| title | conditionalAccessConditionSet resource type |
|---|---|
| description | Represents the type of conditions that govern when the policy applies. |
| ms.localizationpriority | medium |
| author | lisaychuang |
| ms.reviewer | conditionalaccesspm |
| ms.subservice | entra-sign-in |
| doc_type | resourcePageType |
| ms.date | 05/15/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Represents the type of conditions that govern when the policy applies.
| Property | Type | Description |
|---|---|---|
| agentIdRiskLevels | conditionalAccessAgentIdRiskLevels | Agent identity risk levels included in the policy. The possible values are: low, medium, high, unknownFutureValue. This enumeration is multivalued. |
| applications | conditionalAccessApplications | Applications and user actions included in and excluded from the policy. Required. |
| authenticationFlows | conditionalAccessAuthenticationFlows | Authentication flows included in the policy scope. For more information, see Conditional Access: Authentication flows. |
| users | conditionalAccessUsers | Users, groups, and roles included in and excluded from the policy. Either users or clientApplications is required. |
| clientApplications | conditionalAccessClientApplications | Client applications (service principals and workload identities) included in and excluded from the policy. Either users or clientApplications is required. |
| clientAppTypes | conditionalAccessClientApp collection | Client application types included in the policy. The possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other. Required. The easUnsupported enumeration member is deprecated in favor of exchangeActiveSync, which includes EAS supported and unsupported platforms. |
| deviceStates | conditionalAccessDeviceStates | Device states in the policy. To be deprecated and removed. Use the devices property instead. |
| devices | conditionalAccessDevices | Devices in the policy. |
| locations | conditionalAccessLocations | Locations included in and excluded from the policy. |
| platforms | conditionalAccessPlatforms | Platforms included in and excluded from the policy. |
| servicePrincipalRiskLevels | riskLevel collection | Service principal risk levels included in the policy. The possible values are: low, medium, high, none, unknownFutureValue. |
| signInRiskLevels | riskLevel collection | Sign-in risk levels included in the policy. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Required. |
| userRiskLevels | riskLevel collection | User risk levels included in the policy. The possible values are: low, medium, high, hidden, none, unknownFutureValue. Required. |
| insiderRiskLevels | conditionalAccessInsiderRiskLevels | Insider risk levels included in the policy. The possible values are: minor, moderate, elevated, unknownFutureValue. |
Relationships: None.
The following JSON representation shows the resource type.
```json
{
  "@odata.type": "#microsoft.graph.conditionalAccessConditionSet",
  "applications": {"@odata.type": "microsoft.graph.conditionalAccessApplications"},
  "users": {"@odata.type": "microsoft.graph.conditionalAccessUsers"},
  "clientApplications": {"@odata.type": "microsoft.graph.conditionalAccessClientApplications"},
  "clientAppTypes": ["String"],
  "deviceStates": {"@odata.type": "microsoft.graph.conditionalAccessDeviceStates"},
  "devices": {"@odata.type": "microsoft.graph.conditionalAccessDevices"},
  "locations": {"@odata.type": "microsoft.graph.conditionalAccessLocations"},
  "platforms": {"@odata.type": "microsoft.graph.conditionalAccessPlatforms"},
  "servicePrincipalRiskLevels": ["String"],
  "signInRiskLevels": ["String"],
  "userRiskLevels": ["String"],
  "authenticationFlows": {"@odata.type": "microsoft.graph.conditionalAccessAuthenticationFlows"},
  "insiderRiskLevels": "String",
  "agentIdRiskLevels": "String"
}
```
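The property table marks some properties as required or deprecated and lists the allowed values for each enumeration. The following added example (not part of the Microsoft Graph documentation or SDK) lints an exported condition set against those rules. The function name `lint_condition_set` and the sample object are hypothetical, and it assumes the two multivalued properties shown as `"String"` carry comma-separated members.

```python
RISK = ("low", "medium", "high", "hidden", "none", "unknownFutureValue")
ALLOWED = {  # allowed values, copied from the property table
    "clientAppTypes": ("all", "browser", "mobileAppsAndDesktopClients",
                       "exchangeActiveSync", "easSupported", "other"),
    "signInRiskLevels": RISK,
    "userRiskLevels": RISK,
    "servicePrincipalRiskLevels": ("low", "medium", "high", "none", "unknownFutureValue"),
    "insiderRiskLevels": ("minor", "moderate", "elevated", "unknownFutureValue"),
    "agentIdRiskLevels": ("low", "medium", "high", "unknownFutureValue"),
}
REQUIRED = ("applications", "clientAppTypes", "signInRiskLevels", "userRiskLevels")


def lint_condition_set(cs):
    """Return a list of findings for one conditionalAccessConditionSet dict."""
    findings = []
    for name in REQUIRED:
        if cs.get(name) is None:
            findings.append(f"missing required property: {name}")
    if not cs.get("users") and not cs.get("clientApplications"):
        findings.append("either users or clientApplications is required")
    for name, allowed in ALLOWED.items():
        value = cs.get(name)
        if value is None:
            continue
        # Assumption: properties the JSON representation shows as a single
        # "String" hold comma-separated members; collections arrive as lists.
        parts = value.split(",") if isinstance(value, str) else value
        for m in (p.strip() for p in parts if p.strip()):
            if name == "clientAppTypes" and m == "easUnsupported":
                findings.append("clientAppTypes: easUnsupported is deprecated, use exchangeActiveSync")
            elif m not in allowed:
                findings.append(f"{name}: unexpected value {m!r}")
    if cs.get("deviceStates") is not None:
        findings.append("deviceStates is to be deprecated, use devices")
    return findings


# Constructed sample, not taken from a real tenant.
SAMPLE = {
    "applications": {"includeApplications": ["All"]},
    "clientAppTypes": ["browser", "easUnsupported"],
    "signInRiskLevels": ["high", "critical"],
    "deviceStates": {"includeStates": ["All"]},
    "insiderRiskLevels": "minor,moderate",
}

print("\n".join(lint_condition_set(SAMPLE)))
```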