appliedConditionalAccessPolicy resource type
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Indicates the attributes related to applied conditional access policy or policies that are triggered by a sign-in activity.
The data in this object is returned only for callers with privileges to read conditional access data. For more information, see Viewing applied conditional access (CA) policies in sign-ins.
Properties
Property | Type | Description |
---|---|---|
authenticationStrength | authenticationStrength | The custom authentication strength enforced in a Conditional Access policy. |
conditionsNotSatisfied | conditionalAccessConditions | Refers to the conditional access policy conditions that aren't satisfied. The possible values are: none, application, users, devicePlatform, location, clientType, signInRisk, userRisk, time, deviceState, client, ipAddressSeenByAzureAD, ipAddressSeenByResourceProvider, unknownFutureValue, servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. conditionalAccessConditions is a multi-valued enumeration and the property can contain multiple values in a comma-separated list. |
conditionsSatisfied | conditionalAccessConditions | Refers to the conditional access policy conditions that are satisfied. The possible values are: none, application, users, devicePlatform, location, clientType, signInRisk, userRisk, time, deviceState, client, ipAddressSeenByAzureAD, ipAddressSeenByResourceProvider, unknownFutureValue, servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. conditionalAccessConditions is a multi-valued enumeration and the property can contain multiple values in a comma-separated list. |
displayName | String | Name of the conditional access policy. |
enforcedGrantControls | String collection | Refers to the grant controls enforced by the conditional access policy (example: "Require multifactor authentication"). |
enforcedSessionControls | String collection | Refers to the session controls enforced by the conditional access policy (example: "Require app enforced controls"). |
excludeRulesSatisfied | conditionalAccessRuleSatisfied collection | List of key-value pairs containing each matched exclude condition in the conditional access policy. Example: [{"devicePlatform" : "DevicePlatform"}] means the policy didn't apply, because the DevicePlatform condition was a match. |
id | String | Identifier of the conditional access policy. |
includeRulesSatisfied | conditionalAccessRuleSatisfied collection | List of key-value pairs containing each matched include condition in the conditional access policy. Example: [{"application" : "AllApps"}, {"users": "Group"}], meaning the Application condition was a match because AllApps are included and the Users condition was a match because the user was part of the included Group rule. |
result | appliedConditionalAccessPolicyResult | Indicates the result of the CA policy that was triggered. Possible values are: success, failure, notApplied (policy isn't applied because policy conditions weren't met), notEnabled (the policy is in a disabled state), unknown, unknownFutureValue, reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted. |
sessionControlsNotSatisfied | String collection | Refers to the session controls that a sign-in activity didn't satisfy. (Example: Application enforced Restrictions). |
JSON representation
The following JSON representation shows the resource type.
{
  "@odata.type": "#microsoft.graph.appliedConditionalAccessPolicy",
  "id": "String (identifier)",
  "authenticationStrength": {"@odata.type": "microsoft.graph.authenticationStrength"},
  "displayName": "String",
  "enforcedGrantControls": [
    "String"
  ],
  "enforcedSessionControls": [
    "String"
  ],
  "conditionsSatisfied": "String",
  "conditionsNotSatisfied": "String",
  "includeRulesSatisfied": [
    {
      "@odata.type": "microsoft.graph.conditionalAccessRuleSatisfied"
    }
  ],
  "excludeRulesSatisfied": [
    {
      "@odata.type": "microsoft.graph.conditionalAccessRuleSatisfied"
    }
  ],
  "result": "String"
}
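The following added example (not part of the original reference, and not Microsoft's code) shows one way a reviewer could triage these objects for a single sign-in: it splits the comma-separated conditionsNotSatisfied value, separates report-only results from enforced ones, and lists the matched exclude rules. The helper names, the coarse state labels, and the sample objects are assumptions made for illustration; rule entries are assumed to be key-value pairs as in the table's examples.

```python
REPORT_ONLY = {"reportOnlySuccess", "reportOnlyFailure",
               "reportOnlyNotApplied", "reportOnlyInterrupted"}
# Hypothetical coarse labels for the documented result values.
STATE = {"success": "enforced", "failure": "enforced",
         "notApplied": "not_applied", "notEnabled": "disabled"}

def split_conditions(value):
    """Split the comma-separated multi-valued enum; drop 'none' and blanks."""
    parts = [p.strip() for p in (value or "").split(",")]
    return [p for p in parts if p and p != "none"]

def rule_pairs(rules):
    """Flatten rule entries, assumed to be key-value pairs as in the table's examples."""
    return [(k, v) for r in (rules or []) for k, v in r.items()
            if not k.startswith("@odata")]

def triage(policy):
    """Summarize one policy: raw result, coarse state, and why it did not apply."""
    result = policy.get("result", "unknown")
    state = "report_only" if result in REPORT_ONLY else STATE.get(result, "unrecognized")
    return {
        "id": policy.get("id"),
        "name": policy.get("displayName"),
        "result": result,
        "state": state,
        "unmet": split_conditions(policy.get("conditionsNotSatisfied")),
        "excluded_by": rule_pairs(policy.get("excludeRulesSatisfied")),
        "grant_controls": policy.get("enforcedGrantControls") or [],
    }

def no_policy_enforced(policies):
    """True when no enabled policy was applied to the sign-in."""
    return not any(triage(p)["state"] == "enforced" for p in policies)

# Constructed sample objects (not real tenant output).
SAMPLE = [
    {"id": "policy-1", "displayName": "Require MFA for all users",
     "result": "notApplied", "conditionsSatisfied": "application,users",
     "conditionsNotSatisfied": "devicePlatform",
     "excludeRulesSatisfied": [{"devicePlatform": "DevicePlatform"}]},
    {"id": "policy-2", "displayName": "Block risky sign-ins (pilot)",
     "result": "reportOnlyFailure", "conditionsNotSatisfied": "signInRisk, location"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(triage(p))
    print("no policy enforced:", no_policy_enforced(SAMPLE))
```

Results that map to "unrecognized" include unknown, unknownFutureValue, and any member added to the evolvable enum later, so they are surfaced rather than silently treated as enforced.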