---
title: "conditionalAccessPolicy resource type"
description: "Represents a Microsoft Entra Conditional Access policy. Conditional access policies are custom rules that define an access scenario."
author: "ashyasingh"
ms.date: 08/11/2025
ms.localizationpriority: medium
ms.subservice: "entra-sign-in"
doc_type: resourcePageType
---
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Represents a Microsoft Entra Conditional Access policy. Conditional access policies are custom rules that define an access scenario. For more information, see the Conditional access documentation.
Inherits from policyDeletableItem.
| Method | Return type | Description |
|---|---|---|
| List | conditionalAccessPolicy collection | Get a list of the conditionalAccessPolicy objects and their properties. |
| Create | conditionalAccessPolicy | Create a new conditionalAccessPolicy object. |
| Get | conditionalAccessPolicy | Read the properties and relationships of a conditionalAccessPolicy object. |
| Update | conditionalAccessPolicy | Update the properties of a conditionalAccessPolicy object. |
| Delete | None | Delete a conditionalAccessPolicy object. |
| List deleted policies | conditionalAccessPolicy collection | List all deleted conditionalAccessPolicy objects. |
| Get deleted policy | conditionalAccessPolicy | Get a single deleted conditionalAccessPolicy object. |
| Restore | conditionalAccessPolicy | Restore a conditionalAccessPolicy object. |
| Permanently delete a soft deleted policy | None | Permanently delete a deleted conditionalAccessPolicy object. |

| Property | Type | Description |
|---|---|---|
| conditions | conditionalAccessConditionSet | Specifies the rules that must be met for the policy to apply. Required. |
| createdDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| description | String | Not used. |
| displayName | String | Specifies a display name for the conditionalAccessPolicy object. |
| grantControls | conditionalAccessGrantControls | Specifies the grant controls that must be fulfilled to pass the policy. |
| id | String | Specifies the identifier of a conditionalAccessPolicy object. Read-only. |
| modifiedDateTime | DateTimeOffset | The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Read-only. |
| sessionControls | conditionalAccessSessionControls | Specifies the session controls that are enforced after sign-in. |
| state | conditionalAccessPolicyState | Specifies the state of the conditionalAccessPolicy object. The possible values are: enabled, disabled, enabledForReportingButNotEnforced. Required. |
| deletedDateTime | DateTimeOffset | Shows the last date and time the policy was deleted. Inherited from policyDeletableItem. |

Relationships: None.
The following JSON representation shows the resource type.
```json
{
  "@odata.type": "#microsoft.graph.conditionalAccessPolicy",
  "deletedDateTime": "String (timestamp)",
  "id": "String (identifier)",
  "createdDateTime": "String (timestamp)",
  "modifiedDateTime": "String (timestamp)",
  "displayName": "String",
  "description": "String",
  "state": "String",
  "conditions": {
    "@odata.type": "microsoft.graph.conditionalAccessConditionSet"
  },
  "grantControls": {
    "@odata.type": "microsoft.graph.conditionalAccessGrantControls"
  },
  "sessionControls": {
    "@odata.type": "microsoft.graph.conditionalAccessSessionControls"
  }
}
```
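The following is an added example, not part of the original reference or Microsoft's own code: a review pass over conditionalAccessPolicy objects (as returned by the List methods) that uses the `state`, `deletedDateTime`, `grantControls`, `sessionControls` and timestamp properties documented above to flag policies that are not actually enforcing anything or that changed recently. The function names, the seven-day review window, and the sample objects (ids, display names, control values) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# state values from the properties table above
ENABLED, DISABLED, REPORT_ONLY = "enabled", "disabled", "enabledForReportingButNotEnforced"

def parse_ts(value):
    """Parse a UTC ISO 8601 timestamp (e.g. 2014-01-01T00:00:00Z); None stays None."""
    if not value:
        return None
    whole = re.sub(r"\.\d+", "", value)  # drop fractional seconds if present
    return datetime.strptime(whole, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_policies(policies, now, recent=timedelta(days=7)):
    """Map policy id -> list of review findings; policies with no findings are omitted."""
    findings = {}
    for p in policies:
        notes = []
        state = p.get("state")
        if p.get("deletedDateTime"):
            notes.append("soft-deleted")
        if state == DISABLED:
            notes.append("disabled")
        elif state == REPORT_ONLY:
            notes.append("report-only, not enforced")
        elif state != ENABLED:
            notes.append(f"unrecognized state {state!r}")
        elif not p.get("grantControls") and not p.get("sessionControls"):
            notes.append("enabled but has no grant or session controls")
        # Fall back to createdDateTime when the policy was never modified.
        changed = parse_ts(p.get("modifiedDateTime")) or parse_ts(p.get("createdDateTime"))
        if changed and now - changed <= recent:
            notes.append("changed within review window")
        if notes:
            findings[p.get("id")] = notes
    return findings

# Constructed sample objects (hypothetical ids, names and control values), not real tenant data.
SAMPLE = [
    {"id": "policy-1", "displayName": "Require MFA for admins", "state": "enabled",
     "createdDateTime": "2024-01-10T08:00:00Z", "modifiedDateTime": None,
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}, "sessionControls": None},
    {"id": "policy-2", "displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "createdDateTime": "2024-03-01T09:30:00Z", "modifiedDateTime": "2025-08-09T17:45:12.1234567Z",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}, "sessionControls": None},
    {"id": "policy-3", "displayName": "Old pilot", "state": "disabled",
     "createdDateTime": "2023-05-05T00:00:00Z", "modifiedDateTime": "2023-06-01T00:00:00Z",
     "deletedDateTime": "2025-08-10T12:00:00Z", "grantControls": None, "sessionControls": None},
]
NOW = datetime(2025, 8, 11, tzinfo=timezone.utc)  # fixed clock so the result is reproducible
```

Run `audit_policies(SAMPLE, NOW)` to see the findings; in practice the input would be the `value` array from a List or List deleted policies response.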