Update onPremisesConditionalAccessSettings

Article
11/30/2023

Namespace: microsoft.graph

Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.

Update the properties of a onPremisesConditionalAccessSettings object.

This API is available in the following national cloud deployments.

Global service	US Government L4	US Government L5 (DOD)	China operated by 21Vianet
✅	✅	✅	✅

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
Delegated (personal Microsoft account)	Not supported.
Application	DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All

HTTP Request

PATCH /deviceManagement/conditionalAccessSettings

Request headers

Header	Value
Authorization	Bearer {token}. Required. Learn more about authentication and authorization.
Accept	application/json

Request body

In the request body, supply a JSON representation for the onPremisesConditionalAccessSettings object.

The following table shows the properties that are required when you create the onPremisesConditionalAccessSettings.

Property	Type	Description
id	String	Not yet documented
enabled	Boolean	Indicates if on premises conditional access is enabled for this organization
includedGroups	Guid collection	User groups that will be targeted by on premises conditional access. All users in these groups will be required to have mobile device managed and compliant for mail access.
excludedGroups	Guid collection	User groups that will be exempt by on premises conditional access. All users in these groups will be exempt from the conditional access policy.
overrideDefaultRule	Boolean	Override the default access rule when allowing a device to ensure access is granted.

Response

If successful, this method returns a 200 OK response code and an updated onPremisesConditionalAccessSettings object in the response body.

Example

Request

Here is an example of the request.

PATCH https://graph.microsoft.com/v1.0/deviceManagement/conditionalAccessSettings
Content-type: application/json
Content-length: 275

{
  "@odata.type": "#microsoft.graph.onPremisesConditionalAccessSettings",
  "enabled": true,
  "includedGroups": [
    "77c9d466-d466-77c9-66d4-c97766d4c977"
  ],
  "excludedGroups": [
    "2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"
  ],
  "overrideDefaultRule": true
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new OnPremisesConditionalAccessSettings
{
	OdataType = "#microsoft.graph.onPremisesConditionalAccessSettings",
	Enabled = true,
	IncludedGroups = new List<Guid?>
	{
		Guid.Parse("77c9d466-d466-77c9-66d4-c97766d4c977"),
	},
	ExcludedGroups = new List<Guid?>
	{
		Guid.Parse("2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"),
	},
	OverrideDefaultRule = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.DeviceManagement.ConditionalAccessSettings.PatchAsync(requestBody);

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



mgc device-management conditional-access-settings patch --body '{\
  "@odata.type": "#microsoft.graph.onPremisesConditionalAccessSettings",\
  "enabled": true,\
  "includedGroups": [\
    "77c9d466-d466-77c9-66d4-c97766d4c977"\
  ],\
  "excludedGroups": [\
    "2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"\
  ],\
  "overrideDefaultRule": true\
}\
'

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewOnPremisesConditionalAccessSettings()
enabled := true
requestBody.SetEnabled(&enabled) 
includedGroups := []uuid.UUID {
	uuid.MustParse("77c9d466-d466-77c9-66d4-c97766d4c977"),
}
requestBody.SetIncludedGroups(includedGroups)
excludedGroups := []uuid.UUID {
	uuid.MustParse("2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"),
}
requestBody.SetExcludedGroups(excludedGroups)
overrideDefaultRule := true
requestBody.SetOverrideDefaultRule(&overrideDefaultRule) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
conditionalAccessSettings, err := graphClient.DeviceManagement().ConditionalAccessSettings().Patch(context.Background(), requestBody, nil)

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

OnPremisesConditionalAccessSettings onPremisesConditionalAccessSettings = new OnPremisesConditionalAccessSettings();
onPremisesConditionalAccessSettings.setOdataType("#microsoft.graph.onPremisesConditionalAccessSettings");
onPremisesConditionalAccessSettings.setEnabled(true);
LinkedList<UUID> includedGroups = new LinkedList<UUID>();
includedGroups.add(UUID.fromString("77c9d466-d466-77c9-66d4-c97766d4c977"));
onPremisesConditionalAccessSettings.setIncludedGroups(includedGroups);
LinkedList<UUID> excludedGroups = new LinkedList<UUID>();
excludedGroups.add(UUID.fromString("2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"));
onPremisesConditionalAccessSettings.setExcludedGroups(excludedGroups);
onPremisesConditionalAccessSettings.setOverrideDefaultRule(true);
OnPremisesConditionalAccessSettings result = graphClient.deviceManagement().conditionalAccessSettings().patch(onPremisesConditionalAccessSettings);

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


const options = {
	authProvider,
};

const client = Client.init(options);

const onPremisesConditionalAccessSettings = {
  '@odata.type': '#microsoft.graph.onPremisesConditionalAccessSettings',
  enabled: true,
  includedGroups: [
    '77c9d466-d466-77c9-66d4-c97766d4c977'
  ],
  excludedGroups: [
    '2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a'
  ],
  overrideDefaultRule: true
};

await client.api('/deviceManagement/conditionalAccessSettings')
	.update(onPremisesConditionalAccessSettings);

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\OnPremisesConditionalAccessSettings;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new OnPremisesConditionalAccessSettings();
$requestBody->setOdataType('#microsoft.graph.onPremisesConditionalAccessSettings');
$requestBody->setEnabled(true);
$requestBody->setIncludedGroups(['77c9d466-d466-77c9-66d4-c97766d4c977', 	]);
$requestBody->setExcludedGroups(['2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a', 	]);
$requestBody->setOverrideDefaultRule(true);

$result = $graphServiceClient->deviceManagement()->conditionalAccessSettings()->patch($requestBody)->wait();

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


Import-Module Microsoft.Graph.DeviceManagement.Enrollment

$params = @{
	"@odata.type" = "#microsoft.graph.onPremisesConditionalAccessSettings"
	enabled = $true
	includedGroups = @(
	"77c9d466-d466-77c9-66d4-c97766d4c977"
)
excludedGroups = @(
"2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"
)
overrideDefaultRule = $true
}

Update-MgDeviceManagementConditionalAccessSetting -BodyParameter $params

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.on_premises_conditional_access_settings import OnPremisesConditionalAccessSettings
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = OnPremisesConditionalAccessSettings(
	odata_type = "#microsoft.graph.onPremisesConditionalAccessSettings",
	enabled = True,
	included_groups = [
		UUID("77c9d466-d466-77c9-66d4-c97766d4c977"),
	],
	excluded_groups = [
		UUID("2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"),
	],
	override_default_rule = True,
)

result = await graph_client.device_management.conditional_access_settings.patch(request_body)

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 324

{
  "@odata.type": "#microsoft.graph.onPremisesConditionalAccessSettings",
  "id": "a0efde21-de21-a0ef-21de-efa021deefa0",
  "enabled": true,
  "includedGroups": [
    "77c9d466-d466-77c9-66d4-c97766d4c977"
  ],
  "excludedGroups": [
    "2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"
  ],
  "overrideDefaultRule": true
}

Share via

Update onPremisesConditionalAccessSettings

Permissions

HTTP Request

Request headers

Request body

Response

Example

Request

Response

Feedback

Additional resources