| title | Create conditionalAccessPolicy |
|---|---|
| description | Create a new conditionalAccessPolicy. |
| ms.localizationpriority | medium |
| author | lisaychuang |
| ms.reviewer | conditionalaccesspm |
| ms.subservice | entra-sign-in |
| doc_type | apiPageType |
| ms.date | 10/17/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Create a new conditionalAccessPolicy.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
[!INCLUDE rbac-conditionalaccess-apis-write]
Note
This method has a known permissions issue and may require consent to multiple permissions.
POST /identity/conditionalAccess/policies| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, supply a JSON representation of a conditionalAccessPolicy object.
A valid policy should contain at least one application rule - for example, 'includeApplications': 'none', one user rule - for example, 'includeUsers': 'none', and at least one grant/session control.
If successful, this method returns a 201 Created response code and a new conditionalAccessPolicy object in the response body.
The following example shows a common request to require multifactor authentication for access to Exchange Online from modern authentication clients outside of trusted locations for a particular group.
Note: You must set up your trusted locations before using this operation.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Access to EXO requires MFA",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
"displayName": "Access to EXO requires MFA",
"createdDateTime": "2019-10-14T19:52:00.050958Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}The following example shows a request to block access to Exchange Online from non-trusted/unknown regions. This example assumes that the named location with id = 198ad66e-87b3-4157-85a3-8a7b51794ee9 corresponds to a list of non-trusted/unknown regions.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to EXO non-trusted regions.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
"displayName": "Block access to EXO non-trusted regions.",
"createdDateTime": "2019-10-14T19:53:11.3705634Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
],
"excludeLocations": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}The following example shows a request to use all the conditions/controls.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Demo app for documentation",
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
"displayName": "Demo app for documentation",
"createdDateTime": "2019-09-26T23:12:16.0792706Z",
"modifiedDateTime": null,
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}Note: We are deprecating the deviceStates condition, and it may be removed in the future. Going forward, use devices condition.
The following example shows a request to require MFA to Exchange Online from non-compliant devices.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA to EXO from non-compliant devices.",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
"displayName": "Require MFA to EXO from non-complaint devices.",
"createdDateTime": "2020-04-01T00:55:12.9571747Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": [],
"includeProtectionLevels": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}Example 5: Create a Conditional Access policy to allow only agent identities with the 'approved' custom security attribute tag to access resources with the 'HR' custom security attribute tag
The following example shows how to create a policy using custom security attributes
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Allow only approved agents to access resources",
"conditions": {
"clientApplications": {
"includeAgentIdServicePrincipals": [
"All"
],
"excludeAgentIdServicePrincipals": [],
"agentIdServicePrincipalFilter": {
"mode": "exclude",
"rule": "CustomSecurityAttribute.AgentAttributes_AgentStatus -eq \"Approved\""
}
},
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"applicationFilter": {
"mode": "exclude",
"rule": "CustomSecurityAttribute.AgenticResources_ResourceType -eq \"HR\""
}
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabledForReportingButNotEnforced"
}The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity",
"id": "baf90002-11d1-4ba4-8275-6f9c6218c2d4",
"templateId": null,
"displayName": "Allow only approved agents to access resources",
"createdDateTime": "2025-11-05T06:13:51.6950045Z",
"modifiedDateTime": null,
"state": "enabledForReportingButNotEnforced",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"platforms": null,
"locations": null,
"devices": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": {
"mode": "exclude",
"rule": "CustomSecurityAttribute.AgenticResources_ResourceType -eq \"HR\""
}
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [],
"excludeServicePrincipals": [],
"servicePrincipalFilter": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('baf90002-11d1-4ba4-8275-6f9c6218c2d4')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}Example 6: Create a Conditional Access policy to block all agent identities from accessing all resources
The following example shows a request to block all agent identities from accessing all resources.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block all agent identities from accessing resources",
"conditions": {
"clientApplications": {
"includeAgentIdServicePrincipals": [
"All"
],
"excludeAgentIdServicePrincipals": [],
"agentIdServicePrincipalFilter": null
},
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": []
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabledForReportingButNotEnforced"
}The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "86d20244-3175-4847-8b2f-3c60c8fc2aef",
"templateId": null,
"displayName": "Block all agent identities from accessing resources",
"createdDateTime": "2025-11-04T16:30:48.295918Z",
"modifiedDateTime": null,
"state": "enabled",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [],
"includeAgentIdServicePrincipals": [
"All"
],
"excludeServicePrincipals": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('86d20244-3175-4847-8b2f-3c60c8fc2aef')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}Example 7: Create a Conditional Access policy to block all high risk agent identities from accessing all resources
The following example shows a request to block all high risky agent identities from accessing all resources.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block all agent identities from accessing resources",
"conditions": {
"clientApplications": {
"includeAgentIdServicePrincipals": [
"All"
],
"excludeAgentIdServicePrincipals": [],
"agentIdServicePrincipalFilter": null
},
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": []
},
"agentIdRiskLevels": "high"
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabledForReportingButNotEnforced"
}The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "86d20244-3175-4847-8b2f-3c60c8fc2aef",
"templateId": null,
"displayName": "Block all high risk agent identities from accessing resources",
"createdDateTime": "2025-11-04T16:30:48.295918Z",
"modifiedDateTime": null,
"state": "enabled",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"agentIdRiskLevels": "high"
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [],
"includeAgentIdServicePrincipals": [
"All"
],
"excludeServicePrincipals": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('86d20244-3175-4847-8b2f-3c60c8fc2aef')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}The following example shows a request to block all agent users from accessing all resources.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block all agent users from accessing resources",
"conditions": {
"users": {
"includeUsers": [
"AllAgentIdUsers"
]},
"applications": {
"includeApplications": [
"All"
]
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabled"
}The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "0f9848ad-884e-46b2-b3ab-e26e1594f5e4",
"templateId": null,
"displayName": "Block all agent users from accessing resources",
"createdDateTime": "2025-11-04T16:28:54.84246Z",
"modifiedDateTime": null,
"state": "enabled",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"AllAgentIdUsers"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('0f9848ad-884e-46b2-b3ab-e26e1594f5e4')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}Example 9: Create a Conditional Access policy to require all users to perform MFA to access all agent resources
The following example shows a request to require all users to perform MFA to access all agent resources
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA for all users accessing agent resources",
"conditions": {
"users": {
"includeUsers": [
"All"
]
},
"applications": {
"includeApplications": [
"AllAgentIdResources"
],
"excludeApplications": []
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa"
]
},
"state": "enabledForReportingButNotEnforced"
}The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "4efea1cf-1eb7-4a33-b580-43d1c5c4c6e6",
"templateId": null,
"displayName": "Require MFA for all users accessing agent resources",
"createdDateTime": "2025-11-04T16:32:00.8699295Z",
"modifiedDateTime": null,
"state": "enabledForReportingButNotEnforced",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"AllAgentIdResources"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4efea1cf-1eb7-4a33-b580-43d1c5c4c6e6')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}