| title | userProtectionScopeContainer: compute |
|---|---|
| toc.title | userProtectionScopeContainer: compute |
| description | Compute the data protection policies and actions applicable to a specific user based on their context. |
| author | kylemar |
| ms.date | 02/06/2026 |
| ms.localizationpriority | medium |
| ms.subservice | security |
| doc_type | apiPageType |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Compute the data protection policies and actions applicable to a specific user based on their context.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
POST /me/dataSecurityAndGovernance/protectionScopes/compute[!INCLUDE me-apis-sign-in-note]
POST /users/{usersId}/dataSecurityAndGovernance/protectionScopes/computeNote
If you only have the user's userPrincipalName, use the following URL to retrieve their object ID.
GET https://graph.microsoft.com/v1.0/users/{userPrincipalName}?$select=id
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
| If-None-Match | Optional. This value is used by the API to determine if the policy state changed since the last call to the API. |
| Client-Request-Id | String (GUID recommended). Optional. Unique identifier for this request, which is used for tracing and debugging in logs and support interactions. If an ID isn't provided, one may be generated automatically. We recommend that you specify the ID to make tracing and debugging easier. The same ID that was sent in the request is returned in the response. |
In the request body, provide a JSON object with the following parameters.
| Parameter | Type | Description |
|---|---|---|
| activities | microsoft.graph.security.userActivityTypes | Optional. Flags specifying the user activities the calling application supports or is interested. Possible values are none, uploadText, uploadFile, downloadText, downloadFile, unknownFutureValue. This object is a multi-valued enumeration. |
| deviceMetadata | deviceMetadata | Optional. Information about the user's device (type, OS) used for contextual policy evaluation. |
| integratedAppMetadata | integratedApplicationMetadata | Optional. Information about the calling application (name, version) integrating with Microsoft Purview. |
| locations | policyLocation collection | Optional. List of specific locations the application is interested in. If provided, results are trimmed to policies covering these locations. Use policy location application for application locations, policy location domain for domain locations, or policy location URL for URL locations. You must specify the @odata.type property to declare the type of policyLocation. For example, "@odata.type": "microsoft.graph.policyLocationApplication". |
| pivotOn | microsoft.graph.policyPivotProperty | Optional. Specifies how the results should be aggregated. If omitted or none, results might be less aggregated. Possible values are activity,location, none. |
| Name | Description |
|---|---|
| ETag | An indicator whether the admin-configured policy state changed. If the Etag matches the If-None-Match value and you cached the results of parsing previous results from this API, there's no need to parse the response and cache the parsed results. Cache this value for calls to process content. |
If successful, this action returns a 200 OK response code and a collection of policyUserScope objects in the response body. Each object represents a set of locations and activities governed by a common set of policy actions and execution mode for the specified user.
The following example computes the protection scope for a user performing text uploads, interested in a specific domain, pivoting the results by activity.
POST https://graph.microsoft.com/beta/users/7c1f8f10-cba8-4a8d-9449-db4b876d1ef70/dataSecurityAndGovernance/protectionScopes/compute
Content-type: application/json
Client-Request-Id: 50dc805c-3af4-42d9-ad16-a746235cc736
{
"activities": "uploadText,downloadText",
"locations": [
{
"@odata.type": "microsoft.graph.policyLocationApplication",
"value": "83ef208a-0396-4893-9d4f-d36efbffc8bd"
}
]
}The following example shows the response. It indicates that for the uploadText activity to public.contoso.com, policies require inline evaluation and trigger a browserRestriction action (likely blocking uploads based on sensitive content).
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
Client-Request-Id: 50dc805c-3af4-42d9-ad16-a746235cc736
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.policyUserScope)",
"value": [
{
"activities": "uploadText,downloadText",
"executionMode": "evaluateOffline",
"locations": [
{
"value": "83ef208a-0396-4893-9d4f-d36efbffc8bd"
}
],
"policyActions": []
},
{
"activities": "uploadText",
"executionMode": "evaluateInline",
"locations": [
{
"value": "83ef208a-0396-4893-9d4f-d36efbffc8bd"
}
],
"policyActions": []
}
]
}