1-ce00-000000000000', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeGroups(['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba', ]);
$conditions->setUsers($conditionsUsers);
$conditionsLocations = new ConditionalAccessLocations();
$conditionsLocations->setIncludeLocations(['All', ]);
$conditionsLocations->setExcludeLocations(['AllTrusted', ]);
$conditions->setLocations($conditionsLocations);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('mfa'), ]);
$requestBody->setGrantControls($grantControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.SignIns
$params = @{
displayName = "Access to EXO requires MFA"
state = "enabled"
conditions = @{
clientAppTypes = @(
"mobileAppsAndDesktopClients"
"browser"
)
applications = @{
includeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
users = @{
includeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
locations = @{
includeLocations = @(
"All"
)
excludeLocations = @(
"AllTrusted"
)
}
}
grantControls = @{
operator = "OR"
builtInControls = @(
"mfa"
)
}
}
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_locations import ConditionalAccessLocations
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Access to EXO requires MFA",
state = ConditionalAccessPolicyState.Enabled,
conditions = ConditionalAccessConditionSet(
client_app_types = [
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.Browser,
],
applications = ConditionalAccessApplications(
include_applications = [
"00000002-0000-0ff1-ce00-000000000000",
],
),
users = ConditionalAccessUsers(
include_groups = [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
],
),
locations = ConditionalAccessLocations(
include_locations = [
"All",
],
exclude_locations = [
"AllTrusted",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Mfa,
],
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Response
The following example shows the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
"displayName": "Access to EXO requires MFA",
"createdDateTime": "2019-10-14T19:52:00.050958Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Example 2: Block access to Exchange Online from nontrusted regions
Request
The following example shows a request to block access to Exchange Online from non-trusted/unknown regions.
This example assumes that the named location with id = 198ad66e-87b3-4157-85a3-8a7b51794ee9 corresponds to a list of non-trusted/unknown regions.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to EXO non-trusted regions.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Block access to EXO non-trusted regions.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp?>
{
ConditionalAccessClientApp.All,
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"00000002-0000-0ff1-ce00-000000000000",
},
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<string>
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
},
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<string>
{
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Block,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
mgc-beta identity conditional-access policies create --body '{\
"displayName": "Block access to EXO non-trusted regions.",\
"state": "enabled",\
"conditions": {\
"clientAppTypes": [\
"all"\
],\
"applications": {\
"includeApplications": [\
"00000002-0000-0ff1-ce00-000000000000"\
]\
},\
"users": {\
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]\
},\
"locations": {\
"includeLocations": [\
"198ad66e-87b3-4157-85a3-8a7b51794ee9"\
]\
}\
},\
"grantControls": {\
"operator": "OR",\
"builtInControls": [\
"block"\
]\
}\
}\
'
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Block access to EXO non-trusted regions."
requestBody.SetDisplayName(&displayName)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
clientAppTypes := []graphmodels.ConditionalAccessClientAppable {
conditionalAccessClientApp := graphmodels.ALL_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
}
conditions.SetClientAppTypes(clientAppTypes)
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"00000002-0000-0ff1-ce00-000000000000",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeGroups := []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
users.SetIncludeGroups(includeGroups)
conditions.SetUsers(users)
locations := graphmodels.NewConditionalAccessLocations()
includeLocations := []string {
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
}
locations.SetIncludeLocations(includeLocations)
conditions.SetLocations(locations)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.BLOCK_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
requestBody.SetGrantControls(grantControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Block access to EXO non-trusted regions.");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypes = new LinkedList<ConditionalAccessClientApp>();
clientAppTypes.add(ConditionalAccessClientApp.All);
conditions.setClientAppTypes(clientAppTypes);
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000002-0000-0ff1-ce00-000000000000");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroups = new LinkedList<String>();
includeGroups.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.setIncludeGroups(includeGroups);
conditions.setUsers(users);
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocations = new LinkedList<String>();
includeLocations.add("198ad66e-87b3-4157-85a3-8a7b51794ee9");
locations.setIncludeLocations(includeLocations);
conditions.setLocations(locations);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Block);
grantControls.setBuiltInControls(builtInControls);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Block access to EXO non-trusted regions.',
state: 'enabled',
conditions: {
clientAppTypes: [
'all'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'198ad66e-87b3-4157-85a3-8a7b51794ee9'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'block'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessLocations;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Block access to EXO non-trusted regions.');
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$conditions = new ConditionalAccessConditionSet();
$conditions->setClientAppTypes([new ConditionalAccessClientApp('all'), ]);
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['00000002-0000-0ff1-ce00-000000000000', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeGroups(['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba', ]);
$conditions->setUsers($conditionsUsers);
$conditionsLocations = new ConditionalAccessLocations();
$conditionsLocations->setIncludeLocations(['198ad66e-87b3-4157-85a3-8a7b51794ee9', ]);
$conditions->setLocations($conditionsLocations);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('block'), ]);
$requestBody->setGrantControls($grantControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.SignIns
$params = @{
displayName = "Block access to EXO non-trusted regions."
state = "enabled"
conditions = @{
clientAppTypes = @(
"all"
)
applications = @{
includeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
users = @{
includeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
locations = @{
includeLocations = @(
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
)
}
}
grantControls = @{
operator = "OR"
builtInControls = @(
"block"
)
}
}
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_locations import ConditionalAccessLocations
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Block access to EXO non-trusted regions.",
state = ConditionalAccessPolicyState.Enabled,
conditions = ConditionalAccessConditionSet(
client_app_types = [
ConditionalAccessClientApp.All,
],
applications = ConditionalAccessApplications(
include_applications = [
"00000002-0000-0ff1-ce00-000000000000",
],
),
users = ConditionalAccessUsers(
include_groups = [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
],
),
locations = ConditionalAccessLocations(
include_locations = [
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Block,
],
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Response
The following example shows the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
"displayName": "Block access to EXO non-trusted regions.",
"createdDateTime": "2019-10-14T19:53:11.3705634Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
],
"excludeLocations": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Example 3: Use all conditions/controls
Request
The following example shows a request to use all the conditions/controls.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Demo app for documentation",
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Demo app for documentation",
State = ConditionalAccessPolicyState.Disabled,
Conditions = new ConditionalAccessConditionSet
{
SignInRiskLevels = new List<RiskLevel?>
{
RiskLevel.High,
RiskLevel.Medium,
},
ClientAppTypes = new List<ConditionalAccessClientApp?>
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.ExchangeActiveSync,
ConditionalAccessClientApp.Other,
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"All",
},
ExcludeApplications = new List<string>
{
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
},
IncludeUserActions = new List<string>
{
},
},
Users = new ConditionalAccessUsers
{
IncludeUsers = new List<string>
{
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
},
ExcludeUsers = new List<string>
{
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
},
IncludeGroups = new List<string>
{
},
ExcludeGroups = new List<string>
{
},
IncludeRoles = new List<string>
{
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
},
ExcludeRoles = new List<string>
{
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
},
},
Platforms = new ConditionalAccessPlatforms
{
IncludePlatforms = new List<ConditionalAccessDevicePlatform?>
{
ConditionalAccessDevicePlatform.All,
},
ExcludePlatforms = new List<ConditionalAccessDevicePlatform?>
{
ConditionalAccessDevicePlatform.IOS,
ConditionalAccessDevicePlatform.WindowsPhone,
},
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<string>
{
"AllTrusted",
},
ExcludeLocations = new List<string>
{
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
},
},
DeviceStates = new ConditionalAccessDeviceStates
{
IncludeStates = new List<string>
{
"All",
},
ExcludeStates = new List<string>
{
"Compliant",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Mfa,
ConditionalAccessGrantControl.CompliantDevice,
ConditionalAccessGrantControl.DomainJoinedDevice,
ConditionalAccessGrantControl.ApprovedApplication,
ConditionalAccessGrantControl.CompliantApplication,
},
CustomAuthenticationFactors = new List<string>
{
},
TermsOfUse = new List<string>
{
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
},
},
SessionControls = new ConditionalAccessSessionControls
{
ApplicationEnforcedRestrictions = null,
PersistentBrowser = null,
CloudAppSecurity = new CloudAppSecuritySessionControl
{
CloudAppSecurityType = CloudAppSecuritySessionControlType.BlockDownloads,
IsEnabled = true,
},
SignInFrequency = new SignInFrequencySessionControl
{
Value = 4,
Type = SigninFrequencyType.Hours,
IsEnabled = true,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
mgc-beta identity conditional-access policies create --body '{\
"displayName": "Demo app for documentation",\
"state": "disabled",\
"conditions": {\
"signInRiskLevels": [\
"high",\
"medium"\
],\
"clientAppTypes": [\
"mobileAppsAndDesktopClients",\
"exchangeActiveSync",\
"other"\
],\
"applications": {\
"includeApplications": [\
"All"\
],\
"excludeApplications": [\
"499b84ac-1321-427f-aa17-267ca6975798",\
"00000007-0000-0000-c000-000000000000",\
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",\
"00000012-0000-0000-c000-000000000000",\
"797f4846-ba00-4fd7-ba43-dac1f8f63013",\
"05a65629-4c1b-48c1-a78b-804c4abdd4af",\
"7df0a125-d3be-4c96-aa54-591f83ff541c"\
],\
"includeUserActions": []\
},\
"users": {\
"includeUsers": [\
"a702a13d-a437-4a07-8a7e-8c052de62dfd"\
],\
"excludeUsers": [\
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",\
"GuestsOrExternalUsers"\
],\
"includeGroups": [],\
"excludeGroups": [],\
"includeRoles": [\
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",\
"cf1c38e5-3621-4004-a7cb-879624dced7c",\
"c4e39bd9-1100-46d3-8c65-fb160da0071f"\
],\
"excludeRoles": [\
"b0f54661-2d74-4c50-afa3-1ec803f12efe"\
]\
},\
"platforms": {\
"includePlatforms": [\
"all"\
],\
"excludePlatforms": [\
"iOS",\
"windowsPhone"\
]\
},\
"locations": {\
"includeLocations": [\
"AllTrusted"\
],\
"excludeLocations": [\
"00000000-0000-0000-0000-000000000000",\
"d2136c9c-b049-47ae-b9cf-316e04ef7198"\
]\
},\
"deviceStates": {\
"includeStates": [\
"All"\
],\
"excludeStates": [\
"Compliant"\
]\
}\
},\
"grantControls": {\
"operator": "OR",\
"builtInControls": [\
"mfa",\
"compliantDevice",\
"domainJoinedDevice",\
"approvedApplication",\
"compliantApplication"\
],\
"customAuthenticationFactors": [],\
"termsOfUse": [\
"ce580154-086a-40fd-91df-8a60abac81a0",\
"7f29d675-caff-43e1-8a53-1b8516ed2075"\
]\
},\
"sessionControls": {\
"applicationEnforcedRestrictions": null,\
"persistentBrowser": null,\
"cloudAppSecurity": {\
"cloudAppSecurityType": "blockDownloads",\
"isEnabled": true\
},\
"signInFrequency": {\
"value": 4,\
"type": "hours",\
"isEnabled": true\
}\
}\
}\
'
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Demo app for documentation"
requestBody.SetDisplayName(&displayName)
state := graphmodels.DISABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
signInRiskLevels := []graphmodels.RiskLevelable {
riskLevel := graphmodels.HIGH_RISKLEVEL
conditions.SetRiskLevel(&riskLevel)
riskLevel := graphmodels.MEDIUM_RISKLEVEL
conditions.SetRiskLevel(&riskLevel)
}
conditions.SetSignInRiskLevels(signInRiskLevels)
clientAppTypes := []graphmodels.ConditionalAccessClientAppable {
conditionalAccessClientApp := graphmodels.MOBILEAPPSANDDESKTOPCLIENTS_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
conditionalAccessClientApp := graphmodels.EXCHANGEACTIVESYNC_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
conditionalAccessClientApp := graphmodels.OTHER_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
}
conditions.SetClientAppTypes(clientAppTypes)
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"All",
}
applications.SetIncludeApplications(includeApplications)
excludeApplications := []string {
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
}
applications.SetExcludeApplications(excludeApplications)
includeUserActions := []string {
}
applications.SetIncludeUserActions(includeUserActions)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeUsers := []string {
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
}
users.SetIncludeUsers(includeUsers)
excludeUsers := []string {
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
}
users.SetExcludeUsers(excludeUsers)
includeGroups := []string {
}
users.SetIncludeGroups(includeGroups)
excludeGroups := []string {
}
users.SetExcludeGroups(excludeGroups)
includeRoles := []string {
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
}
users.SetIncludeRoles(includeRoles)
excludeRoles := []string {
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
}
users.SetExcludeRoles(excludeRoles)
conditions.SetUsers(users)
platforms := graphmodels.NewConditionalAccessPlatforms()
includePlatforms := []graphmodels.ConditionalAccessDevicePlatformable {
conditionalAccessDevicePlatform := graphmodels.ALL_CONDITIONALACCESSDEVICEPLATFORM
platforms.SetConditionalAccessDevicePlatform(&conditionalAccessDevicePlatform)
}
platforms.SetIncludePlatforms(includePlatforms)
excludePlatforms := []graphmodels.ConditionalAccessDevicePlatformable {
conditionalAccessDevicePlatform := graphmodels.IOS_CONDITIONALACCESSDEVICEPLATFORM
platforms.SetConditionalAccessDevicePlatform(&conditionalAccessDevicePlatform)
conditionalAccessDevicePlatform := graphmodels.WINDOWSPHONE_CONDITIONALACCESSDEVICEPLATFORM
platforms.SetConditionalAccessDevicePlatform(&conditionalAccessDevicePlatform)
}
platforms.SetExcludePlatforms(excludePlatforms)
conditions.SetPlatforms(platforms)
locations := graphmodels.NewConditionalAccessLocations()
includeLocations := []string {
"AllTrusted",
}
locations.SetIncludeLocations(includeLocations)
excludeLocations := []string {
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
}
locations.SetExcludeLocations(excludeLocations)
conditions.SetLocations(locations)
deviceStates := graphmodels.NewConditionalAccessDeviceStates()
includeStates := []string {
"All",
}
deviceStates.SetIncludeStates(includeStates)
excludeStates := []string {
"Compliant",
}
deviceStates.SetExcludeStates(excludeStates)
conditions.SetDeviceStates(deviceStates)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.MFA_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.COMPLIANTDEVICE_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.DOMAINJOINEDDEVICE_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.APPROVEDAPPLICATION_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.COMPLIANTAPPLICATION_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
customAuthenticationFactors := []string {
}
grantControls.SetCustomAuthenticationFactors(customAuthenticationFactors)
termsOfUse := []string {
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
}
grantControls.SetTermsOfUse(termsOfUse)
requestBody.SetGrantControls(grantControls)
sessionControls := graphmodels.NewConditionalAccessSessionControls()
applicationEnforcedRestrictions := null
sessionControls.SetApplicationEnforcedRestrictions(&applicationEnforcedRestrictions)
persistentBrowser := null
sessionControls.SetPersistentBrowser(&persistentBrowser)
cloudAppSecurity := graphmodels.NewCloudAppSecuritySessionControl()
cloudAppSecurityType := graphmodels.BLOCKDOWNLOADS_CLOUDAPPSECURITYSESSIONCONTROLTYPE
cloudAppSecurity.SetCloudAppSecurityType(&cloudAppSecurityType)
isEnabled := true
cloudAppSecurity.SetIsEnabled(&isEnabled)
sessionControls.SetCloudAppSecurity(cloudAppSecurity)
signInFrequency := graphmodels.NewSignInFrequencySessionControl()
value := int32(4)
signInFrequency.SetValue(&value)
type := graphmodels.HOURS_SIGNINFREQUENCYTYPE
signInFrequency.SetType(&type)
isEnabled := true
signInFrequency.SetIsEnabled(&isEnabled)
sessionControls.SetSignInFrequency(signInFrequency)
requestBody.SetSessionControls(sessionControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Demo app for documentation");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Disabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<RiskLevel> signInRiskLevels = new LinkedList<RiskLevel>();
signInRiskLevels.add(RiskLevel.High);
signInRiskLevels.add(RiskLevel.Medium);
conditions.setSignInRiskLevels(signInRiskLevels);
LinkedList<ConditionalAccessClientApp> clientAppTypes = new LinkedList<ConditionalAccessClientApp>();
clientAppTypes.add(ConditionalAccessClientApp.MobileAppsAndDesktopClients);
clientAppTypes.add(ConditionalAccessClientApp.ExchangeActiveSync);
clientAppTypes.add(ConditionalAccessClientApp.Other);
conditions.setClientAppTypes(clientAppTypes);
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("All");
applications.setIncludeApplications(includeApplications);
LinkedList<String> excludeApplications = new LinkedList<String>();
excludeApplications.add("499b84ac-1321-427f-aa17-267ca6975798");
excludeApplications.add("00000007-0000-0000-c000-000000000000");
excludeApplications.add("de8bc8b5-d9f9-48b1-a8ad-b748da725064");
excludeApplications.add("00000012-0000-0000-c000-000000000000");
excludeApplications.add("797f4846-ba00-4fd7-ba43-dac1f8f63013");
excludeApplications.add("05a65629-4c1b-48c1-a78b-804c4abdd4af");
excludeApplications.add("7df0a125-d3be-4c96-aa54-591f83ff541c");
applications.setExcludeApplications(excludeApplications);
LinkedList<String> includeUserActions = new LinkedList<String>();
applications.setIncludeUserActions(includeUserActions);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeUsers = new LinkedList<String>();
includeUsers.add("a702a13d-a437-4a07-8a7e-8c052de62dfd");
users.setIncludeUsers(includeUsers);
LinkedList<String> excludeUsers = new LinkedList<String>();
excludeUsers.add("124c5b6a-ffa5-483a-9b88-04c3fce5574a");
excludeUsers.add("GuestsOrExternalUsers");
users.setExcludeUsers(excludeUsers);
LinkedList<String> includeGroups = new LinkedList<String>();
users.setIncludeGroups(includeGroups);
LinkedList<String> excludeGroups = new LinkedList<String>();
users.setExcludeGroups(excludeGroups);
LinkedList<String> includeRoles = new LinkedList<String>();
includeRoles.add("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3");
includeRoles.add("cf1c38e5-3621-4004-a7cb-879624dced7c");
includeRoles.add("c4e39bd9-1100-46d3-8c65-fb160da0071f");
users.setIncludeRoles(includeRoles);
LinkedList<String> excludeRoles = new LinkedList<String>();
excludeRoles.add("b0f54661-2d74-4c50-afa3-1ec803f12efe");
users.setExcludeRoles(excludeRoles);
conditions.setUsers(users);
ConditionalAccessPlatforms platforms = new ConditionalAccessPlatforms();
LinkedList<ConditionalAccessDevicePlatform> includePlatforms = new LinkedList<ConditionalAccessDevicePlatform>();
includePlatforms.add(ConditionalAccessDevicePlatform.All);
platforms.setIncludePlatforms(includePlatforms);
LinkedList<ConditionalAccessDevicePlatform> excludePlatforms = new LinkedList<ConditionalAccessDevicePlatform>();
excludePlatforms.add(ConditionalAccessDevicePlatform.IOS);
excludePlatforms.add(ConditionalAccessDevicePlatform.WindowsPhone);
platforms.setExcludePlatforms(excludePlatforms);
conditions.setPlatforms(platforms);
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocations = new LinkedList<String>();
includeLocations.add("AllTrusted");
locations.setIncludeLocations(includeLocations);
LinkedList<String> excludeLocations = new LinkedList<String>();
excludeLocations.add("00000000-0000-0000-0000-000000000000");
excludeLocations.add("d2136c9c-b049-47ae-b9cf-316e04ef7198");
locations.setExcludeLocations(excludeLocations);
conditions.setLocations(locations);
ConditionalAccessDeviceStates deviceStates = new ConditionalAccessDeviceStates();
LinkedList<String> includeStates = new LinkedList<String>();
includeStates.add("All");
deviceStates.setIncludeStates(includeStates);
LinkedList<String> excludeStates = new LinkedList<String>();
excludeStates.add("Compliant");
deviceStates.setExcludeStates(excludeStates);
conditions.setDeviceStates(deviceStates);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Mfa);
builtInControls.add(ConditionalAccessGrantControl.CompliantDevice);
builtInControls.add(ConditionalAccessGrantControl.DomainJoinedDevice);
builtInControls.add(ConditionalAccessGrantControl.ApprovedApplication);
builtInControls.add(ConditionalAccessGrantControl.CompliantApplication);
grantControls.setBuiltInControls(builtInControls);
LinkedList<String> customAuthenticationFactors = new LinkedList<String>();
grantControls.setCustomAuthenticationFactors(customAuthenticationFactors);
LinkedList<String> termsOfUse = new LinkedList<String>();
termsOfUse.add("ce580154-086a-40fd-91df-8a60abac81a0");
termsOfUse.add("7f29d675-caff-43e1-8a53-1b8516ed2075");
grantControls.setTermsOfUse(termsOfUse);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessSessionControls sessionControls = new ConditionalAccessSessionControls();
sessionControls.setApplicationEnforcedRestrictions(null);
sessionControls.setPersistentBrowser(null);
CloudAppSecuritySessionControl cloudAppSecurity = new CloudAppSecuritySessionControl();
cloudAppSecurity.setCloudAppSecurityType(CloudAppSecuritySessionControlType.BlockDownloads);
cloudAppSecurity.setIsEnabled(true);
sessionControls.setCloudAppSecurity(cloudAppSecurity);
SignInFrequencySessionControl signInFrequency = new SignInFrequencySessionControl();
signInFrequency.setValue(4);
signInFrequency.setType(SigninFrequencyType.Hours);
signInFrequency.setIsEnabled(true);
sessionControls.setSignInFrequency(signInFrequency);
conditionalAccessPolicy.setSessionControls(sessionControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Demo app for documentation',
state: 'disabled',
conditions: {
signInRiskLevels: [
'high',
'medium'
],
clientAppTypes: [
'mobileAppsAndDesktopClients',
'exchangeActiveSync',
'other'
],
applications: {
includeApplications: [
'All'
],
excludeApplications: [
'499b84ac-1321-427f-aa17-267ca6975798',
'00000007-0000-0000-c000-000000000000',
'de8bc8b5-d9f9-48b1-a8ad-b748da725064',
'00000012-0000-0000-c000-000000000000',
'797f4846-ba00-4fd7-ba43-dac1f8f63013',
'05a65629-4c1b-48c1-a78b-804c4abdd4af',
'7df0a125-d3be-4c96-aa54-591f83ff541c'
],
includeUserActions: []
},
users: {
includeUsers: [
'a702a13d-a437-4a07-8a7e-8c052de62dfd'
],
excludeUsers: [
'124c5b6a-ffa5-483a-9b88-04c3fce5574a',
'GuestsOrExternalUsers'
],
includeGroups: [],
excludeGroups: [],
includeRoles: [
'9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
'cf1c38e5-3621-4004-a7cb-879624dced7c',
'c4e39bd9-1100-46d3-8c65-fb160da0071f'
],
excludeRoles: [
'b0f54661-2d74-4c50-afa3-1ec803f12efe'
]
},
platforms: {
includePlatforms: [
'all'
],
excludePlatforms: [
'iOS',
'windowsPhone'
]
},
locations: {
includeLocations: [
'AllTrusted'
],
excludeLocations: [
'00000000-0000-0000-0000-000000000000',
'd2136c9c-b049-47ae-b9cf-316e04ef7198'
]
},
deviceStates: {
includeStates: [
'All'
],
excludeStates: [
'Compliant'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa',
'compliantDevice',
'domainJoinedDevice',
'approvedApplication',
'compliantApplication'
],
customAuthenticationFactors: [],
termsOfUse: [
'ce580154-086a-40fd-91df-8a60abac81a0',
'7f29d675-caff-43e1-8a53-1b8516ed2075'
]
},
sessionControls: {
applicationEnforcedRestrictions: null,
persistentBrowser: null,
cloudAppSecurity: {
cloudAppSecurityType: 'blockDownloads',
isEnabled: true
},
signInFrequency: {
value: 4,
type: 'hours',
isEnabled: true
}
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\RiskLevel;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPlatforms;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessLocations;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDeviceStates;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessSessionControls;
use Microsoft\Graph\Beta\Generated\Models\CloudAppSecuritySessionControl;
use Microsoft\Graph\Beta\Generated\Models\CloudAppSecuritySessionControlType;
use Microsoft\Graph\Beta\Generated\Models\SignInFrequencySessionControl;
use Microsoft\Graph\Beta\Generated\Models\SigninFrequencyType;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Demo app for documentation');
$requestBody->setState(new ConditionalAccessPolicyState('disabled'));
$conditions = new ConditionalAccessConditionSet();
$conditions->setSignInRiskLevels([new RiskLevel('high'),new RiskLevel('medium'), ]);
$conditions->setClientAppTypes([new ConditionalAccessClientApp('mobileAppsAndDesktopClients'),new ConditionalAccessClientApp('exchangeActiveSync'),new ConditionalAccessClientApp('other'), ]);
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['All', ]);
$conditionsApplications->setExcludeApplications(['499b84ac-1321-427f-aa17-267ca6975798', '00000007-0000-0000-c000-000000000000', 'de8bc8b5-d9f9-48b1-a8ad-b748da725064', '00000012-0000-0000-c000-000000000000', '797f4846-ba00-4fd7-ba43-dac1f8f63013', '05a65629-4c1b-48c1-a78b-804c4abdd4af', '7df0a125-d3be-4c96-aa54-591f83ff541c', ]);
$conditionsApplications->setIncludeUserActions([ ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeUsers(['a702a13d-a437-4a07-8a7e-8c052de62dfd', ]);
$conditionsUsers->setExcludeUsers(['124c5b6a-ffa5-483a-9b88-04c3fce5574a', 'GuestsOrExternalUsers', ]);
$conditionsUsers->setIncludeGroups([ ]);
$conditionsUsers->setExcludeGroups([ ]);
$conditionsUsers->setIncludeRoles(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'cf1c38e5-3621-4004-a7cb-879624dced7c', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', ]);
$conditionsUsers->setExcludeRoles(['b0f54661-2d74-4c50-afa3-1ec803f12efe', ]);
$conditions->setUsers($conditionsUsers);
$conditionsPlatforms = new ConditionalAccessPlatforms();
$conditionsPlatforms->setIncludePlatforms([new ConditionalAccessDevicePlatform('all'), ]);
$conditionsPlatforms->setExcludePlatforms([new ConditionalAccessDevicePlatform('iOS'),new ConditionalAccessDevicePlatform('windowsPhone'), ]);
$conditions->setPlatforms($conditionsPlatforms);
$conditionsLocations = new ConditionalAccessLocations();
$conditionsLocations->setIncludeLocations(['AllTrusted', ]);
$conditionsLocations->setExcludeLocations(['00000000-0000-0000-0000-000000000000', 'd2136c9c-b049-47ae-b9cf-316e04ef7198', ]);
$conditions->setLocations($conditionsLocations);
$conditionsDeviceStates = new ConditionalAccessDeviceStates();
$conditionsDeviceStates->setIncludeStates(['All', ]);
$conditionsDeviceStates->setExcludeStates(['Compliant', ]);
$conditions->setDeviceStates($conditionsDeviceStates);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('mfa'),new ConditionalAccessGrantControl('compliantDevice'),new ConditionalAccessGrantControl('domainJoinedDevice'),new ConditionalAccessGrantControl('approvedApplication'),new ConditionalAccessGrantControl('compliantApplication'), ]);
$grantControls->setCustomAuthenticationFactors([ ]);
$grantControls->setTermsOfUse(['ce580154-086a-40fd-91df-8a60abac81a0', '7f29d675-caff-43e1-8a53-1b8516ed2075', ]);
$requestBody->setGrantControls($grantControls);
$sessionControls = new ConditionalAccessSessionControls();
$sessionControls->setApplicationEnforcedRestrictions(null);
$sessionControls->setPersistentBrowser(null);
$sessionControlsCloudAppSecurity = new CloudAppSecuritySessionControl();
$sessionControlsCloudAppSecurity->setCloudAppSecurityType(new CloudAppSecuritySessionControlType('blockDownloads'));
$sessionControlsCloudAppSecurity->setIsEnabled(true);
$sessionControls->setCloudAppSecurity($sessionControlsCloudAppSecurity);
$sessionControlsSignInFrequency = new SignInFrequencySessionControl();
$sessionControlsSignInFrequency->setValue(4);
$sessionControlsSignInFrequency->setType(new SigninFrequencyType('hours'));
$sessionControlsSignInFrequency->setIsEnabled(true);
$sessionControls->setSignInFrequency($sessionControlsSignInFrequency);
$requestBody->setSessionControls($sessionControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.SignIns
$params = @{
displayName = "Demo app for documentation"
state = "disabled"
conditions = @{
signInRiskLevels = @(
"high"
"medium"
)
clientAppTypes = @(
"mobileAppsAndDesktopClients"
"exchangeActiveSync"
"other"
)
applications = @{
includeApplications = @(
"All"
)
excludeApplications = @(
"499b84ac-1321-427f-aa17-267ca6975798"
"00000007-0000-0000-c000-000000000000"
"de8bc8b5-d9f9-48b1-a8ad-b748da725064"
"00000012-0000-0000-c000-000000000000"
"797f4846-ba00-4fd7-ba43-dac1f8f63013"
"05a65629-4c1b-48c1-a78b-804c4abdd4af"
"7df0a125-d3be-4c96-aa54-591f83ff541c"
)
includeUserActions = @(
)
}
users = @{
includeUsers = @(
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
)
excludeUsers = @(
"124c5b6a-ffa5-483a-9b88-04c3fce5574a"
"GuestsOrExternalUsers"
)
includeGroups = @(
)
excludeGroups = @(
)
includeRoles = @(
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
"cf1c38e5-3621-4004-a7cb-879624dced7c"
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
)
excludeRoles = @(
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
)
}
platforms = @{
includePlatforms = @(
"all"
)
excludePlatforms = @(
"iOS"
"windowsPhone"
)
}
locations = @{
includeLocations = @(
"AllTrusted"
)
excludeLocations = @(
"00000000-0000-0000-0000-000000000000"
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
)
}
deviceStates = @{
includeStates = @(
"All"
)
excludeStates = @(
"Compliant"
)
}
}
grantControls = @{
operator = "OR"
builtInControls = @(
"mfa"
"compliantDevice"
"domainJoinedDevice"
"approvedApplication"
"compliantApplication"
)
customAuthenticationFactors = @(
)
termsOfUse = @(
"ce580154-086a-40fd-91df-8a60abac81a0"
"7f29d675-caff-43e1-8a53-1b8516ed2075"
)
}
sessionControls = @{
applicationEnforcedRestrictions = $null
persistentBrowser = $null
cloudAppSecurity = @{
cloudAppSecurityType = "blockDownloads"
isEnabled = $true
}
signInFrequency = @{
value = 4
type = "hours"
isEnabled = $true
}
}
}
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.risk_level import RiskLevel
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_platforms import ConditionalAccessPlatforms
from msgraph_beta.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph_beta.generated.models.conditional_access_locations import ConditionalAccessLocations
from msgraph_beta.generated.models.conditional_access_device_states import ConditionalAccessDeviceStates
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
from msgraph_beta.generated.models.conditional_access_session_controls import ConditionalAccessSessionControls
from msgraph_beta.generated.models.cloud_app_security_session_control import CloudAppSecuritySessionControl
from msgraph_beta.generated.models.cloud_app_security_session_control_type import CloudAppSecuritySessionControlType
from msgraph_beta.generated.models.sign_in_frequency_session_control import SignInFrequencySessionControl
from msgraph_beta.generated.models.signin_frequency_type import SigninFrequencyType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Demo app for documentation",
state = ConditionalAccessPolicyState.Disabled,
conditions = ConditionalAccessConditionSet(
sign_in_risk_levels = [
RiskLevel.High,
RiskLevel.Medium,
],
client_app_types = [
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.ExchangeActiveSync,
ConditionalAccessClientApp.Other,
],
applications = ConditionalAccessApplications(
include_applications = [
"All",
],
exclude_applications = [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
],
include_user_actions = [
],
),
users = ConditionalAccessUsers(
include_users = [
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
],
exclude_users = [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
],
include_groups = [
],
exclude_groups = [
],
include_roles = [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
],
exclude_roles = [
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
],
),
platforms = ConditionalAccessPlatforms(
include_platforms = [
ConditionalAccessDevicePlatform.All,
],
exclude_platforms = [
ConditionalAccessDevicePlatform.IOS,
ConditionalAccessDevicePlatform.WindowsPhone,
],
),
locations = ConditionalAccessLocations(
include_locations = [
"AllTrusted",
],
exclude_locations = [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
],
),
device_states = ConditionalAccessDeviceStates(
include_states = [
"All",
],
exclude_states = [
"Compliant",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Mfa,
ConditionalAccessGrantControl.CompliantDevice,
ConditionalAccessGrantControl.DomainJoinedDevice,
ConditionalAccessGrantControl.ApprovedApplication,
ConditionalAccessGrantControl.CompliantApplication,
],
custom_authentication_factors = [
],
terms_of_use = [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
],
),
session_controls = ConditionalAccessSessionControls(
application_enforced_restrictions = None,
persistent_browser = None,
cloud_app_security = CloudAppSecuritySessionControl(
cloud_app_security_type = CloudAppSecuritySessionControlType.BlockDownloads,
is_enabled = True,
),
sign_in_frequency = SignInFrequencySessionControl(
value = 4,
type = SigninFrequencyType.Hours,
is_enabled = True,
),
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Response
The following example shows the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
"displayName": "Demo app for documentation",
"createdDateTime": "2019-09-26T23:12:16.0792706Z",
"modifiedDateTime": null,
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
Example 4: Require MFA to Exchange Online from non-compliant devices
Note: We are deprecating the deviceStates condition, and it may be removed in the future. Going forward, use devices condition.
Request
The following example shows a request to require MFA to Exchange Online from non-compliant devices.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA to EXO from non-complaint devices.",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Require MFA to EXO from non-complaint devices.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"00000002-0000-0ff1-ce00-000000000000",
},
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<string>
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
},
},
Devices = new ConditionalAccessDevices
{
IncludeDevices = new List<string>
{
"All",
},
ExcludeDevices = new List<string>
{
"Compliant",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Mfa,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
mgc-beta identity conditional-access policies create --body '{\
"displayName": "Require MFA to EXO from non-complaint devices.",\
"state": "enabled",\
"conditions": {\
"applications": {\
"includeApplications": [\
"00000002-0000-0ff1-ce00-000000000000"\
]\
},\
"users": {\
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]\
},\
"devices": {\
"includeDevices": [\
"All"\
],\
"excludeDevices": [\
"Compliant"\
]\
}\
},\
"grantControls": {\
"operator": "OR",\
"builtInControls": [\
"mfa"\
]\
}\
}\
'
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Require MFA to EXO from non-complaint devices."
requestBody.SetDisplayName(&displayName)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"00000002-0000-0ff1-ce00-000000000000",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeGroups := []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
users.SetIncludeGroups(includeGroups)
conditions.SetUsers(users)
devices := graphmodels.NewConditionalAccessDevices()
includeDevices := []string {
"All",
}
devices.SetIncludeDevices(includeDevices)
excludeDevices := []string {
"Compliant",
}
devices.SetExcludeDevices(excludeDevices)
conditions.SetDevices(devices)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.MFA_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
requestBody.SetGrantControls(grantControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Require MFA to EXO from non-complaint devices.");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000002-0000-0ff1-ce00-000000000000");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroups = new LinkedList<String>();
includeGroups.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.setIncludeGroups(includeGroups);
conditions.setUsers(users);
ConditionalAccessDevices devices = new ConditionalAccessDevices();
LinkedList<String> includeDevices = new LinkedList<String>();
includeDevices.add("All");
devices.setIncludeDevices(includeDevices);
LinkedList<String> excludeDevices = new LinkedList<String>();
excludeDevices.add("Compliant");
devices.setExcludeDevices(excludeDevices);
conditions.setDevices(devices);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Mfa);
grantControls.setBuiltInControls(builtInControls);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Require MFA to EXO from non-complaint devices.',
state: 'enabled',
conditions: {
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
devices: {
includeDevices: [
'All'
],
excludeDevices: [
'Compliant'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevices;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Require MFA to EXO from non-complaint devices.');
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$conditions = new ConditionalAccessConditionSet();
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['00000002-0000-0ff1-ce00-000000000000', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeGroups(['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba', ]);
$conditions->setUsers($conditionsUsers);
$conditionsDevices = new ConditionalAccessDevices();
$conditionsDevices->setIncludeDevices(['All', ]);
$conditionsDevices->setExcludeDevices(['Compliant', ]);
$conditions->setDevices($conditionsDevices);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('mfa'), ]);
$requestBody->setGrantControls($grantControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.SignIns
$params = @{
displayName = "Require MFA to EXO from non-complaint devices."
state = "enabled"
conditions = @{
applications = @{
includeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
users = @{
includeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
devices = @{
includeDevices = @(
"All"
)
excludeDevices = @(
"Compliant"
)
}
}
grantControls = @{
operator = "OR"
builtInControls = @(
"mfa"
)
}
}
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_devices import ConditionalAccessDevices
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Require MFA to EXO from non-complaint devices.",
state = ConditionalAccessPolicyState.Enabled,
conditions = ConditionalAccessConditionSet(
applications = ConditionalAccessApplications(
include_applications = [
"00000002-0000-0ff1-ce00-000000000000",
],
),
users = ConditionalAccessUsers(
include_groups = [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
],
),
devices = ConditionalAccessDevices(
include_devices = [
"All",
],
exclude_devices = [
"Compliant",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Mfa,
],
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Response
The following example shows the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
"displayName": "Require MFA to EXO from non-complaint devices.",
"createdDateTime": "2020-04-01T00:55:12.9571747Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": [],
"includeProtectionLevels": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}