title Create permissionGrantConditionSet in includes collection of permissionGrantPolicy
description Add conditions under which a permission grant event is included in a permission grant policy.
ms.localizationpriority medium
doc_type apiPageType
ms.subservice entra-sign-in
author psignoret
ms.date 04/05/2024

Create permissionGrantConditionSet in includes collection of permissionGrantPolicy

Namespace: microsoft.graph

[!INCLUDE beta-disclaimer]

Add conditions under which a permission grant event is included in a permission grant policy. You do this by adding a permissionGrantConditionSet to the includes collection of a permissionGrantPolicy.

[!INCLUDE national-cloud-support]

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

[!INCLUDE permissions-table]

[!INCLUDE rbac-permission-grant-preapproval-policy-write]

HTTP request

POST /policies/permissionGrantPolicies/{id}/includes

Request headers

| Name | Description |
|:--|:--|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-type | application/json. Required. |

Request body

In the request body, supply a JSON representation of a permissionGrantConditionSet object.

Response

If successful, this method returns a 201 Created response code and a permissionGrantConditionSet object in the response body.

Examples

Example 1: Create a permission grant policy for client apps that are from verified publishers

Request

In this example, all delegated permissions for client apps that are from verified publishers are included in the permission grant policy. Because all the other conditions from the permissionGrantConditionSet were omitted, they take their default values, which in each case is the most inclusive value.

POST https://graph.microsoft.com/beta/policies/permissionGrantPolicies/{id}/includes
Content-Type: application/json

{
  "permissionType": "delegated",
  "clientApplicationsFromVerifiedPublisherOnly": true
}

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]


Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "id": "75ffda85-9314-43bc-bf19-554a7d079e96",
  "permissionClassification": "all",
  "permissionType": "delegated",
  "resourceApplication": "any",
  "permissions": ["all"],
  "clientApplicationIds": ["all"],
  "clientApplicationTenantIds": ["all"],
  "clientApplicationPublisherIds": ["all"],
  "clientApplicationsFromVerifiedPublisherOnly": true,
  "certifiedClientApplicationsOnly": false,
  "scopeSensitivityLabels": {
      "@odata.type": "#microsoft.graph.allScopeSensitivityLabels",
      "labelKind": "all"
  }
}

Example 2: Create a permission grant policy for client apps that are Microsoft 365 certified

Request

In this example, all delegated permissions for all client apps that are Microsoft 365 certified are included in the permission grant policy. Because having a verified publisher is a prerequisite for an app to be considered Microsoft 365 certified, it isn't necessary to explicitly require a verified publisher. Because all the other conditions from the permissionGrantConditionSet were omitted, they take their default values, which in each case is the most inclusive value.

POST https://graph.microsoft.com/beta/policies/permissionGrantPolicies/{id}/includes
Content-Type: application/json

{
  "permissionType": "delegated",
  "certifiedClientApplicationsOnly": true
}

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]


Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "id": "75ffda85-9314-43bc-bf19-554a7d079e96",
  "permissionClassification": "all",
  "permissionType": "delegated",
  "resourceApplication": "any",
  "permissions": ["all"],
  "clientApplicationIds": ["all"],
  "clientApplicationTenantIds": ["all"],
  "clientApplicationPublisherIds": ["all"],
  "clientApplicationsFromVerifiedPublisherOnly": true,
  "certifiedClientApplicationsOnly": true,
  "scopeSensitivityLabels": {
      "@odata.type": "#microsoft.graph.allScopeSensitivityLabels",
      "labelKind": "all"
  }
}
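
The following added example (not part of the original page or of any Microsoft SDK) expands a request body into the condition set the two examples above show in their responses, lists which conditions are still at their most inclusive default, and builds the POST without sending it. The helper names, the `CLIENT_KEYS` review rule, and the requirement of an explicit `permissionType` are assumptions of this sketch; `scopeSensitivityLabels` is left out for brevity.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/beta"

# Most-inclusive defaults, as echoed back in the Example 1 response on this page.
# clientApplicationsFromVerifiedPublisherOnly=False is the documented default; it is
# not visible in that response because the Example 1 request set it explicitly.
DEFAULTS = {
    "permissionClassification": "all",
    "resourceApplication": "any",
    "permissions": ["all"],
    "clientApplicationIds": ["all"],
    "clientApplicationTenantIds": ["all"],
    "clientApplicationPublisherIds": ["all"],
    "clientApplicationsFromVerifiedPublisherOnly": False,
    "certifiedClientApplicationsOnly": False,
}
# Conditions that narrow *which client app* matches (local review rule, an assumption).
CLIENT_KEYS = set(DEFAULTS) - {"permissionClassification", "resourceApplication", "permissions"}

def effective_conditions(body):
    """Expand a request body into the conditions that would apply after defaults."""
    if "permissionType" not in body:
        raise ValueError("this helper expects an explicit permissionType")
    merged = {**DEFAULTS, **body}
    # Example 2: Microsoft 365 certification presupposes a verified publisher.
    if merged["certifiedClientApplicationsOnly"]:
        merged["clientApplicationsFromVerifiedPublisherOnly"] = True
    return merged

def unconstrained(body):
    """Names of conditions still at their most-inclusive default."""
    eff = effective_conditions(body)
    return sorted(k for k, v in DEFAULTS.items() if eff[k] == v)

def build_request(policy_id, body, token):
    """Build (do not send) the POST to the policy's includes collection."""
    if CLIENT_KEYS <= set(unconstrained(body)):
        raise ValueError("include would match every client app; add a client condition")
    return urllib.request.Request(
        f"{GRAPH}/policies/permissionGrantPolicies/{policy_id}/includes",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
```

Running `unconstrained()` over a proposed body before posting it makes the omitted conditions explicit, which is the part of the include that is easy to overlook in review.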