conditionalAccessRoot: evaluate

Namespace: microsoft.graph

Wichtig

Die APIs unter der /beta Version in Microsoft Graph können sich ändern. Die Verwendung dieser APIs in Produktionsanwendungen wird nicht unterstützt. Um festzustellen, ob eine API in v1.0 verfügbar ist, verwenden Sie die Version Selektor.

Bewertet die Anwendbarkeit von Richtlinien für bedingten Zugriff in Ihrem Mandanten basierend auf den bereitgestellten Anmeldeeigenschaften.

Diese API ist in den folgenden nationalen Cloudbereitstellungen verfügbar.

Weltweiter Service	US Government L4	US Government L5 (DOD)	China, betrieben von 21Vianet
✅	✅	✅	✅

Berechtigungen

Wählen Sie die Berechtigungen aus, die für diese API als am wenigsten privilegiert markiert sind. Verwenden Sie eine höhere Berechtigung oder Berechtigungen nur, wenn Ihre App dies erfordert. Ausführliche Informationen zu delegierten Berechtigungen und Anwendungsberechtigungen finden Sie unter Berechtigungstypen. Weitere Informationen zu diesen Berechtigungen finden Sie in der Berechtigungsreferenz.

Berechtigungstyp	Berechtigungen mit den geringsten Berechtigungen	Berechtigungen mit höheren Berechtigungen
Delegiert (Geschäfts-, Schul- oder Unikonto)	Policy.Read.ConditionalAccess	Policy.Read.All, Policy.ReadWrite.ConditionalAccess
Delegiert (persönliches Microsoft-Konto)	Nicht unterstützt	Nicht unterstützt
Application	Policy.Read.ConditionalAccess	Policy.Read.All, Policy.ReadWrite.ConditionalAccess

HTTP-Anforderung

POST /identity/conditionalAccess/evaluate

Anforderungsheader

Name	Beschreibung
Authorization	Bearer {token}. Erforderlich. Erfahren Sie mehr über Authentifizierung und Autorisierung.
Content-Type	application/json. Erforderlich.

Anforderungstext

Geben Sie im Anforderungstext eine JSON-Darstellung der Parameter an. Damit die Auswertung die genauesten Ergebnisse liefert, geben Sie so viele Details zur Anmeldung wie möglich an. Wenn Ihr Mandant über Richtlinien mit bestimmten Bedingungen verfügt und die Anmeldedetails für diese Bedingungen in der Anforderung fehlen, kann das Was-wäre-wenn-Tool diese Bedingungen nicht auswerten.

In der folgenden Tabelle sind die Parameter aufgeführt, die beim Aufrufen dieser Aktion erforderlich sind.

Parameter	Typ	Beschreibung
signInIdentity	signInIdentity	Stellt die Identität dar, die sich authentifiziert. Dies kann ein Benutzer, ein externer Benutzer oder ein Dienstprinzipal mit einem einzelnen Mandanten sein. Erforderlich.
signInContext	signInContext	Stellt den Kontext der Authentifizierung dar. Dies kann den Zugriff auf eine Anwendung, das Ausführen einer bestimmten Benutzeraktion oder den Zugriff auf Daten umfassen, die durch einen Authentifizierungskontext geschützt sind. Erforderlich.
signInConditions	signInConditions	Stellt Anmeldeparameter der authentifizierenden Identität dar. Dies umfasst Details wie Standort, Geräteinformationen, Risikoinformationen usw. Erforderlich.
appliedPoliciesOnly	Boolean	Diese Eigenschaft steuert, ob alle Richtlinien in die Antwort eingeschlossen werden sollen oder nur die Richtlinien, die für das Authentifizierungsereignis gelten. Optional.

Antwort

Wenn die Aktion erfolgreich verläuft, werden der 200 OK Antwortcode und eine whatIfAnalysisResult-Auflistung im Antworttext zurückgegeben. Die Antwort gibt an, ob jede Richtlinie im Mandanten basierend auf den Anmeldeeigenschaften, die im Anforderungstext bereitgestellt werden, angewendet wird oder nicht.

Beispiele

Beispiel 1: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Benutzer gelten, der auf eine Anwendung zugreift

Anforderung

Das folgende Beispiel zeigt eine Anfrage.

POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
    "signInIdentity": {
        "@odata.type": "#microsoft.graph.userSignIn",
        "userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
    },
    "signInContext": {
        "@odata.type": "#microsoft.graph.applicationContext",
        "includeApplications": [
            "00000003-0000-0ff1-ce00-000000000000"
        ]
    },
    "signInConditions": {
        "devicePlatform": "android",
        "clientAppType": "browser",
        "signInRiskLevel": "high",
        "userRiskLevel": "high",
        "country": "US",
        "ipAddress": "40.77.182.32",
        "insiderRiskLevel": "elevated",
        "authenticationFlow": {
            "transferMethod": "deviceCodeFlow"
        },
        "deviceInfo": {
            "isCompliant": true
        }
    },
    "appliedPoliciesOnly": true
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Beta.Models;

var requestBody = new EvaluatePostRequestBody
{
	SignInIdentity = new UserSignIn
	{
		OdataType = "#microsoft.graph.userSignIn",
		UserId = "15dc174b-f34c-4588-ac45-61d6e05dce93",
	},
	SignInContext = new ApplicationContext
	{
		OdataType = "#microsoft.graph.applicationContext",
		IncludeApplications = new List<string>
		{
			"00000003-0000-0ff1-ce00-000000000000",
		},
	},
	SignInConditions = new SignInConditions
	{
		DevicePlatform = ConditionalAccessDevicePlatform.Android,
		ClientAppType = ConditionalAccessClientApp.Browser,
		SignInRiskLevel = RiskLevel.High,
		UserRiskLevel = RiskLevel.High,
		Country = "US",
		IpAddress = "40.77.182.32",
		InsiderRiskLevel = InsiderRiskLevel.Elevated,
		AuthenticationFlow = new AuthenticationFlow
		{
			TransferMethod = ConditionalAccessTransferMethods.DeviceCodeFlow,
		},
		DeviceInfo = new DeviceInfo
		{
			IsCompliant = true,
		},
	},
	AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);

Wichtig

Die Microsoft Graph SDKs verwenden standardmäßig die Version v1.0 der API und unterstützen nicht alle Typen, Eigenschaften und APIs, die in der Beta-Version verfügbar sind. Einzelheiten zum Zugriff auf die Beta-API mit dem SDK finden Sie unter Verwenden der Microsoft Graph SDKs mit der Beta-API.

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphidentity "github.com/microsoftgraph/msgraph-beta-sdk-go/identity"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphidentity.NewEvaluatePostRequestBody()
signInIdentity := graphmodels.NewUserSignIn()
userId := "15dc174b-f34c-4588-ac45-61d6e05dce93"
signInIdentity.SetUserId(&userId) 
requestBody.SetSignInIdentity(signInIdentity)
signInContext := graphmodels.NewApplicationContext()
includeApplications := []string {
	"00000003-0000-0ff1-ce00-000000000000",
}
signInContext.SetIncludeApplications(includeApplications)
requestBody.SetSignInContext(signInContext)
signInConditions := graphmodels.NewSignInConditions()
devicePlatform := graphmodels.ANDROID_CONDITIONALACCESSDEVICEPLATFORM 
signInConditions.SetDevicePlatform(&devicePlatform) 
clientAppType := graphmodels.BROWSER_CONDITIONALACCESSCLIENTAPP 
signInConditions.SetClientAppType(&clientAppType) 
signInRiskLevel := graphmodels.HIGH_RISKLEVEL 
signInConditions.SetSignInRiskLevel(&signInRiskLevel) 
userRiskLevel := graphmodels.HIGH_RISKLEVEL 
signInConditions.SetUserRiskLevel(&userRiskLevel) 
country := "US"
signInConditions.SetCountry(&country) 
ipAddress := "40.77.182.32"
signInConditions.SetIpAddress(&ipAddress) 
insiderRiskLevel := graphmodels.ELEVATED_INSIDERRISKLEVEL 
signInConditions.SetInsiderRiskLevel(&insiderRiskLevel) 
authenticationFlow := graphmodels.NewAuthenticationFlow()
transferMethod := graphmodels.DEVICECODEFLOW_CONDITIONALACCESSTRANSFERMETHODS 
authenticationFlow.SetTransferMethod(&transferMethod) 
signInConditions.SetAuthenticationFlow(authenticationFlow)
deviceInfo := graphmodels.NewDeviceInfo()
isCompliant := true
deviceInfo.SetIsCompliant(&isCompliant) 
signInConditions.SetDeviceInfo(deviceInfo)
requestBody.SetSignInConditions(signInConditions)
appliedPoliciesOnly := true
requestBody.SetAppliedPoliciesOnly(&appliedPoliciesOnly) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody evaluatePostRequestBody = new com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
UserSignIn signInIdentity = new UserSignIn();
signInIdentity.setOdataType("#microsoft.graph.userSignIn");
signInIdentity.setUserId("15dc174b-f34c-4588-ac45-61d6e05dce93");
evaluatePostRequestBody.setSignInIdentity(signInIdentity);
ApplicationContext signInContext = new ApplicationContext();
signInContext.setOdataType("#microsoft.graph.applicationContext");
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000003-0000-0ff1-ce00-000000000000");
signInContext.setIncludeApplications(includeApplications);
evaluatePostRequestBody.setSignInContext(signInContext);
SignInConditions signInConditions = new SignInConditions();
signInConditions.setDevicePlatform(ConditionalAccessDevicePlatform.Android);
signInConditions.setClientAppType(ConditionalAccessClientApp.Browser);
signInConditions.setSignInRiskLevel(RiskLevel.High);
signInConditions.setUserRiskLevel(RiskLevel.High);
signInConditions.setCountry("US");
signInConditions.setIpAddress("40.77.182.32");
signInConditions.setInsiderRiskLevel(InsiderRiskLevel.Elevated);
AuthenticationFlow authenticationFlow = new AuthenticationFlow();
authenticationFlow.setTransferMethod(EnumSet.of(ConditionalAccessTransferMethods.DeviceCodeFlow));
signInConditions.setAuthenticationFlow(authenticationFlow);
DeviceInfo deviceInfo = new DeviceInfo();
deviceInfo.setIsCompliant(true);
signInConditions.setDeviceInfo(deviceInfo);
evaluatePostRequestBody.setSignInConditions(signInConditions);
evaluatePostRequestBody.setAppliedPoliciesOnly(true);
var result = graphClient.identity().conditionalAccess().evaluate().post(evaluatePostRequestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const whatIfAnalysisResult = {
    signInIdentity: {
        '@odata.type': '#microsoft.graph.userSignIn',
        userId: '15dc174b-f34c-4588-ac45-61d6e05dce93'
    },
    signInContext: {
        '@odata.type': '#microsoft.graph.applicationContext',
        includeApplications: [
            '00000003-0000-0ff1-ce00-000000000000'
        ]
    },
    signInConditions: {
        devicePlatform: 'android',
        clientAppType: 'browser',
        signInRiskLevel: 'high',
        userRiskLevel: 'high',
        country: 'US',
        ipAddress: '40.77.182.32',
        insiderRiskLevel: 'elevated',
        authenticationFlow: {
            transferMethod: 'deviceCodeFlow'
        },
        deviceInfo: {
            isCompliant: true
        }
    },
    appliedPoliciesOnly: true
};

await client.api('/identity/conditionalAccess/evaluate')
	.version('beta')
	.post(whatIfAnalysisResult);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Beta\Generated\Models\UserSignIn;
use Microsoft\Graph\Beta\Generated\Models\ApplicationContext;
use Microsoft\Graph\Beta\Generated\Models\SignInConditions;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\RiskLevel;
use Microsoft\Graph\Beta\Generated\Models\InsiderRiskLevel;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationFlow;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessTransferMethods;
use Microsoft\Graph\Beta\Generated\Models\DeviceInfo;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new EvaluatePostRequestBody();
$signInIdentity = new UserSignIn();
$signInIdentity->setOdataType('#microsoft.graph.userSignIn');
$signInIdentity->setUserId('15dc174b-f34c-4588-ac45-61d6e05dce93');
$requestBody->setSignInIdentity($signInIdentity);
$signInContext = new ApplicationContext();
$signInContext->setOdataType('#microsoft.graph.applicationContext');
$signInContext->setIncludeApplications(['00000003-0000-0ff1-ce00-000000000000', 	]);
$requestBody->setSignInContext($signInContext);
$signInConditions = new SignInConditions();
$signInConditions->setDevicePlatform(new ConditionalAccessDevicePlatform('android'));
$signInConditions->setClientAppType(new ConditionalAccessClientApp('browser'));
$signInConditions->setSignInRiskLevel(new RiskLevel('high'));
$signInConditions->setUserRiskLevel(new RiskLevel('high'));
$signInConditions->setCountry('US');
$signInConditions->setIpAddress('40.77.182.32');
$signInConditions->setInsiderRiskLevel(new InsiderRiskLevel('elevated'));
$signInConditionsAuthenticationFlow = new AuthenticationFlow();
$signInConditionsAuthenticationFlow->setTransferMethod(new ConditionalAccessTransferMethods('deviceCodeFlow'));
$signInConditions->setAuthenticationFlow($signInConditionsAuthenticationFlow);
$signInConditionsDeviceInfo = new DeviceInfo();
$signInConditionsDeviceInfo->setIsCompliant(true);
$signInConditions->setDeviceInfo($signInConditionsDeviceInfo);
$requestBody->setSignInConditions($signInConditions);
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph_beta.generated.models.user_sign_in import UserSignIn
from msgraph_beta.generated.models.application_context import ApplicationContext
from msgraph_beta.generated.models.sign_in_conditions import SignInConditions
from msgraph_beta.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.risk_level import RiskLevel
from msgraph_beta.generated.models.insider_risk_level import InsiderRiskLevel
from msgraph_beta.generated.models.authentication_flow import AuthenticationFlow
from msgraph_beta.generated.models.conditional_access_transfer_methods import ConditionalAccessTransferMethods
from msgraph_beta.generated.models.device_info import DeviceInfo
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = EvaluatePostRequestBody(
	sign_in_identity = UserSignIn(
		odata_type = "#microsoft.graph.userSignIn",
		user_id = "15dc174b-f34c-4588-ac45-61d6e05dce93",
	),
	sign_in_context = ApplicationContext(
		odata_type = "#microsoft.graph.applicationContext",
		include_applications = [
			"00000003-0000-0ff1-ce00-000000000000",
		],
	),
	sign_in_conditions = SignInConditions(
		device_platform = ConditionalAccessDevicePlatform.Android,
		client_app_type = ConditionalAccessClientApp.Browser,
		sign_in_risk_level = RiskLevel.High,
		user_risk_level = RiskLevel.High,
		country = "US",
		ip_address = "40.77.182.32",
		insider_risk_level = InsiderRiskLevel.Elevated,
		authentication_flow = AuthenticationFlow(
			transfer_method = ConditionalAccessTransferMethods.DeviceCodeFlow,
		),
		device_info = DeviceInfo(
			is_compliant = True,
		),
	),
	applied_policies_only = True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.

Antwort

Das folgende Beispiel zeigt die Antwort.

Hinweis: Das hier gezeigte Antwortobjekt kann zur besseren Lesbarkeit gekürzt werden.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
    "value": [
        {
            "id": "df9e6f15-2b60-4e78-b990-b2da33a10886",
            "templateId": null,
            "displayName": "All users except au1_Office 365_No conditions_Session control application enforced restrictions",
            "createdDateTime": "2022-04-01T18:55:43.1454565Z",
            "modifiedDateTime": "2025-03-27T21:42:26.951558Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "grantControls": null,
            "partialEnablementStrategy": null,
            "conditions": {
                "userRiskLevels": [],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "clientApplications": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [
                        "Office365"
                    ],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "All"
                    ],
                    "excludeUsers": [
                        "f7ca74b0-8562-4083-b66c-0476f942cfd0"
                    ],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                }
            },
            "sessionControls": {
                "disableResilienceDefaults": null,
                "cloudAppSecurity": null,
                "signInFrequency": null,
                "persistentBrowser": null,
                "continuousAccessEvaluation": null,
                "secureSignInSession": null,
                "networkAccessSecurity": null,
                "globalSecureAccessFilteringProfile": null,
                "applicationEnforcedRestrictions": {
                    "isEnabled": true
                }
            }
        },
        {
            "id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
            "templateId": null,
            "displayName": "All Users except au1_All resources_user risk H_Password change",
            "createdDateTime": "2022-03-31T22:59:59.6688974Z",
            "modifiedDateTime": "2025-03-27T19:55:43.5390544Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [
                    "high"
                ],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "clientApplications": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [
                        "All"
                    ],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "All"
                    ],
                    "excludeUsers": [
                        "f7ca74b0-8562-4083-b66c-0476f942cfd0"
                    ],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                }
            },
            "grantControls": {
                "operator": "AND",
                "builtInControls": [
                    "mfa",
                    "passwordChange"
                ],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": null
            }
        }
    ]
}

Beispiel 2: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Benutzer gelten, der auf eine vertrauliche Datei zugreift, die durch einen Authentifizierungskontext geschützt wird

Anforderung

Das folgende Beispiel zeigt eine Anfrage.

POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
    "signInIdentity": {
        "@odata.type": "#microsoft.graph.userSignIn",
        "userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
    },
    "signInContext": {
        "@odata.type": "#microsoft.graph.authContext",
        "authenticationContextValue": "c37"
    },
    "signInConditions": {
        "devicePlatform": "windows",
        "clientAppType": "mobileAppsAndDesktopClients",
        "signInRiskLevel": "medium",
        "userRiskLevel": "none",
        "country": "US",
        "ipAddress": "40.77.182.32",
        "insiderRiskLevel": "moderate",
        "authenticationFlow": {
            "transferMethod": "authenticationTransfer"
        },
        "deviceInfo": {
            "profileType": "Standard"
        }
    },
    "appliedPoliciesOnly": true
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Beta.Models;

var requestBody = new EvaluatePostRequestBody
{
	SignInIdentity = new UserSignIn
	{
		OdataType = "#microsoft.graph.userSignIn",
		UserId = "15dc174b-f34c-4588-ac45-61d6e05dce93",
	},
	SignInContext = new AuthContext
	{
		OdataType = "#microsoft.graph.authContext",
		AuthenticationContextValue = "c37",
	},
	SignInConditions = new SignInConditions
	{
		DevicePlatform = ConditionalAccessDevicePlatform.Windows,
		ClientAppType = ConditionalAccessClientApp.MobileAppsAndDesktopClients,
		SignInRiskLevel = RiskLevel.Medium,
		UserRiskLevel = RiskLevel.None,
		Country = "US",
		IpAddress = "40.77.182.32",
		InsiderRiskLevel = InsiderRiskLevel.Moderate,
		AuthenticationFlow = new AuthenticationFlow
		{
			TransferMethod = ConditionalAccessTransferMethods.AuthenticationTransfer,
		},
		DeviceInfo = new DeviceInfo
		{
			ProfileType = "Standard",
		},
	},
	AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphidentity "github.com/microsoftgraph/msgraph-beta-sdk-go/identity"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphidentity.NewEvaluatePostRequestBody()
signInIdentity := graphmodels.NewUserSignIn()
userId := "15dc174b-f34c-4588-ac45-61d6e05dce93"
signInIdentity.SetUserId(&userId) 
requestBody.SetSignInIdentity(signInIdentity)
signInContext := graphmodels.NewAuthContext()
authenticationContextValue := "c37"
signInContext.SetAuthenticationContextValue(&authenticationContextValue) 
requestBody.SetSignInContext(signInContext)
signInConditions := graphmodels.NewSignInConditions()
devicePlatform := graphmodels.WINDOWS_CONDITIONALACCESSDEVICEPLATFORM 
signInConditions.SetDevicePlatform(&devicePlatform) 
clientAppType := graphmodels.MOBILEAPPSANDDESKTOPCLIENTS_CONDITIONALACCESSCLIENTAPP 
signInConditions.SetClientAppType(&clientAppType) 
signInRiskLevel := graphmodels.MEDIUM_RISKLEVEL 
signInConditions.SetSignInRiskLevel(&signInRiskLevel) 
userRiskLevel := graphmodels.NONE_RISKLEVEL 
signInConditions.SetUserRiskLevel(&userRiskLevel) 
country := "US"
signInConditions.SetCountry(&country) 
ipAddress := "40.77.182.32"
signInConditions.SetIpAddress(&ipAddress) 
insiderRiskLevel := graphmodels.MODERATE_INSIDERRISKLEVEL 
signInConditions.SetInsiderRiskLevel(&insiderRiskLevel) 
authenticationFlow := graphmodels.NewAuthenticationFlow()
transferMethod := graphmodels.AUTHENTICATIONTRANSFER_CONDITIONALACCESSTRANSFERMETHODS 
authenticationFlow.SetTransferMethod(&transferMethod) 
signInConditions.SetAuthenticationFlow(authenticationFlow)
deviceInfo := graphmodels.NewDeviceInfo()
profileType := "Standard"
deviceInfo.SetProfileType(&profileType) 
signInConditions.SetDeviceInfo(deviceInfo)
requestBody.SetSignInConditions(signInConditions)
appliedPoliciesOnly := true
requestBody.SetAppliedPoliciesOnly(&appliedPoliciesOnly) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody evaluatePostRequestBody = new com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
UserSignIn signInIdentity = new UserSignIn();
signInIdentity.setOdataType("#microsoft.graph.userSignIn");
signInIdentity.setUserId("15dc174b-f34c-4588-ac45-61d6e05dce93");
evaluatePostRequestBody.setSignInIdentity(signInIdentity);
AuthContext signInContext = new AuthContext();
signInContext.setOdataType("#microsoft.graph.authContext");
signInContext.setAuthenticationContextValue("c37");
evaluatePostRequestBody.setSignInContext(signInContext);
SignInConditions signInConditions = new SignInConditions();
signInConditions.setDevicePlatform(ConditionalAccessDevicePlatform.Windows);
signInConditions.setClientAppType(ConditionalAccessClientApp.MobileAppsAndDesktopClients);
signInConditions.setSignInRiskLevel(RiskLevel.Medium);
signInConditions.setUserRiskLevel(RiskLevel.None);
signInConditions.setCountry("US");
signInConditions.setIpAddress("40.77.182.32");
signInConditions.setInsiderRiskLevel(InsiderRiskLevel.Moderate);
AuthenticationFlow authenticationFlow = new AuthenticationFlow();
authenticationFlow.setTransferMethod(EnumSet.of(ConditionalAccessTransferMethods.AuthenticationTransfer));
signInConditions.setAuthenticationFlow(authenticationFlow);
DeviceInfo deviceInfo = new DeviceInfo();
deviceInfo.setProfileType("Standard");
signInConditions.setDeviceInfo(deviceInfo);
evaluatePostRequestBody.setSignInConditions(signInConditions);
evaluatePostRequestBody.setAppliedPoliciesOnly(true);
var result = graphClient.identity().conditionalAccess().evaluate().post(evaluatePostRequestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const whatIfAnalysisResult = {
    signInIdentity: {
        '@odata.type': '#microsoft.graph.userSignIn',
        userId: '15dc174b-f34c-4588-ac45-61d6e05dce93'
    },
    signInContext: {
        '@odata.type': '#microsoft.graph.authContext',
        authenticationContextValue: 'c37'
    },
    signInConditions: {
        devicePlatform: 'windows',
        clientAppType: 'mobileAppsAndDesktopClients',
        signInRiskLevel: 'medium',
        userRiskLevel: 'none',
        country: 'US',
        ipAddress: '40.77.182.32',
        insiderRiskLevel: 'moderate',
        authenticationFlow: {
            transferMethod: 'authenticationTransfer'
        },
        deviceInfo: {
            profileType: 'Standard'
        }
    },
    appliedPoliciesOnly: true
};

await client.api('/identity/conditionalAccess/evaluate')
	.version('beta')
	.post(whatIfAnalysisResult);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Beta\Generated\Models\UserSignIn;
use Microsoft\Graph\Beta\Generated\Models\AuthContext;
use Microsoft\Graph\Beta\Generated\Models\SignInConditions;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\RiskLevel;
use Microsoft\Graph\Beta\Generated\Models\InsiderRiskLevel;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationFlow;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessTransferMethods;
use Microsoft\Graph\Beta\Generated\Models\DeviceInfo;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new EvaluatePostRequestBody();
$signInIdentity = new UserSignIn();
$signInIdentity->setOdataType('#microsoft.graph.userSignIn');
$signInIdentity->setUserId('15dc174b-f34c-4588-ac45-61d6e05dce93');
$requestBody->setSignInIdentity($signInIdentity);
$signInContext = new AuthContext();
$signInContext->setOdataType('#microsoft.graph.authContext');
$signInContext->setAuthenticationContextValue('c37');
$requestBody->setSignInContext($signInContext);
$signInConditions = new SignInConditions();
$signInConditions->setDevicePlatform(new ConditionalAccessDevicePlatform('windows'));
$signInConditions->setClientAppType(new ConditionalAccessClientApp('mobileAppsAndDesktopClients'));
$signInConditions->setSignInRiskLevel(new RiskLevel('medium'));
$signInConditions->setUserRiskLevel(new RiskLevel('none'));
$signInConditions->setCountry('US');
$signInConditions->setIpAddress('40.77.182.32');
$signInConditions->setInsiderRiskLevel(new InsiderRiskLevel('moderate'));
$signInConditionsAuthenticationFlow = new AuthenticationFlow();
$signInConditionsAuthenticationFlow->setTransferMethod(new ConditionalAccessTransferMethods('authenticationTransfer'));
$signInConditions->setAuthenticationFlow($signInConditionsAuthenticationFlow);
$signInConditionsDeviceInfo = new DeviceInfo();
$signInConditionsDeviceInfo->setProfileType('Standard');
$signInConditions->setDeviceInfo($signInConditionsDeviceInfo);
$requestBody->setSignInConditions($signInConditions);
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph_beta.generated.models.user_sign_in import UserSignIn
from msgraph_beta.generated.models.auth_context import AuthContext
from msgraph_beta.generated.models.sign_in_conditions import SignInConditions
from msgraph_beta.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.risk_level import RiskLevel
from msgraph_beta.generated.models.insider_risk_level import InsiderRiskLevel
from msgraph_beta.generated.models.authentication_flow import AuthenticationFlow
from msgraph_beta.generated.models.conditional_access_transfer_methods import ConditionalAccessTransferMethods
from msgraph_beta.generated.models.device_info import DeviceInfo
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = EvaluatePostRequestBody(
	sign_in_identity = UserSignIn(
		odata_type = "#microsoft.graph.userSignIn",
		user_id = "15dc174b-f34c-4588-ac45-61d6e05dce93",
	),
	sign_in_context = AuthContext(
		odata_type = "#microsoft.graph.authContext",
		authentication_context_value = "c37",
	),
	sign_in_conditions = SignInConditions(
		device_platform = ConditionalAccessDevicePlatform.Windows,
		client_app_type = ConditionalAccessClientApp.MobileAppsAndDesktopClients,
		sign_in_risk_level = RiskLevel.Medium,
		user_risk_level = RiskLevel.None,
		country = "US",
		ip_address = "40.77.182.32",
		insider_risk_level = InsiderRiskLevel.Moderate,
		authentication_flow = AuthenticationFlow(
			transfer_method = ConditionalAccessTransferMethods.AuthenticationTransfer,
		),
		device_info = DeviceInfo(
			profile_type = "Standard",
		),
	),
	applied_policies_only = True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.

Antwort

Das folgende Beispiel zeigt die Antwort.

Hinweis: Das hier gezeigte Antwortobjekt kann zur besseren Lesbarkeit gekürzt werden.

HTTP/1.1 200 OK
Content-Type: application/json


{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
    "value": [
        {
            "id": "e897c693-c0e6-4386-abc3-f46dee5940fb",
            "templateId": null,
            "displayName": "All users_auth context_No conditions_Auth strength MFA",
            "createdDateTime": "2023-07-10T17:27:37.9735926Z",
            "modifiedDateTime": "2025-03-27T20:03:41.92628Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "clientApplications": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [
                        "c1",
                        "c37"
                    ],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "All"
                    ],
                    "excludeUsers": [],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                }
            },
            "grantControls": {
                "operator": "OR",
                "builtInControls": [],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": {
                    "id": "00000000-0000-0000-0000-000000000002",
                    "createdDateTime": "2021-12-01T08:00:00Z",
                    "modifiedDateTime": "2021-12-01T08:00:00Z",
                    "displayName": "Multifactor authentication",
                    "description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
                    "policyType": "builtIn",
                    "requirementsSatisfied": "mfa",
                    "allowedCombinations": [
                        "windowsHelloForBusiness",
                        "fido2",
                        "x509CertificateMultiFactor",
                        "deviceBasedPush",
                        "temporaryAccessPassOneTime",
                        "temporaryAccessPassMultiUse",
                        "password,microsoftAuthenticatorPush",
                        "password,softwareOath",
                        "password,hardwareOath",
                        "password,x509CertificateSingleFactor",
                        "password,x509CertificateMultiFactor",
                        "password,sms",
                        "password,voice",
                        "federatedMultiFactor",
                        "microsoftAuthenticatorPush,federatedSingleFactor",
                        "softwareOath,federatedSingleFactor",
                        "hardwareOath,federatedSingleFactor",
                        "sms,federatedSingleFactor",
                        "voice,federatedSingleFactor"
                    ],
                    "combinationConfigurations": []
                }
            }
        }
    ]
}

Beispiel 3: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Benutzer gelten, der eine Benutzeraktion ausführt

Anforderung

Das folgende Beispiel zeigt eine Anfrage.

POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
    "signInIdentity": {
        "@odata.type": "#microsoft.graph.userSignIn",
        "userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
    },
    "signInContext": {
        "@odata.type": "#microsoft.graph.userActionContext",
        "userAction": "registerSecurityInformation"
    },
    "signInConditions": {
        "devicePlatform": "macOS",
        "clientAppType": "browser",
        "signInRiskLevel": "low",
        "userRiskLevel": "high",
        "servicePrincipalRiskLevel": "none",
        "country": "CA",
        "ipAddress": "40.77.182.32",
        "insiderRiskLevel": "minor",
        "authenticationFlow": {
            "transferMethod": "deviceCodeFlow"
        },
        "deviceInfo": {
            "trustType": "EntraID"
        }
    },
    "appliedPoliciesOnly": true
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Beta.Models;

var requestBody = new EvaluatePostRequestBody
{
	SignInIdentity = new UserSignIn
	{
		OdataType = "#microsoft.graph.userSignIn",
		UserId = "15dc174b-f34c-4588-ac45-61d6e05dce93",
	},
	SignInContext = new UserActionContext
	{
		OdataType = "#microsoft.graph.userActionContext",
		UserAction = UserAction.RegisterSecurityInformation,
	},
	SignInConditions = new SignInConditions
	{
		DevicePlatform = ConditionalAccessDevicePlatform.MacOS,
		ClientAppType = ConditionalAccessClientApp.Browser,
		SignInRiskLevel = RiskLevel.Low,
		UserRiskLevel = RiskLevel.High,
		ServicePrincipalRiskLevel = RiskLevel.None,
		Country = "CA",
		IpAddress = "40.77.182.32",
		InsiderRiskLevel = InsiderRiskLevel.Minor,
		AuthenticationFlow = new AuthenticationFlow
		{
			TransferMethod = ConditionalAccessTransferMethods.DeviceCodeFlow,
		},
		DeviceInfo = new DeviceInfo
		{
			TrustType = "EntraID",
		},
	},
	AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphidentity "github.com/microsoftgraph/msgraph-beta-sdk-go/identity"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphidentity.NewEvaluatePostRequestBody()
signInIdentity := graphmodels.NewUserSignIn()
userId := "15dc174b-f34c-4588-ac45-61d6e05dce93"
signInIdentity.SetUserId(&userId) 
requestBody.SetSignInIdentity(signInIdentity)
signInContext := graphmodels.NewUserActionContext()
userAction := graphmodels.REGISTERSECURITYINFORMATION_USERACTION 
signInContext.SetUserAction(&userAction) 
requestBody.SetSignInContext(signInContext)
signInConditions := graphmodels.NewSignInConditions()
devicePlatform := graphmodels.MACOS_CONDITIONALACCESSDEVICEPLATFORM 
signInConditions.SetDevicePlatform(&devicePlatform) 
clientAppType := graphmodels.BROWSER_CONDITIONALACCESSCLIENTAPP 
signInConditions.SetClientAppType(&clientAppType) 
signInRiskLevel := graphmodels.LOW_RISKLEVEL 
signInConditions.SetSignInRiskLevel(&signInRiskLevel) 
userRiskLevel := graphmodels.HIGH_RISKLEVEL 
signInConditions.SetUserRiskLevel(&userRiskLevel) 
servicePrincipalRiskLevel := graphmodels.NONE_RISKLEVEL 
signInConditions.SetServicePrincipalRiskLevel(&servicePrincipalRiskLevel) 
country := "CA"
signInConditions.SetCountry(&country) 
ipAddress := "40.77.182.32"
signInConditions.SetIpAddress(&ipAddress) 
insiderRiskLevel := graphmodels.MINOR_INSIDERRISKLEVEL 
signInConditions.SetInsiderRiskLevel(&insiderRiskLevel) 
authenticationFlow := graphmodels.NewAuthenticationFlow()
transferMethod := graphmodels.DEVICECODEFLOW_CONDITIONALACCESSTRANSFERMETHODS 
authenticationFlow.SetTransferMethod(&transferMethod) 
signInConditions.SetAuthenticationFlow(authenticationFlow)
deviceInfo := graphmodels.NewDeviceInfo()
trustType := "EntraID"
deviceInfo.SetTrustType(&trustType) 
signInConditions.SetDeviceInfo(deviceInfo)
requestBody.SetSignInConditions(signInConditions)
appliedPoliciesOnly := true
requestBody.SetAppliedPoliciesOnly(&appliedPoliciesOnly) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody evaluatePostRequestBody = new com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
UserSignIn signInIdentity = new UserSignIn();
signInIdentity.setOdataType("#microsoft.graph.userSignIn");
signInIdentity.setUserId("15dc174b-f34c-4588-ac45-61d6e05dce93");
evaluatePostRequestBody.setSignInIdentity(signInIdentity);
UserActionContext signInContext = new UserActionContext();
signInContext.setOdataType("#microsoft.graph.userActionContext");
signInContext.setUserAction(UserAction.RegisterSecurityInformation);
evaluatePostRequestBody.setSignInContext(signInContext);
SignInConditions signInConditions = new SignInConditions();
signInConditions.setDevicePlatform(ConditionalAccessDevicePlatform.MacOS);
signInConditions.setClientAppType(ConditionalAccessClientApp.Browser);
signInConditions.setSignInRiskLevel(RiskLevel.Low);
signInConditions.setUserRiskLevel(RiskLevel.High);
signInConditions.setServicePrincipalRiskLevel(RiskLevel.None);
signInConditions.setCountry("CA");
signInConditions.setIpAddress("40.77.182.32");
signInConditions.setInsiderRiskLevel(InsiderRiskLevel.Minor);
AuthenticationFlow authenticationFlow = new AuthenticationFlow();
authenticationFlow.setTransferMethod(EnumSet.of(ConditionalAccessTransferMethods.DeviceCodeFlow));
signInConditions.setAuthenticationFlow(authenticationFlow);
DeviceInfo deviceInfo = new DeviceInfo();
deviceInfo.setTrustType("EntraID");
signInConditions.setDeviceInfo(deviceInfo);
evaluatePostRequestBody.setSignInConditions(signInConditions);
evaluatePostRequestBody.setAppliedPoliciesOnly(true);
var result = graphClient.identity().conditionalAccess().evaluate().post(evaluatePostRequestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const whatIfAnalysisResult = {
    signInIdentity: {
        '@odata.type': '#microsoft.graph.userSignIn',
        userId: '15dc174b-f34c-4588-ac45-61d6e05dce93'
    },
    signInContext: {
        '@odata.type': '#microsoft.graph.userActionContext',
        userAction: 'registerSecurityInformation'
    },
    signInConditions: {
        devicePlatform: 'macOS',
        clientAppType: 'browser',
        signInRiskLevel: 'low',
        userRiskLevel: 'high',
        servicePrincipalRiskLevel: 'none',
        country: 'CA',
        ipAddress: '40.77.182.32',
        insiderRiskLevel: 'minor',
        authenticationFlow: {
            transferMethod: 'deviceCodeFlow'
        },
        deviceInfo: {
            trustType: 'EntraID'
        }
    },
    appliedPoliciesOnly: true
};

await client.api('/identity/conditionalAccess/evaluate')
	.version('beta')
	.post(whatIfAnalysisResult);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Beta\Generated\Models\UserSignIn;
use Microsoft\Graph\Beta\Generated\Models\UserActionContext;
use Microsoft\Graph\Beta\Generated\Models\UserAction;
use Microsoft\Graph\Beta\Generated\Models\SignInConditions;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\RiskLevel;
use Microsoft\Graph\Beta\Generated\Models\InsiderRiskLevel;
use Microsoft\Graph\Beta\Generated\Models\AuthenticationFlow;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessTransferMethods;
use Microsoft\Graph\Beta\Generated\Models\DeviceInfo;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new EvaluatePostRequestBody();
$signInIdentity = new UserSignIn();
$signInIdentity->setOdataType('#microsoft.graph.userSignIn');
$signInIdentity->setUserId('15dc174b-f34c-4588-ac45-61d6e05dce93');
$requestBody->setSignInIdentity($signInIdentity);
$signInContext = new UserActionContext();
$signInContext->setOdataType('#microsoft.graph.userActionContext');
$signInContext->setUserAction(new UserAction('registerSecurityInformation'));
$requestBody->setSignInContext($signInContext);
$signInConditions = new SignInConditions();
$signInConditions->setDevicePlatform(new ConditionalAccessDevicePlatform('macOS'));
$signInConditions->setClientAppType(new ConditionalAccessClientApp('browser'));
$signInConditions->setSignInRiskLevel(new RiskLevel('low'));
$signInConditions->setUserRiskLevel(new RiskLevel('high'));
$signInConditions->setServicePrincipalRiskLevel(new RiskLevel('none'));
$signInConditions->setCountry('CA');
$signInConditions->setIpAddress('40.77.182.32');
$signInConditions->setInsiderRiskLevel(new InsiderRiskLevel('minor'));
$signInConditionsAuthenticationFlow = new AuthenticationFlow();
$signInConditionsAuthenticationFlow->setTransferMethod(new ConditionalAccessTransferMethods('deviceCodeFlow'));
$signInConditions->setAuthenticationFlow($signInConditionsAuthenticationFlow);
$signInConditionsDeviceInfo = new DeviceInfo();
$signInConditionsDeviceInfo->setTrustType('EntraID');
$signInConditions->setDeviceInfo($signInConditionsDeviceInfo);
$requestBody->setSignInConditions($signInConditions);
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph_beta.generated.models.user_sign_in import UserSignIn
from msgraph_beta.generated.models.user_action_context import UserActionContext
from msgraph_beta.generated.models.user_action import UserAction
from msgraph_beta.generated.models.sign_in_conditions import SignInConditions
from msgraph_beta.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.risk_level import RiskLevel
from msgraph_beta.generated.models.insider_risk_level import InsiderRiskLevel
from msgraph_beta.generated.models.authentication_flow import AuthenticationFlow
from msgraph_beta.generated.models.conditional_access_transfer_methods import ConditionalAccessTransferMethods
from msgraph_beta.generated.models.device_info import DeviceInfo
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = EvaluatePostRequestBody(
	sign_in_identity = UserSignIn(
		odata_type = "#microsoft.graph.userSignIn",
		user_id = "15dc174b-f34c-4588-ac45-61d6e05dce93",
	),
	sign_in_context = UserActionContext(
		odata_type = "#microsoft.graph.userActionContext",
		user_action = UserAction.RegisterSecurityInformation,
	),
	sign_in_conditions = SignInConditions(
		device_platform = ConditionalAccessDevicePlatform.MacOS,
		client_app_type = ConditionalAccessClientApp.Browser,
		sign_in_risk_level = RiskLevel.Low,
		user_risk_level = RiskLevel.High,
		service_principal_risk_level = RiskLevel.None,
		country = "CA",
		ip_address = "40.77.182.32",
		insider_risk_level = InsiderRiskLevel.Minor,
		authentication_flow = AuthenticationFlow(
			transfer_method = ConditionalAccessTransferMethods.DeviceCodeFlow,
		),
		device_info = DeviceInfo(
			trust_type = "EntraID",
		),
	),
	applied_policies_only = True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.

Antwort

Das folgende Beispiel zeigt die Antwort.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
    "value": [
        {
            "id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
            "templateId": null,
            "displayName": "All Users except au1_All resources_user risk H_Password change",
            "createdDateTime": "2022-03-31T22:59:59.6688974Z",
            "modifiedDateTime": "2025-03-27T19:55:43.5390544Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [
                    "high"
                ],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "clientApplications": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [
                        "All"
                    ],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "All"
                    ],
                    "excludeUsers": [
                        "f7ca74b0-8562-4083-b66c-0476f942cfd0"
                    ],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                }
            },
            "grantControls": {
                "operator": "AND",
                "builtInControls": [
                    "mfa",
                    "passwordChange"
                ],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": null
            }
        },
        {
            "id": "4aa7d105-d92b-4c07-9834-0e810ddb89ac",
            "templateId": null,
            "displayName": "All admin roles except au1_All resources_No conditions_MFA",
            "createdDateTime": "2022-03-29T20:39:24.3899939Z",
            "modifiedDateTime": "2025-03-27T21:40:19.6686701Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "clientApplications": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [
                        "All"
                    ],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [],
                    "excludeUsers": [
                        "f7ca74b0-8562-4083-b66c-0476f942cfd0"
                    ],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [
                        "62e90394-69f5-4237-9190-012177145e10",
                        "194ae4cb-b126-40b2-bd5b-6091b380977d",
                        "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
                        "29232cdf-9323-42fd-ade2-1d097af3e4de",
                        "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
                        "729827e3-9c14-49f7-bb1b-9608f156bbb8",
                        "b0f54661-2d74-4c50-afa3-1ec803f12efe",
                        "fe930be7-5e62-47db-91af-98c3a49a38b1",
                        "c4e39bd9-1100-46d3-8c65-fb160da0071f",
                        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
                        "158c047a-c907-4556-b7ef-446551a6b5f7",
                        "966707d0-3269-4727-9be2-8c3a10f19b9d",
                        "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
                        "e8611ab8-c189-46e8-94e1-60213ab1f814"
                    ],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                }
            },
            "grantControls": {
                "operator": "OR",
                "builtInControls": [
                    "mfa"
                ],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": null
            }
        },
        {
            "id": "11083471-5a50-43ad-90c0-23f1af0869e1",
            "templateId": null,
            "displayName": "All users except au1_User action RS info_No conditions_Auth strenfth MFA",
            "createdDateTime": "2024-10-16T15:06:45.0788027Z",
            "modifiedDateTime": "2025-03-27T20:08:22.6064571Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "clientApplications": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [],
                    "excludeApplications": [],
                    "includeUserActions": [
                        "urn:user:registersecurityinfo"
                    ],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "All"
                    ],
                    "excludeUsers": [
                        "f7ca74b0-8562-4083-b66c-0476f942cfd0"
                    ],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                }
            },
            "grantControls": {
                "operator": "OR",
                "builtInControls": [],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": {
                    "id": "00000000-0000-0000-0000-000000000002",
                    "createdDateTime": "2021-12-01T08:00:00Z",
                    "modifiedDateTime": "2021-12-01T08:00:00Z",
                    "displayName": "Multifactor authentication",
                    "description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
                    "policyType": "builtIn",
                    "requirementsSatisfied": "mfa",
                    "allowedCombinations": [
                        "windowsHelloForBusiness",
                        "fido2",
                        "x509CertificateMultiFactor",
                        "deviceBasedPush",
                        "temporaryAccessPassOneTime",
                        "temporaryAccessPassMultiUse",
                        "password,microsoftAuthenticatorPush",
                        "password,softwareOath",
                        "password,hardwareOath",
                        "password,x509CertificateSingleFactor",
                        "password,x509CertificateMultiFactor",
                        "password,sms",
                        "password,voice",
                        "federatedMultiFactor",
                        "microsoftAuthenticatorPush,federatedSingleFactor",
                        "softwareOath,federatedSingleFactor",
                        "hardwareOath,federatedSingleFactor",
                        "sms,federatedSingleFactor",
                        "voice,federatedSingleFactor"
                    ],
                    "combinationConfigurations": []
                }
            }
        }
    ]
}

Beispiel 4: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Dienstprinzipal gelten

Anforderung

Das folgende Beispiel zeigt eine Anfrage.

POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
    "signInIdentity": {
        "@odata.type": "#microsoft.graph.servicePrincipalSignIn",
        "servicePrincipalId": "c65b94a5-0049-439a-a6fd-bce307077730"
    },
    "signInContext": {
        "@odata.type": "#microsoft.graph.applicationContext",
        "includeApplications": [
            "00000003-0000-0ff1-ce00-000000000000"
        ]
    },
    "signInConditions": {
        "servicePrincipalRiskLevel": "high",
        "country": "CA",
        "ipAddress": "40.77.182.32"
    },
    "appliedPoliciesOnly": true
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Beta.Models;

var requestBody = new EvaluatePostRequestBody
{
	SignInIdentity = new ServicePrincipalSignIn
	{
		OdataType = "#microsoft.graph.servicePrincipalSignIn",
		ServicePrincipalId = "c65b94a5-0049-439a-a6fd-bce307077730",
	},
	SignInContext = new ApplicationContext
	{
		OdataType = "#microsoft.graph.applicationContext",
		IncludeApplications = new List<string>
		{
			"00000003-0000-0ff1-ce00-000000000000",
		},
	},
	SignInConditions = new SignInConditions
	{
		ServicePrincipalRiskLevel = RiskLevel.High,
		Country = "CA",
		IpAddress = "40.77.182.32",
	},
	AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.



// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphidentity "github.com/microsoftgraph/msgraph-beta-sdk-go/identity"
	  graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
	  //other-imports
)

requestBody := graphidentity.NewEvaluatePostRequestBody()
signInIdentity := graphmodels.NewServicePrincipalSignIn()
servicePrincipalId := "c65b94a5-0049-439a-a6fd-bce307077730"
signInIdentity.SetServicePrincipalId(&servicePrincipalId) 
requestBody.SetSignInIdentity(signInIdentity)
signInContext := graphmodels.NewApplicationContext()
includeApplications := []string {
	"00000003-0000-0ff1-ce00-000000000000",
}
signInContext.SetIncludeApplications(includeApplications)
requestBody.SetSignInContext(signInContext)
signInConditions := graphmodels.NewSignInConditions()
servicePrincipalRiskLevel := graphmodels.HIGH_RISKLEVEL 
signInConditions.SetServicePrincipalRiskLevel(&servicePrincipalRiskLevel) 
country := "CA"
signInConditions.SetCountry(&country) 
ipAddress := "40.77.182.32"
signInConditions.SetIpAddress(&ipAddress) 
requestBody.SetSignInConditions(signInConditions)
appliedPoliciesOnly := true
requestBody.SetAppliedPoliciesOnly(&appliedPoliciesOnly) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody evaluatePostRequestBody = new com.microsoft.graph.beta.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
ServicePrincipalSignIn signInIdentity = new ServicePrincipalSignIn();
signInIdentity.setOdataType("#microsoft.graph.servicePrincipalSignIn");
signInIdentity.setServicePrincipalId("c65b94a5-0049-439a-a6fd-bce307077730");
evaluatePostRequestBody.setSignInIdentity(signInIdentity);
ApplicationContext signInContext = new ApplicationContext();
signInContext.setOdataType("#microsoft.graph.applicationContext");
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000003-0000-0ff1-ce00-000000000000");
signInContext.setIncludeApplications(includeApplications);
evaluatePostRequestBody.setSignInContext(signInContext);
SignInConditions signInConditions = new SignInConditions();
signInConditions.setServicePrincipalRiskLevel(RiskLevel.High);
signInConditions.setCountry("CA");
signInConditions.setIpAddress("40.77.182.32");
evaluatePostRequestBody.setSignInConditions(signInConditions);
evaluatePostRequestBody.setAppliedPoliciesOnly(true);
var result = graphClient.identity().conditionalAccess().evaluate().post(evaluatePostRequestBody);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const whatIfAnalysisResult = {
    signInIdentity: {
        '@odata.type': '#microsoft.graph.servicePrincipalSignIn',
        servicePrincipalId: 'c65b94a5-0049-439a-a6fd-bce307077730'
    },
    signInContext: {
        '@odata.type': '#microsoft.graph.applicationContext',
        includeApplications: [
            '00000003-0000-0ff1-ce00-000000000000'
        ]
    },
    signInConditions: {
        servicePrincipalRiskLevel: 'high',
        country: 'CA',
        ipAddress: '40.77.182.32'
    },
    appliedPoliciesOnly: true
};

await client.api('/identity/conditionalAccess/evaluate')
	.version('beta')
	.post(whatIfAnalysisResult);

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Beta\Generated\Models\ServicePrincipalSignIn;
use Microsoft\Graph\Beta\Generated\Models\ApplicationContext;
use Microsoft\Graph\Beta\Generated\Models\SignInConditions;
use Microsoft\Graph\Beta\Generated\Models\RiskLevel;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new EvaluatePostRequestBody();
$signInIdentity = new ServicePrincipalSignIn();
$signInIdentity->setOdataType('#microsoft.graph.servicePrincipalSignIn');
$signInIdentity->setServicePrincipalId('c65b94a5-0049-439a-a6fd-bce307077730');
$requestBody->setSignInIdentity($signInIdentity);
$signInContext = new ApplicationContext();
$signInContext->setOdataType('#microsoft.graph.applicationContext');
$signInContext->setIncludeApplications(['00000003-0000-0ff1-ce00-000000000000', 	]);
$requestBody->setSignInContext($signInContext);
$signInConditions = new SignInConditions();
$signInConditions->setServicePrincipalRiskLevel(new RiskLevel('high'));
$signInConditions->setCountry('CA');
$signInConditions->setIpAddress('40.77.182.32');
$requestBody->setSignInConditions($signInConditions);
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph_beta.generated.models.service_principal_sign_in import ServicePrincipalSignIn
from msgraph_beta.generated.models.application_context import ApplicationContext
from msgraph_beta.generated.models.sign_in_conditions import SignInConditions
from msgraph_beta.generated.models.risk_level import RiskLevel
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = EvaluatePostRequestBody(
	sign_in_identity = ServicePrincipalSignIn(
		odata_type = "#microsoft.graph.servicePrincipalSignIn",
		service_principal_id = "c65b94a5-0049-439a-a6fd-bce307077730",
	),
	sign_in_context = ApplicationContext(
		odata_type = "#microsoft.graph.applicationContext",
		include_applications = [
			"00000003-0000-0ff1-ce00-000000000000",
		],
	),
	sign_in_conditions = SignInConditions(
		service_principal_risk_level = RiskLevel.High,
		country = "CA",
		ip_address = "40.77.182.32",
	),
	applied_policies_only = True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)

Wichtig

Einzelheiten darüber, wie Sie das SDK zu Ihrem Projekt hinzufügen und eine authProvider-Instanz erstellen, finden Sie in der SDK-Dokumentation.

Antwort

Das folgende Beispiel zeigt die Antwort.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
    "value": [
        {
            "id": "461478d2-5896-4761-84ba-4d241c396a29",
            "templateId": null,
            "displayName": "All ST SPs_All resources_Any location_Block",
            "createdDateTime": "2022-04-08T19:31:15.6087842Z",
            "modifiedDateTime": "2025-03-27T20:08:54.0912734Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [
                        "All"
                    ],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "None"
                    ],
                    "excludeUsers": [],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                },
                "locations": {
                    "includeLocations": [
                        "All"
                    ],
                    "excludeLocations": []
                },
                "clientApplications": {
                    "includeServicePrincipals": [
                        "ServicePrincipalsInMyTenant"
                    ],
                    "excludeServicePrincipals": [],
                    "servicePrincipalFilter": null
                }
            },
            "grantControls": {
                "operator": "OR",
                "builtInControls": [
                    "block"
                ],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": null
            }
        },
        {
            "id": "4f1d2ff3-50db-4299-bbdd-0a114c98e97e",
            "templateId": null,
            "displayName": "All ST SPs_All resources_No conditions_Block",
            "createdDateTime": "2025-02-21T07:04:44.777856Z",
            "modifiedDateTime": "2025-03-28T06:15:41.2376665Z",
            "state": "enabledForReportingButNotEnforced",
            "policyApplies": true,
            "analysisReasons": "notSet",
            "partialEnablementStrategy": null,
            "sessionControls": null,
            "conditions": {
                "userRiskLevels": [],
                "signInRiskLevels": [],
                "clientAppTypes": [
                    "all"
                ],
                "servicePrincipalRiskLevels": [],
                "insiderRiskLevels": null,
                "clients": null,
                "platforms": null,
                "locations": null,
                "times": null,
                "deviceStates": null,
                "devices": null,
                "authenticationFlows": null,
                "applications": {
                    "includeApplications": [
                        "All"
                    ],
                    "excludeApplications": [],
                    "includeUserActions": [],
                    "includeAuthenticationContextClassReferences": [],
                    "applicationFilter": null,
                    "networkAccess": null,
                    "globalSecureAccess": null
                },
                "users": {
                    "includeUsers": [
                        "None"
                    ],
                    "excludeUsers": [],
                    "includeGroups": [],
                    "excludeGroups": [],
                    "includeRoles": [],
                    "excludeRoles": [],
                    "includeGuestsOrExternalUsers": null,
                    "excludeGuestsOrExternalUsers": null
                },
                "clientApplications": {
                    "includeServicePrincipals": [
                        "ServicePrincipalsInMyTenant"
                    ],
                    "excludeServicePrincipals": [],
                    "servicePrincipalFilter": null
                }
            },
            "grantControls": {
                "operator": "OR",
                "builtInControls": [
                    "block"
                ],
                "customAuthenticationFactors": [],
                "termsOfUse": [],
                "authenticationStrength": null
            }
        }
    ]
}

Feedback

War diese Seite hilfreich?

Last updated on 2025-09-10

Freigeben über

conditionalAccessRoot: evaluate

Berechtigungen

HTTP-Anforderung

Anforderungsheader

Anforderungstext

Antwort

Beispiele

Beispiel 1: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Benutzer gelten, der auf eine Anwendung zugreift

Anforderung

Antwort

Beispiel 2: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Benutzer gelten, der auf eine vertrauliche Datei zugreift, die durch einen Authentifizierungskontext geschützt wird

Anforderung

Antwort

Beispiel 3: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Benutzer gelten, der eine Benutzeraktion ausführt

Anforderung

Antwort

Beispiel 4: Identifizieren von Richtlinien für bedingten Zugriff, die für einen Dienstprinzipal gelten

Anforderung

Antwort

Feedback

Zusätzliche Ressourcen