Namespace: microsoft.graph
Importante
As APIs na versão /beta no Microsoft Graph estão sujeitas a alterações. Não há suporte para o uso dessas APIs em aplicativos de produção. Para determinar se uma API está disponível na v1.0, use o seletor Versão.
Crie uma nova conditionalAccessPolicy.
Esta API está disponível nas seguintes implementações de cloud nacionais.
| Serviço global |
US Government L4 |
US Government L5 (DOD) |
China operada pela 21Vianet |
| ✅ |
✅ |
✅ |
✅ |
Permissões
Escolha a permissão ou permissões marcadas como menos privilegiadas para esta API. Utilize uma permissão ou permissões com privilégios mais elevados apenas se a sua aplicação o exigir. Para obter detalhes sobre as permissões delegadas e de aplicação, veja Tipos de permissão. Para saber mais sobre estas permissões, veja a referência de permissões.
| Tipo de permissão |
Permissões com menos privilégios |
Permissões com privilégios superiores |
| Delegado (conta corporativa ou de estudante) |
Policy.Read.All e Policy.ReadWrite.ConditionalAccess |
Application.Read.All e Policy.ReadWrite.ConditionalAccess |
| Delegado (conta pessoal da Microsoft) |
Sem suporte. |
Sem suporte. |
| Application |
Policy.Read.All e Policy.ReadWrite.ConditionalAccess |
Application.Read.All e Policy.ReadWrite.ConditionalAccess |
Importante
Em cenários delegados com contas escolares ou profissionais em que o utilizador com sessão iniciada está a agir sobre outro utilizador, tem de lhes ser atribuída uma função de Microsoft Entra suportada ou uma função personalizada com uma permissão de função suportada. As seguintes funções com menos privilégios são suportadas para esta operação.
- Administrador de Segurança
- Administrador de Acesso Condicional
Solicitação HTTP
POST /identity/conditionalAccess/policies
| Nome |
Descrição |
| Autorização |
{token} de portador. Obrigatório. Saiba mais sobre autenticação e autorização. |
| Content-Type |
application/json. Obrigatório. |
Corpo da solicitação
No corpo do pedido, forneça uma representação JSON de um objeto conditionalAccessPolicy .
Uma política válida deve conter, pelo menos, uma regra de aplicação , por exemplo, 'includeApplications': 'none'uma regra de utilizador, por exemplo, e, pelo menos, 'includeUsers': 'none'um controlo desessão de concessão/.
Resposta
Se for bem-sucedido, este método devolve um 201 Created código de resposta e um novo objeto conditionalAccessPolicy no corpo da resposta.
Exemplos
Exemplo 1: Exigir que a MFA aceda a Exchange Online fora das localizações fidedignas
Solicitação
O exemplo seguinte mostra um pedido comum para exigir a autenticação multifator para acesso a Exchange Online a partir de clientes de autenticação modernos fora de localizações fidedignas para um grupo específico.
Nota: Tem de configurar as suas localizações fidedignas antes de utilizar esta operação.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Access to EXO requires MFA",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Access to EXO requires MFA",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp?>
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.Browser,
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"00000002-0000-0ff1-ce00-000000000000",
},
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<string>
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
},
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<string>
{
"All",
},
ExcludeLocations = new List<string>
{
"AllTrusted",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Mfa,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Access to EXO requires MFA"
requestBody.SetDisplayName(&displayName)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
clientAppTypes := []graphmodels.ConditionalAccessClientAppable {
conditionalAccessClientApp := graphmodels.MOBILEAPPSANDDESKTOPCLIENTS_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
conditionalAccessClientApp := graphmodels.BROWSER_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
}
conditions.SetClientAppTypes(clientAppTypes)
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"00000002-0000-0ff1-ce00-000000000000",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeGroups := []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
users.SetIncludeGroups(includeGroups)
conditions.SetUsers(users)
locations := graphmodels.NewConditionalAccessLocations()
includeLocations := []string {
"All",
}
locations.SetIncludeLocations(includeLocations)
excludeLocations := []string {
"AllTrusted",
}
locations.SetExcludeLocations(excludeLocations)
conditions.SetLocations(locations)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.MFA_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
requestBody.SetGrantControls(grantControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Access to EXO requires MFA");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypes = new LinkedList<ConditionalAccessClientApp>();
clientAppTypes.add(ConditionalAccessClientApp.MobileAppsAndDesktopClients);
clientAppTypes.add(ConditionalAccessClientApp.Browser);
conditions.setClientAppTypes(clientAppTypes);
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000002-0000-0ff1-ce00-000000000000");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroups = new LinkedList<String>();
includeGroups.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.setIncludeGroups(includeGroups);
conditions.setUsers(users);
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocations = new LinkedList<String>();
includeLocations.add("All");
locations.setIncludeLocations(includeLocations);
LinkedList<String> excludeLocations = new LinkedList<String>();
excludeLocations.add("AllTrusted");
locations.setExcludeLocations(excludeLocations);
conditions.setLocations(locations);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Mfa);
grantControls.setBuiltInControls(builtInControls);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Access to EXO requires MFA',
state: 'enabled',
conditions: {
clientAppTypes: [
'mobileAppsAndDesktopClients',
'browser'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'All'
],
excludeLocations: [
'AllTrusted'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessLocations;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Access to EXO requires MFA');
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$conditions = new ConditionalAccessConditionSet();
$conditions->setClientAppTypes([new ConditionalAccessClientApp('mobileAppsAndDesktopClients'),new ConditionalAccessClientApp('browser'), ]);
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['00000002-0000-0ff1-ce00-000000000000', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeGroups(['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba', ]);
$conditions->setUsers($conditionsUsers);
$conditionsLocations = new ConditionalAccessLocations();
$conditionsLocations->setIncludeLocations(['All', ]);
$conditionsLocations->setExcludeLocations(['AllTrusted', ]);
$conditions->setLocations($conditionsLocations);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('mfa'), ]);
$requestBody->setGrantControls($grantControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_locations import ConditionalAccessLocations
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Access to EXO requires MFA",
state = ConditionalAccessPolicyState.Enabled,
conditions = ConditionalAccessConditionSet(
client_app_types = [
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.Browser,
],
applications = ConditionalAccessApplications(
include_applications = [
"00000002-0000-0ff1-ce00-000000000000",
],
),
users = ConditionalAccessUsers(
include_groups = [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
],
),
locations = ConditionalAccessLocations(
include_locations = [
"All",
],
exclude_locations = [
"AllTrusted",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Mfa,
],
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
"displayName": "Access to EXO requires MFA",
"createdDateTime": "2019-10-14T19:52:00.050958Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Exemplo 2: Bloquear o acesso a Exchange Online a partir de regiões não confiáveis
Solicitação
O exemplo seguinte mostra um pedido para bloquear o acesso a Exchange Online de regiões não fidedignas/desconhecidas.
Este exemplo pressupõe que a localização nomeada com o ID = 198ad66e-87b3-4157-85a3-8a7b51794ee9 corresponde a uma lista de regiões não fidedignas/desconhecidas.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to EXO non-trusted regions.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Block access to EXO non-trusted regions.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp?>
{
ConditionalAccessClientApp.All,
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"00000002-0000-0ff1-ce00-000000000000",
},
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<string>
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
},
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<string>
{
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Block,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Block access to EXO non-trusted regions."
requestBody.SetDisplayName(&displayName)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
clientAppTypes := []graphmodels.ConditionalAccessClientAppable {
conditionalAccessClientApp := graphmodels.ALL_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
}
conditions.SetClientAppTypes(clientAppTypes)
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"00000002-0000-0ff1-ce00-000000000000",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeGroups := []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
users.SetIncludeGroups(includeGroups)
conditions.SetUsers(users)
locations := graphmodels.NewConditionalAccessLocations()
includeLocations := []string {
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
}
locations.SetIncludeLocations(includeLocations)
conditions.SetLocations(locations)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.BLOCK_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
requestBody.SetGrantControls(grantControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Block access to EXO non-trusted regions.");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypes = new LinkedList<ConditionalAccessClientApp>();
clientAppTypes.add(ConditionalAccessClientApp.All);
conditions.setClientAppTypes(clientAppTypes);
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000002-0000-0ff1-ce00-000000000000");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroups = new LinkedList<String>();
includeGroups.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.setIncludeGroups(includeGroups);
conditions.setUsers(users);
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocations = new LinkedList<String>();
includeLocations.add("198ad66e-87b3-4157-85a3-8a7b51794ee9");
locations.setIncludeLocations(includeLocations);
conditions.setLocations(locations);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Block);
grantControls.setBuiltInControls(builtInControls);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Block access to EXO non-trusted regions.',
state: 'enabled',
conditions: {
clientAppTypes: [
'all'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'198ad66e-87b3-4157-85a3-8a7b51794ee9'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'block'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessLocations;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Block access to EXO non-trusted regions.');
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$conditions = new ConditionalAccessConditionSet();
$conditions->setClientAppTypes([new ConditionalAccessClientApp('all'), ]);
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['00000002-0000-0ff1-ce00-000000000000', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeGroups(['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba', ]);
$conditions->setUsers($conditionsUsers);
$conditionsLocations = new ConditionalAccessLocations();
$conditionsLocations->setIncludeLocations(['198ad66e-87b3-4157-85a3-8a7b51794ee9', ]);
$conditions->setLocations($conditionsLocations);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('block'), ]);
$requestBody->setGrantControls($grantControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_locations import ConditionalAccessLocations
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Block access to EXO non-trusted regions.",
state = ConditionalAccessPolicyState.Enabled,
conditions = ConditionalAccessConditionSet(
client_app_types = [
ConditionalAccessClientApp.All,
],
applications = ConditionalAccessApplications(
include_applications = [
"00000002-0000-0ff1-ce00-000000000000",
],
),
users = ConditionalAccessUsers(
include_groups = [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
],
),
locations = ConditionalAccessLocations(
include_locations = [
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Block,
],
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
"displayName": "Block access to EXO non-trusted regions.",
"createdDateTime": "2019-10-14T19:53:11.3705634Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
],
"excludeLocations": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Exemplo 3: Utilizar todas as condições/controlos
Solicitação
O exemplo seguinte mostra um pedido para utilizar todas as condições/controlos.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Demo app for documentation",
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Demo app for documentation",
State = ConditionalAccessPolicyState.Disabled,
Conditions = new ConditionalAccessConditionSet
{
SignInRiskLevels = new List<RiskLevel?>
{
RiskLevel.High,
RiskLevel.Medium,
},
ClientAppTypes = new List<ConditionalAccessClientApp?>
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.ExchangeActiveSync,
ConditionalAccessClientApp.Other,
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"All",
},
ExcludeApplications = new List<string>
{
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
},
IncludeUserActions = new List<string>
{
},
},
Users = new ConditionalAccessUsers
{
IncludeUsers = new List<string>
{
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
},
ExcludeUsers = new List<string>
{
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
},
IncludeGroups = new List<string>
{
},
ExcludeGroups = new List<string>
{
},
IncludeRoles = new List<string>
{
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
},
ExcludeRoles = new List<string>
{
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
},
},
Platforms = new ConditionalAccessPlatforms
{
IncludePlatforms = new List<ConditionalAccessDevicePlatform?>
{
ConditionalAccessDevicePlatform.All,
},
ExcludePlatforms = new List<ConditionalAccessDevicePlatform?>
{
ConditionalAccessDevicePlatform.IOS,
ConditionalAccessDevicePlatform.WindowsPhone,
},
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<string>
{
"AllTrusted",
},
ExcludeLocations = new List<string>
{
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
},
},
DeviceStates = new ConditionalAccessDeviceStates
{
IncludeStates = new List<string>
{
"All",
},
ExcludeStates = new List<string>
{
"Compliant",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Mfa,
ConditionalAccessGrantControl.CompliantDevice,
ConditionalAccessGrantControl.DomainJoinedDevice,
ConditionalAccessGrantControl.ApprovedApplication,
ConditionalAccessGrantControl.CompliantApplication,
},
CustomAuthenticationFactors = new List<string>
{
},
TermsOfUse = new List<string>
{
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
},
},
SessionControls = new ConditionalAccessSessionControls
{
ApplicationEnforcedRestrictions = null,
PersistentBrowser = null,
CloudAppSecurity = new CloudAppSecuritySessionControl
{
CloudAppSecurityType = CloudAppSecuritySessionControlType.BlockDownloads,
IsEnabled = true,
},
SignInFrequency = new SignInFrequencySessionControl
{
Value = 4,
Type = SigninFrequencyType.Hours,
IsEnabled = true,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Demo app for documentation"
requestBody.SetDisplayName(&displayName)
state := graphmodels.DISABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
signInRiskLevels := []graphmodels.RiskLevelable {
riskLevel := graphmodels.HIGH_RISKLEVEL
conditions.SetRiskLevel(&riskLevel)
riskLevel := graphmodels.MEDIUM_RISKLEVEL
conditions.SetRiskLevel(&riskLevel)
}
conditions.SetSignInRiskLevels(signInRiskLevels)
clientAppTypes := []graphmodels.ConditionalAccessClientAppable {
conditionalAccessClientApp := graphmodels.MOBILEAPPSANDDESKTOPCLIENTS_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
conditionalAccessClientApp := graphmodels.EXCHANGEACTIVESYNC_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
conditionalAccessClientApp := graphmodels.OTHER_CONDITIONALACCESSCLIENTAPP
conditions.SetConditionalAccessClientApp(&conditionalAccessClientApp)
}
conditions.SetClientAppTypes(clientAppTypes)
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"All",
}
applications.SetIncludeApplications(includeApplications)
excludeApplications := []string {
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
}
applications.SetExcludeApplications(excludeApplications)
includeUserActions := []string {
}
applications.SetIncludeUserActions(includeUserActions)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeUsers := []string {
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
}
users.SetIncludeUsers(includeUsers)
excludeUsers := []string {
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
}
users.SetExcludeUsers(excludeUsers)
includeGroups := []string {
}
users.SetIncludeGroups(includeGroups)
excludeGroups := []string {
}
users.SetExcludeGroups(excludeGroups)
includeRoles := []string {
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
}
users.SetIncludeRoles(includeRoles)
excludeRoles := []string {
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
}
users.SetExcludeRoles(excludeRoles)
conditions.SetUsers(users)
platforms := graphmodels.NewConditionalAccessPlatforms()
includePlatforms := []graphmodels.ConditionalAccessDevicePlatformable {
conditionalAccessDevicePlatform := graphmodels.ALL_CONDITIONALACCESSDEVICEPLATFORM
platforms.SetConditionalAccessDevicePlatform(&conditionalAccessDevicePlatform)
}
platforms.SetIncludePlatforms(includePlatforms)
excludePlatforms := []graphmodels.ConditionalAccessDevicePlatformable {
conditionalAccessDevicePlatform := graphmodels.IOS_CONDITIONALACCESSDEVICEPLATFORM
platforms.SetConditionalAccessDevicePlatform(&conditionalAccessDevicePlatform)
conditionalAccessDevicePlatform := graphmodels.WINDOWSPHONE_CONDITIONALACCESSDEVICEPLATFORM
platforms.SetConditionalAccessDevicePlatform(&conditionalAccessDevicePlatform)
}
platforms.SetExcludePlatforms(excludePlatforms)
conditions.SetPlatforms(platforms)
locations := graphmodels.NewConditionalAccessLocations()
includeLocations := []string {
"AllTrusted",
}
locations.SetIncludeLocations(includeLocations)
excludeLocations := []string {
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
}
locations.SetExcludeLocations(excludeLocations)
conditions.SetLocations(locations)
deviceStates := graphmodels.NewConditionalAccessDeviceStates()
includeStates := []string {
"All",
}
deviceStates.SetIncludeStates(includeStates)
excludeStates := []string {
"Compliant",
}
deviceStates.SetExcludeStates(excludeStates)
conditions.SetDeviceStates(deviceStates)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.MFA_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.COMPLIANTDEVICE_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.DOMAINJOINEDDEVICE_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.APPROVEDAPPLICATION_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
conditionalAccessGrantControl := graphmodels.COMPLIANTAPPLICATION_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
customAuthenticationFactors := []string {
}
grantControls.SetCustomAuthenticationFactors(customAuthenticationFactors)
termsOfUse := []string {
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
}
grantControls.SetTermsOfUse(termsOfUse)
requestBody.SetGrantControls(grantControls)
sessionControls := graphmodels.NewConditionalAccessSessionControls()
applicationEnforcedRestrictions := null
sessionControls.SetApplicationEnforcedRestrictions(&applicationEnforcedRestrictions)
persistentBrowser := null
sessionControls.SetPersistentBrowser(&persistentBrowser)
cloudAppSecurity := graphmodels.NewCloudAppSecuritySessionControl()
cloudAppSecurityType := graphmodels.BLOCKDOWNLOADS_CLOUDAPPSECURITYSESSIONCONTROLTYPE
cloudAppSecurity.SetCloudAppSecurityType(&cloudAppSecurityType)
isEnabled := true
cloudAppSecurity.SetIsEnabled(&isEnabled)
sessionControls.SetCloudAppSecurity(cloudAppSecurity)
signInFrequency := graphmodels.NewSignInFrequencySessionControl()
value := int32(4)
signInFrequency.SetValue(&value)
type := graphmodels.HOURS_SIGNINFREQUENCYTYPE
signInFrequency.SetType(&type)
isEnabled := true
signInFrequency.SetIsEnabled(&isEnabled)
sessionControls.SetSignInFrequency(signInFrequency)
requestBody.SetSessionControls(sessionControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Demo app for documentation");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Disabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<RiskLevel> signInRiskLevels = new LinkedList<RiskLevel>();
signInRiskLevels.add(RiskLevel.High);
signInRiskLevels.add(RiskLevel.Medium);
conditions.setSignInRiskLevels(signInRiskLevels);
LinkedList<ConditionalAccessClientApp> clientAppTypes = new LinkedList<ConditionalAccessClientApp>();
clientAppTypes.add(ConditionalAccessClientApp.MobileAppsAndDesktopClients);
clientAppTypes.add(ConditionalAccessClientApp.ExchangeActiveSync);
clientAppTypes.add(ConditionalAccessClientApp.Other);
conditions.setClientAppTypes(clientAppTypes);
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("All");
applications.setIncludeApplications(includeApplications);
LinkedList<String> excludeApplications = new LinkedList<String>();
excludeApplications.add("499b84ac-1321-427f-aa17-267ca6975798");
excludeApplications.add("00000007-0000-0000-c000-000000000000");
excludeApplications.add("de8bc8b5-d9f9-48b1-a8ad-b748da725064");
excludeApplications.add("00000012-0000-0000-c000-000000000000");
excludeApplications.add("797f4846-ba00-4fd7-ba43-dac1f8f63013");
excludeApplications.add("05a65629-4c1b-48c1-a78b-804c4abdd4af");
excludeApplications.add("7df0a125-d3be-4c96-aa54-591f83ff541c");
applications.setExcludeApplications(excludeApplications);
LinkedList<String> includeUserActions = new LinkedList<String>();
applications.setIncludeUserActions(includeUserActions);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeUsers = new LinkedList<String>();
includeUsers.add("a702a13d-a437-4a07-8a7e-8c052de62dfd");
users.setIncludeUsers(includeUsers);
LinkedList<String> excludeUsers = new LinkedList<String>();
excludeUsers.add("124c5b6a-ffa5-483a-9b88-04c3fce5574a");
excludeUsers.add("GuestsOrExternalUsers");
users.setExcludeUsers(excludeUsers);
LinkedList<String> includeGroups = new LinkedList<String>();
users.setIncludeGroups(includeGroups);
LinkedList<String> excludeGroups = new LinkedList<String>();
users.setExcludeGroups(excludeGroups);
LinkedList<String> includeRoles = new LinkedList<String>();
includeRoles.add("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3");
includeRoles.add("cf1c38e5-3621-4004-a7cb-879624dced7c");
includeRoles.add("c4e39bd9-1100-46d3-8c65-fb160da0071f");
users.setIncludeRoles(includeRoles);
LinkedList<String> excludeRoles = new LinkedList<String>();
excludeRoles.add("b0f54661-2d74-4c50-afa3-1ec803f12efe");
users.setExcludeRoles(excludeRoles);
conditions.setUsers(users);
ConditionalAccessPlatforms platforms = new ConditionalAccessPlatforms();
LinkedList<ConditionalAccessDevicePlatform> includePlatforms = new LinkedList<ConditionalAccessDevicePlatform>();
includePlatforms.add(ConditionalAccessDevicePlatform.All);
platforms.setIncludePlatforms(includePlatforms);
LinkedList<ConditionalAccessDevicePlatform> excludePlatforms = new LinkedList<ConditionalAccessDevicePlatform>();
excludePlatforms.add(ConditionalAccessDevicePlatform.IOS);
excludePlatforms.add(ConditionalAccessDevicePlatform.WindowsPhone);
platforms.setExcludePlatforms(excludePlatforms);
conditions.setPlatforms(platforms);
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocations = new LinkedList<String>();
includeLocations.add("AllTrusted");
locations.setIncludeLocations(includeLocations);
LinkedList<String> excludeLocations = new LinkedList<String>();
excludeLocations.add("00000000-0000-0000-0000-000000000000");
excludeLocations.add("d2136c9c-b049-47ae-b9cf-316e04ef7198");
locations.setExcludeLocations(excludeLocations);
conditions.setLocations(locations);
ConditionalAccessDeviceStates deviceStates = new ConditionalAccessDeviceStates();
LinkedList<String> includeStates = new LinkedList<String>();
includeStates.add("All");
deviceStates.setIncludeStates(includeStates);
LinkedList<String> excludeStates = new LinkedList<String>();
excludeStates.add("Compliant");
deviceStates.setExcludeStates(excludeStates);
conditions.setDeviceStates(deviceStates);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Mfa);
builtInControls.add(ConditionalAccessGrantControl.CompliantDevice);
builtInControls.add(ConditionalAccessGrantControl.DomainJoinedDevice);
builtInControls.add(ConditionalAccessGrantControl.ApprovedApplication);
builtInControls.add(ConditionalAccessGrantControl.CompliantApplication);
grantControls.setBuiltInControls(builtInControls);
LinkedList<String> customAuthenticationFactors = new LinkedList<String>();
grantControls.setCustomAuthenticationFactors(customAuthenticationFactors);
LinkedList<String> termsOfUse = new LinkedList<String>();
termsOfUse.add("ce580154-086a-40fd-91df-8a60abac81a0");
termsOfUse.add("7f29d675-caff-43e1-8a53-1b8516ed2075");
grantControls.setTermsOfUse(termsOfUse);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessSessionControls sessionControls = new ConditionalAccessSessionControls();
sessionControls.setApplicationEnforcedRestrictions(null);
sessionControls.setPersistentBrowser(null);
CloudAppSecuritySessionControl cloudAppSecurity = new CloudAppSecuritySessionControl();
cloudAppSecurity.setCloudAppSecurityType(CloudAppSecuritySessionControlType.BlockDownloads);
cloudAppSecurity.setIsEnabled(true);
sessionControls.setCloudAppSecurity(cloudAppSecurity);
SignInFrequencySessionControl signInFrequency = new SignInFrequencySessionControl();
signInFrequency.setValue(4);
signInFrequency.setType(SigninFrequencyType.Hours);
signInFrequency.setIsEnabled(true);
sessionControls.setSignInFrequency(signInFrequency);
conditionalAccessPolicy.setSessionControls(sessionControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Demo app for documentation',
state: 'disabled',
conditions: {
signInRiskLevels: [
'high',
'medium'
],
clientAppTypes: [
'mobileAppsAndDesktopClients',
'exchangeActiveSync',
'other'
],
applications: {
includeApplications: [
'All'
],
excludeApplications: [
'499b84ac-1321-427f-aa17-267ca6975798',
'00000007-0000-0000-c000-000000000000',
'de8bc8b5-d9f9-48b1-a8ad-b748da725064',
'00000012-0000-0000-c000-000000000000',
'797f4846-ba00-4fd7-ba43-dac1f8f63013',
'05a65629-4c1b-48c1-a78b-804c4abdd4af',
'7df0a125-d3be-4c96-aa54-591f83ff541c'
],
includeUserActions: []
},
users: {
includeUsers: [
'a702a13d-a437-4a07-8a7e-8c052de62dfd'
],
excludeUsers: [
'124c5b6a-ffa5-483a-9b88-04c3fce5574a',
'GuestsOrExternalUsers'
],
includeGroups: [],
excludeGroups: [],
includeRoles: [
'9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
'cf1c38e5-3621-4004-a7cb-879624dced7c',
'c4e39bd9-1100-46d3-8c65-fb160da0071f'
],
excludeRoles: [
'b0f54661-2d74-4c50-afa3-1ec803f12efe'
]
},
platforms: {
includePlatforms: [
'all'
],
excludePlatforms: [
'iOS',
'windowsPhone'
]
},
locations: {
includeLocations: [
'AllTrusted'
],
excludeLocations: [
'00000000-0000-0000-0000-000000000000',
'd2136c9c-b049-47ae-b9cf-316e04ef7198'
]
},
deviceStates: {
includeStates: [
'All'
],
excludeStates: [
'Compliant'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa',
'compliantDevice',
'domainJoinedDevice',
'approvedApplication',
'compliantApplication'
],
customAuthenticationFactors: [],
termsOfUse: [
'ce580154-086a-40fd-91df-8a60abac81a0',
'7f29d675-caff-43e1-8a53-1b8516ed2075'
]
},
sessionControls: {
applicationEnforcedRestrictions: null,
persistentBrowser: null,
cloudAppSecurity: {
cloudAppSecurityType: 'blockDownloads',
isEnabled: true
},
signInFrequency: {
value: 4,
type: 'hours',
isEnabled: true
}
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\RiskLevel;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPlatforms;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessLocations;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDeviceStates;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessSessionControls;
use Microsoft\Graph\Beta\Generated\Models\CloudAppSecuritySessionControl;
use Microsoft\Graph\Beta\Generated\Models\CloudAppSecuritySessionControlType;
use Microsoft\Graph\Beta\Generated\Models\SignInFrequencySessionControl;
use Microsoft\Graph\Beta\Generated\Models\SigninFrequencyType;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Demo app for documentation');
$requestBody->setState(new ConditionalAccessPolicyState('disabled'));
$conditions = new ConditionalAccessConditionSet();
$conditions->setSignInRiskLevels([new RiskLevel('high'),new RiskLevel('medium'), ]);
$conditions->setClientAppTypes([new ConditionalAccessClientApp('mobileAppsAndDesktopClients'),new ConditionalAccessClientApp('exchangeActiveSync'),new ConditionalAccessClientApp('other'), ]);
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['All', ]);
$conditionsApplications->setExcludeApplications(['499b84ac-1321-427f-aa17-267ca6975798', '00000007-0000-0000-c000-000000000000', 'de8bc8b5-d9f9-48b1-a8ad-b748da725064', '00000012-0000-0000-c000-000000000000', '797f4846-ba00-4fd7-ba43-dac1f8f63013', '05a65629-4c1b-48c1-a78b-804c4abdd4af', '7df0a125-d3be-4c96-aa54-591f83ff541c', ]);
$conditionsApplications->setIncludeUserActions([ ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeUsers(['a702a13d-a437-4a07-8a7e-8c052de62dfd', ]);
$conditionsUsers->setExcludeUsers(['124c5b6a-ffa5-483a-9b88-04c3fce5574a', 'GuestsOrExternalUsers', ]);
$conditionsUsers->setIncludeGroups([ ]);
$conditionsUsers->setExcludeGroups([ ]);
$conditionsUsers->setIncludeRoles(['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', 'cf1c38e5-3621-4004-a7cb-879624dced7c', 'c4e39bd9-1100-46d3-8c65-fb160da0071f', ]);
$conditionsUsers->setExcludeRoles(['b0f54661-2d74-4c50-afa3-1ec803f12efe', ]);
$conditions->setUsers($conditionsUsers);
$conditionsPlatforms = new ConditionalAccessPlatforms();
$conditionsPlatforms->setIncludePlatforms([new ConditionalAccessDevicePlatform('all'), ]);
$conditionsPlatforms->setExcludePlatforms([new ConditionalAccessDevicePlatform('iOS'),new ConditionalAccessDevicePlatform('windowsPhone'), ]);
$conditions->setPlatforms($conditionsPlatforms);
$conditionsLocations = new ConditionalAccessLocations();
$conditionsLocations->setIncludeLocations(['AllTrusted', ]);
$conditionsLocations->setExcludeLocations(['00000000-0000-0000-0000-000000000000', 'd2136c9c-b049-47ae-b9cf-316e04ef7198', ]);
$conditions->setLocations($conditionsLocations);
$conditionsDeviceStates = new ConditionalAccessDeviceStates();
$conditionsDeviceStates->setIncludeStates(['All', ]);
$conditionsDeviceStates->setExcludeStates(['Compliant', ]);
$conditions->setDeviceStates($conditionsDeviceStates);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('mfa'),new ConditionalAccessGrantControl('compliantDevice'),new ConditionalAccessGrantControl('domainJoinedDevice'),new ConditionalAccessGrantControl('approvedApplication'),new ConditionalAccessGrantControl('compliantApplication'), ]);
$grantControls->setCustomAuthenticationFactors([ ]);
$grantControls->setTermsOfUse(['ce580154-086a-40fd-91df-8a60abac81a0', '7f29d675-caff-43e1-8a53-1b8516ed2075', ]);
$requestBody->setGrantControls($grantControls);
$sessionControls = new ConditionalAccessSessionControls();
$sessionControls->setApplicationEnforcedRestrictions(null);
$sessionControls->setPersistentBrowser(null);
$sessionControlsCloudAppSecurity = new CloudAppSecuritySessionControl();
$sessionControlsCloudAppSecurity->setCloudAppSecurityType(new CloudAppSecuritySessionControlType('blockDownloads'));
$sessionControlsCloudAppSecurity->setIsEnabled(true);
$sessionControls->setCloudAppSecurity($sessionControlsCloudAppSecurity);
$sessionControlsSignInFrequency = new SignInFrequencySessionControl();
$sessionControlsSignInFrequency->setValue(4);
$sessionControlsSignInFrequency->setType(new SigninFrequencyType('hours'));
$sessionControlsSignInFrequency->setIsEnabled(true);
$sessionControls->setSignInFrequency($sessionControlsSignInFrequency);
$requestBody->setSessionControls($sessionControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.risk_level import RiskLevel
from msgraph_beta.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_platforms import ConditionalAccessPlatforms
from msgraph_beta.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph_beta.generated.models.conditional_access_locations import ConditionalAccessLocations
from msgraph_beta.generated.models.conditional_access_device_states import ConditionalAccessDeviceStates
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
from msgraph_beta.generated.models.conditional_access_session_controls import ConditionalAccessSessionControls
from msgraph_beta.generated.models.cloud_app_security_session_control import CloudAppSecuritySessionControl
from msgraph_beta.generated.models.cloud_app_security_session_control_type import CloudAppSecuritySessionControlType
from msgraph_beta.generated.models.sign_in_frequency_session_control import SignInFrequencySessionControl
from msgraph_beta.generated.models.signin_frequency_type import SigninFrequencyType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Demo app for documentation",
state = ConditionalAccessPolicyState.Disabled,
conditions = ConditionalAccessConditionSet(
sign_in_risk_levels = [
RiskLevel.High,
RiskLevel.Medium,
],
client_app_types = [
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.ExchangeActiveSync,
ConditionalAccessClientApp.Other,
],
applications = ConditionalAccessApplications(
include_applications = [
"All",
],
exclude_applications = [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
],
include_user_actions = [
],
),
users = ConditionalAccessUsers(
include_users = [
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
],
exclude_users = [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
],
include_groups = [
],
exclude_groups = [
],
include_roles = [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
],
exclude_roles = [
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
],
),
platforms = ConditionalAccessPlatforms(
include_platforms = [
ConditionalAccessDevicePlatform.All,
],
exclude_platforms = [
ConditionalAccessDevicePlatform.IOS,
ConditionalAccessDevicePlatform.WindowsPhone,
],
),
locations = ConditionalAccessLocations(
include_locations = [
"AllTrusted",
],
exclude_locations = [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
],
),
device_states = ConditionalAccessDeviceStates(
include_states = [
"All",
],
exclude_states = [
"Compliant",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Mfa,
ConditionalAccessGrantControl.CompliantDevice,
ConditionalAccessGrantControl.DomainJoinedDevice,
ConditionalAccessGrantControl.ApprovedApplication,
ConditionalAccessGrantControl.CompliantApplication,
],
custom_authentication_factors = [
],
terms_of_use = [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
],
),
session_controls = ConditionalAccessSessionControls(
application_enforced_restrictions = None,
persistent_browser = None,
cloud_app_security = CloudAppSecuritySessionControl(
cloud_app_security_type = CloudAppSecuritySessionControlType.BlockDownloads,
is_enabled = True,
),
sign_in_frequency = SignInFrequencySessionControl(
value = 4,
type = SigninFrequencyType.Hours,
is_enabled = True,
),
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
"displayName": "Demo app for documentation",
"createdDateTime": "2019-09-26T23:12:16.0792706Z",
"modifiedDateTime": null,
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
Exemplo 4: Exigir que a MFA Exchange Online a partir de dispositivos não conformes
Nota: Estamos a preterir a condição deviceStates e esta poderá ser removida no futuro. No futuro, utilize a condição de dispositivos .
Solicitação
O exemplo seguinte mostra um pedido para exigir que a MFA Exchange Online a partir de dispositivos não conformes.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA to EXO from non-compliant devices.",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
DisplayName = "Require MFA to EXO from non-compliant devices.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"00000002-0000-0ff1-ce00-000000000000",
},
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<string>
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
},
},
Devices = new ConditionalAccessDevices
{
IncludeDevices = new List<string>
{
"All",
},
ExcludeDevices = new List<string>
{
"Compliant",
},
},
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl?>
{
ConditionalAccessGrantControl.Mfa,
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
displayName := "Require MFA to EXO from non-compliant devices."
requestBody.SetDisplayName(&displayName)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
conditions := graphmodels.NewConditionalAccessConditionSet()
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"00000002-0000-0ff1-ce00-000000000000",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeGroups := []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
users.SetIncludeGroups(includeGroups)
conditions.SetUsers(users)
devices := graphmodels.NewConditionalAccessDevices()
includeDevices := []string {
"All",
}
devices.SetIncludeDevices(includeDevices)
excludeDevices := []string {
"Compliant",
}
devices.SetExcludeDevices(excludeDevices)
conditions.SetDevices(devices)
requestBody.SetConditions(conditions)
grantControls := graphmodels.NewConditionalAccessGrantControls()
operator := "OR"
grantControls.SetOperator(&operator)
builtInControls := []graphmodels.ConditionalAccessGrantControlable {
conditionalAccessGrantControl := graphmodels.MFA_CONDITIONALACCESSGRANTCONTROL
grantControls.SetConditionalAccessGrantControl(&conditionalAccessGrantControl)
}
grantControls.SetBuiltInControls(builtInControls)
requestBody.SetGrantControls(grantControls)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.setDisplayName("Require MFA to EXO from non-compliant devices.");
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("00000002-0000-0ff1-ce00-000000000000");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroups = new LinkedList<String>();
includeGroups.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.setIncludeGroups(includeGroups);
conditions.setUsers(users);
ConditionalAccessDevices devices = new ConditionalAccessDevices();
LinkedList<String> includeDevices = new LinkedList<String>();
includeDevices.add("All");
devices.setIncludeDevices(includeDevices);
LinkedList<String> excludeDevices = new LinkedList<String>();
excludeDevices.add("Compliant");
devices.setExcludeDevices(excludeDevices);
conditions.setDevices(devices);
conditionalAccessPolicy.setConditions(conditions);
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.setOperator("OR");
LinkedList<ConditionalAccessGrantControl> builtInControls = new LinkedList<ConditionalAccessGrantControl>();
builtInControls.add(ConditionalAccessGrantControl.Mfa);
grantControls.setBuiltInControls(builtInControls);
conditionalAccessPolicy.setGrantControls(grantControls);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Require MFA to EXO from non-compliant devices.',
state: 'enabled',
conditions: {
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
devices: {
includeDevices: [
'All'
],
excludeDevices: [
'Compliant'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessDevices;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControls;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessGrantControl;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$requestBody->setDisplayName('Require MFA to EXO from non-compliant devices.');
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$conditions = new ConditionalAccessConditionSet();
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['00000002-0000-0ff1-ce00-000000000000', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeGroups(['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba', ]);
$conditions->setUsers($conditionsUsers);
$conditionsDevices = new ConditionalAccessDevices();
$conditionsDevices->setIncludeDevices(['All', ]);
$conditionsDevices->setExcludeDevices(['Compliant', ]);
$conditions->setDevices($conditionsDevices);
$requestBody->setConditions($conditions);
$grantControls = new ConditionalAccessGrantControls();
$grantControls->setOperator('OR');
$grantControls->setBuiltInControls([new ConditionalAccessGrantControl('mfa'), ]);
$requestBody->setGrantControls($grantControls);
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_devices import ConditionalAccessDevices
from msgraph_beta.generated.models.conditional_access_grant_controls import ConditionalAccessGrantControls
from msgraph_beta.generated.models.conditional_access_grant_control import ConditionalAccessGrantControl
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
display_name = "Require MFA to EXO from non-compliant devices.",
state = ConditionalAccessPolicyState.Enabled,
conditions = ConditionalAccessConditionSet(
applications = ConditionalAccessApplications(
include_applications = [
"00000002-0000-0ff1-ce00-000000000000",
],
),
users = ConditionalAccessUsers(
include_groups = [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
],
),
devices = ConditionalAccessDevices(
include_devices = [
"All",
],
exclude_devices = [
"Compliant",
],
),
),
grant_controls = ConditionalAccessGrantControls(
operator = "OR",
built_in_controls = [
ConditionalAccessGrantControl.Mfa,
],
),
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
"displayName": "Require MFA to EXO from non-complaint devices.",
"createdDateTime": "2020-04-01T00:55:12.9571747Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": [],
"includeProtectionLevels": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Exemplo 5: Criar uma política de Acesso Condicional para permitir que apenas as identidades do agente com a etiqueta de atributo de segurança personalizada "aprovada" acedam a recursos com a etiqueta de atributo de segurança personalizada "RH"
Solicitação
O exemplo seguinte mostra como criar uma política com atributos de segurança personalizados
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Allow only approved agents to access resources",
"conditions": {
"clientApplications": {
"includeAgentIdServicePrincipals": [
"All"
],
"excludeAgentIdServicePrincipals": [],
"agentIdServicePrincipalFilter": {
"mode": "exclude",
"rule": "CustomSecurityAttribute.AgentAttributes_AgentStatus -eq \"Approved\""
}
},
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"applicationFilter": {
"mode": "exclude",
"rule": "CustomSecurityAttribute.AgenticResources_ResourceType -eq \"HR\""
}
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabledForReportingButNotEnforced"
}
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity",
"id": "baf90002-11d1-4ba4-8275-6f9c6218c2d4",
"templateId": null,
"displayName": "Allow only approved agents to access resources",
"createdDateTime": "2025-11-05T06:13:51.6950045Z",
"modifiedDateTime": null,
"state": "enabledForReportingButNotEnforced",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"platforms": null,
"locations": null,
"devices": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": {
"mode": "exclude",
"rule": "CustomSecurityAttribute.AgenticResources_ResourceType -eq \"HR\""
}
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [],
"excludeServicePrincipals": [],
"servicePrincipalFilter": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('baf90002-11d1-4ba4-8275-6f9c6218c2d4')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}
Exemplo 6: Criar uma política de Acesso Condicional para impedir que todas as identidades dos agentes acedam a todos os recursos
Solicitação
O exemplo seguinte mostra um pedido para bloquear o acesso de todas as identidades de agentes a todos os recursos.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block all agent identities from accessing resources",
"conditions": {
"clientApplications": {
"includeAgentIdServicePrincipals": [
"All"
],
"excludeAgentIdServicePrincipals": [],
"agentIdServicePrincipalFilter": null
},
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": []
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabledForReportingButNotEnforced"
}
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "86d20244-3175-4847-8b2f-3c60c8fc2aef",
"templateId": null,
"displayName": "Block all agent identities from accessing resources",
"createdDateTime": "2025-11-04T16:30:48.295918Z",
"modifiedDateTime": null,
"state": "enabled",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [],
"includeAgentIdServicePrincipals": [
"All"
],
"excludeServicePrincipals": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('86d20244-3175-4847-8b2f-3c60c8fc2aef')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}
Exemplo 7: Criar uma política de Acesso Condicional para impedir que todas as identidades de agentes de alto risco acedam a todos os recursos
Solicitação
O exemplo seguinte mostra um pedido para impedir que todas as identidades de agente de alto risco acedam a todos os recursos.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block all agent identities from accessing resources",
"conditions": {
"clientApplications": {
"includeAgentIdServicePrincipals": [
"All"
],
"excludeAgentIdServicePrincipals": [],
"agentIdServicePrincipalFilter": null
},
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": []
},
"agentIdRiskLevels": "high"
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabledForReportingButNotEnforced"
}
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "86d20244-3175-4847-8b2f-3c60c8fc2aef",
"templateId": null,
"displayName": "Block all high risk agent identities from accessing resources",
"createdDateTime": "2025-11-04T16:30:48.295918Z",
"modifiedDateTime": null,
"state": "enabled",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"agentIdRiskLevels": "high"
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [],
"includeAgentIdServicePrincipals": [
"All"
],
"excludeServicePrincipals": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('86d20244-3175-4847-8b2f-3c60c8fc2aef')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}
Exemplo 8: Criar uma política de Acesso Condicional para impedir que todos os utilizadores do agente acedam a todos os recursos
Solicitação
O exemplo seguinte mostra um pedido para impedir que todos os utilizadores do agente acedam a todos os recursos.
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block all agent users from accessing resources",
"conditions": {
"users": {
"includeUsers": [
"AllAgentIdUsers"
]},
"applications": {
"includeApplications": [
"All"
]
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"block"
]
},
"state": "enabled"
}
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "0f9848ad-884e-46b2-b3ab-e26e1594f5e4",
"templateId": null,
"displayName": "Block all agent users from accessing resources",
"createdDateTime": "2025-11-04T16:28:54.84246Z",
"modifiedDateTime": null,
"state": "enabled",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"AllAgentIdUsers"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('0f9848ad-884e-46b2-b3ab-e26e1594f5e4')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}
Solicitação
O exemplo seguinte mostra um pedido para exigir que todos os utilizadores executem a MFA para aceder a todos os recursos do agente
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA for all users accessing agent resources",
"conditions": {
"users": {
"includeUsers": [
"All"
]
},
"applications": {
"includeApplications": [
"AllAgentIdResources"
],
"excludeApplications": []
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa"
]
},
"state": "enabledForReportingButNotEnforced"
}
Resposta
O exemplo a seguir mostra a resposta.
Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies/$entity",
"id": "4efea1cf-1eb7-4a33-b580-43d1c5c4c6e6",
"templateId": null,
"displayName": "Require MFA for all users accessing agent resources",
"createdDateTime": "2025-11-04T16:32:00.8699295Z",
"modifiedDateTime": null,
"state": "enabledForReportingButNotEnforced",
"deletedDateTime": null,
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"AllAgentIdResources"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('4efea1cf-1eb7-4a33-b580-43d1c5c4c6e6')/grantControls/authenticationStrength/$entity",
"authenticationStrength": null
}
}