| title | Create appManagementPolicy |
|---|---|
| description | Create an application management policy. |
| ms.localizationpriority | medium |
| author | aricrowe57 |
| ms.subservice | entra-sign-in |
| doc_type | apiPageType |
| ms.date | 11/06/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Create an appManagementPolicy object.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
[!INCLUDE rbac-app-auth-method-custom-policy-api-update]
POST /policies/appManagementPolicies| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Important
Service principals with a createdDateTime null are treated as having being created on 01/01/2019.
In the request body, supply a JSON representation of the appManagementPolicy object.
You can specify the following properties when creating an appManagementPolicy.
| Property | Type | Description |
|---|---|---|
| displayName | String | The display name of the policy. Required. |
| description | String | The description of the policy. Required. |
| isEnabled | Boolean | Denotes whether the policy is enabled. Optional. |
| restrictions | appManagementConfiguration | Restrictions that apply to an application or service principal object. Optional. |
If successful, this method returns a 201 Created response code with the new appManagementPolicy object in the response payload.
The following example shows a request. This request created an app management policy with the following settings:
- Enables the policy.
- Blocks creating of new passwords for applications and service principals created on or after October 19th 2019 at 10:37 AM UTC time.
- Limits password secrets for apps and service principals created after October 19th 2014 at 10:37 AM UTC time to less than 90 days.
- Disables the nonDefaultUriAddition restriction. This means that apps with this policy applied to them can add new nondefault identifier URIs to their apps, even if the tenant default policy typically blocks it.
- Doesn't specify any other restrictions. This means that the behavior for those restrictions on apps/service principals with this policy applied falls back to however the tenant default policy is configured.
POST https://graph.microsoft.com/beta/policies/appManagementPolicies
{
"displayName": "Credential management policy",
"description": "Cred policy sample",
"isEnabled": true,
"restrictions": {
"passwordCredentials": [
{
"restrictionType": "passwordAddition",
"state": "enabled",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"
},
{
"restrictionType": "passwordLifetime",
"state": "enabled",
"maxLifetime": "P90D",
"restrictForAppsCreatedAfterDateTime": "2014-10-19T10:37:00Z"
},
{
"restrictionType": "symmetricKeyAddition",
"state": "enabled",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"
},
{
"restrictionType": "symmetricKeyLifetime",
"state": "enabled",
"maxLifetime": "P90D",
"restrictForAppsCreatedAfterDateTime": "2014-10-19T10:37:00Z"
}
],
"keyCredentials": [],
"applicationRestrictions": {
"identifierUris": {
"nonDefaultUriAddition": {
"state": "disabled",
"restrictForAppsCreatedAfterDateTime": null,
"excludeAppsReceivingV2Tokens": true,
"excludeSaml": true
}
}
}
}
}
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/appManagementPolicies/$entity",
"id": "a4ab1ed9-46bb-4bef-88d4-86fd6398dd5d",
"displayName": "credential management policy",
"description": "Lorem ipsum",
"isEnabled": true,
"restrictions": {
"passwordCredentials": [
{
"restrictionType": "passwordAddition",
"state": "enabled",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"
},
{
"restrictionType": "passwordLifetime",
"state": "enabled",
"maxLifetime": "P90D",
"restrictForAppsCreatedAfterDateTime": "2018-10-19T10:37:00Z"
},
{
"restrictionType": "symmetricKeyAddition",
"state": "enabled",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"
},
{
"restrictionType": "symmetricKeyLifetime",
"state": "enabled",
"maxLifetime": "P90D",
"restrictForAppsCreatedAfterDateTime": "2014-10-19T10:37:00Z"
}
],
"keyCredentials": [],
"applicationRestrictions": {
"identifierUris": {
"nonDefaultUriAddition": {
"state": "disabled",
"excludeAppsReceivingV2Tokens": true,
"excludeSaml": true
}
}
}
}
}