Create conditionalAccessPolicy
07/18/2022
Namespace: microsoft.graph
Create a new conditionalAccessPolicy.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Policy.Read.All, Policy.ReadWrite.ConditionalAccess and Application.Read.All |
| Delegated (personal Microsoft account) | Not supported |
| Application | Policy.Read.All, Policy.ReadWrite.ConditionalAccess and Application.Read.All |
HTTP request
POST /identity/conditionalAccess/policies

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply a JSON representation of a conditionalAccessPolicy object.
A valid policy should contain at least one of the following:
Response
If successful, this method returns a 201 Created response code and a new conditionalAccessPolicy object in the response body.
Examples
Example 1: Require MFA to access Exchange Online outside of trusted locations
Request
The following example shows a common request to require multi-factor authentication for access to Exchange Online from modern authentication clients outside of trusted locations for a particular group.
Note: You must set up your trusted locations before using this operation.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Access to EXO requires MFA",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Access to EXO requires MFA",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp>()
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.Browser
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"00000002-0000-0ff1-ce00-000000000000"
}
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<String>()
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
}
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<String>()
{
"All"
},
ExcludeLocations = new List<String>()
{
"AllTrusted"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Mfa
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Access to EXO requires MFA',
state: 'enabled',
conditions: {
clientAppTypes: [
'mobileAppsAndDesktopClients',
'browser'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'All'
],
excludeLocations: [
'AllTrusted'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Access to EXO requires MFA"];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"mobileAppsAndDesktopClients"];
[clientAppTypesList addObject: @"browser"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"All"];
[locations setIncludeLocations:includeLocationsList];
NSMutableArray *excludeLocationsList = [[NSMutableArray alloc] init];
[excludeLocationsList addObject: @"AllTrusted"];
[locations setExcludeLocations:excludeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Access to EXO requires MFA";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.MOBILE_APPS_AND_DESKTOP_CLIENTS);
clientAppTypesList.add(ConditionalAccessClientApp.BROWSER);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("All");
locations.includeLocations = includeLocationsList;
LinkedList<String> excludeLocationsList = new LinkedList<String>();
excludeLocationsList.add("AllTrusted");
locations.excludeLocations = excludeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Access to EXO requires MFA"
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
// Client app types the policy applies to
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
    "mobileAppsAndDesktopClients",
    "browser",
})
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []string {
    "00000002-0000-0ff1-ce00-000000000000",
})
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []string {
    "ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
})
// All locations except the trusted ones
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []string {
    "All",
})
locations.SetExcludeLocations( []string {
    "AllTrusted",
})
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
    "mfa",
})
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Access to EXO requires MFA"
State = "enabled"
Conditions = @{
ClientAppTypes = @(
"mobileAppsAndDesktopClients"
"browser"
)
Applications = @{
IncludeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
Users = @{
IncludeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
Locations = @{
IncludeLocations = @(
"All"
)
ExcludeLocations = @(
"AllTrusted"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"mfa"
)
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
"displayName": "Access to EXO requires MFA",
"createdDateTime": "2019-10-14T19:52:00.050958Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"platforms": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Example 2: Block access to Exchange Online from non-trusted regions
Request
The following example shows a request to block access to Exchange Online from non-trusted/unknown regions.
This example assumes that the named location with id = 198ad66e-87b3-4157-85a3-8a7b51794ee9 corresponds to a list of non-trusted/unknown regions.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to EXO non-trusted regions.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Block access to EXO non-trusted regions.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp>()
{
ConditionalAccessClientApp.All
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"00000002-0000-0ff1-ce00-000000000000"
}
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<String>()
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
}
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<String>()
{
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Block
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Block access to EXO non-trusted regions.',
state: 'enabled',
conditions: {
clientAppTypes: [
'all'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'198ad66e-87b3-4157-85a3-8a7b51794ee9'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'block'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Block access to EXO non-trusted regions."];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"all"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"198ad66e-87b3-4157-85a3-8a7b51794ee9"];
[locations setIncludeLocations:includeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"block"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Block access to EXO non-trusted regions.";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.ALL);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("198ad66e-87b3-4157-85a3-8a7b51794ee9");
locations.includeLocations = includeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.BLOCK);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Block access to EXO non-trusted regions."
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
// Client app types the policy applies to
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
    "all",
})
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []string {
    "00000002-0000-0ff1-ce00-000000000000",
})
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []string {
    "ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
})
// Named location assumed to list the non-trusted/unknown regions
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []string {
    "198ad66e-87b3-4157-85a3-8a7b51794ee9",
})
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
    "block",
})
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Block access to EXO non-trusted regions."
State = "enabled"
Conditions = @{
ClientAppTypes = @(
"all"
)
Applications = @{
IncludeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
Users = @{
IncludeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
Locations = @{
IncludeLocations = @(
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"block"
)
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
"displayName": "Block access to EXO non-trusted regions.",
"createdDateTime": "2019-10-14T19:53:11.3705634Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
],
"excludeLocations": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
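Examples 1 and 2 both depend on named locations that must already exist: Example 1 on a trusted location behind `AllTrusted`, Example 2 on the named location with the stated id. The JavaScript below is an added example, not part of the original article or of any Microsoft Graph SDK; it checks a request body's `conditions.locations` against a snapshot of the tenant's named locations before the POST is sent. The function name, the finding codes, the reduced `{ id, displayName, isTrusted }` snapshot shape and the tenant data are assumptions constructed for illustration.

```javascript
// Added example: pre-flight check of conditions.locations before the POST.
// Not part of the original article or of any Microsoft Graph SDK.

// The two keywords the location lists accept besides named-location ids.
const SPECIAL_LOCATIONS = new Set(['All', 'AllTrusted']);
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

/**
 * policy:         request body shaped like the examples in this article
 * namedLocations: assumed snapshot of the tenant's named locations, reduced
 *                 to { id, displayName, isTrusted } (hypothetical shape)
 * returns:        array of { field, value, code, message }
 */
function checkPolicyLocations(policy, namedLocations) {
  const findings = [];
  const locations = policy && policy.conditions && policy.conditions.locations;
  if (!locations) return findings; // no location condition, nothing to resolve

  const known = new Set(namedLocations.map((l) => l.id.toLowerCase()));
  const hasTrusted = namedLocations.some((l) => l.isTrusted === true);
  const lists = {
    includeLocations: locations.includeLocations || [],
    excludeLocations: locations.excludeLocations || [],
  };

  for (const [field, values] of Object.entries(lists)) {
    for (const value of values) {
      if (SPECIAL_LOCATIONS.has(value)) {
        // With no trusted location in the snapshot, the AllTrusted
        // reference has nothing to resolve to.
        if (value === 'AllTrusted' && !hasTrusted) {
          findings.push({ field, value, code: 'NO_TRUSTED_LOCATION',
            message: 'AllTrusted is referenced but the snapshot has no trusted named location' });
        }
      } else if (!GUID_RE.test(value)) {
        findings.push({ field, value, code: 'INVALID_REFERENCE',
          message: 'expected All, AllTrusted or a named-location id' });
      } else if (!known.has(value.toLowerCase())) {
        findings.push({ field, value, code: 'UNKNOWN_LOCATION',
          message: 'id not found among the named locations in the snapshot' });
      }
    }
  }

  // A value listed on both sides cancels out: exclusions take precedence,
  // so the include entry never brings that location into scope.
  const excluded = new Set(lists.excludeLocations.map((v) => v.toLowerCase()));
  for (const value of new Set(lists.includeLocations)) {
    if (excluded.has(value.toLowerCase())) {
      findings.push({ field: 'includeLocations', value, code: 'INCLUDE_EXCLUDE_OVERLAP',
        message: 'value is also listed in excludeLocations' });
    }
  }
  return findings;
}

// Location blocks of Example 1 and Example 2 from this article.
const EXAMPLE_1 = { conditions: { locations: {
  includeLocations: ['All'], excludeLocations: ['AllTrusted'] } } };
const EXAMPLE_2 = { conditions: { locations: {
  includeLocations: ['198ad66e-87b3-4157-85a3-8a7b51794ee9'] } } };

// Constructed tenant snapshots: display names and the second id are made up.
const TENANT_A = [
  { id: '198ad66e-87b3-4157-85a3-8a7b51794ee9', displayName: 'Untrusted regions', isTrusted: false },
];
const TENANT_B = TENANT_A.concat([
  { id: '11111111-2222-3333-4444-555555555555', displayName: 'HQ egress', isTrusted: true },
]);

// Runs both article examples against the constructed snapshots.
function demo() {
  const codes = (policy, tenant) => checkPolicyLocations(policy, tenant).map((f) => f.code);
  return {
    example1NoTrustedLocation: codes(EXAMPLE_1, TENANT_A),
    example1WithTrustedLocation: codes(EXAMPLE_1, TENANT_B),
    example2LocationPresent: codes(EXAMPLE_2, TENANT_A),
    example2LocationMissing: codes(EXAMPLE_2, []),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

A non-empty result for a policy whose `state` is `enabled` is worth resolving before sending the request, because the policy would otherwise be enforced with a location condition that does not match what was intended.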
Example 3: Use all conditions and controls
Request
The following is an example of the request to use all conditions and controls.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Demo app for documentation",
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Demo app for documentation",
State = ConditionalAccessPolicyState.Disabled,
Conditions = new ConditionalAccessConditionSet
{
SignInRiskLevels = new List<RiskLevel>()
{
RiskLevel.High,
RiskLevel.Medium
},
ClientAppTypes = new List<ConditionalAccessClientApp>()
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.ExchangeActiveSync,
ConditionalAccessClientApp.Other
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"All"
},
ExcludeApplications = new List<String>()
{
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
},
IncludeUserActions = new List<String>()
{
}
},
Users = new ConditionalAccessUsers
{
IncludeUsers = new List<String>()
{
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
},
ExcludeUsers = new List<String>()
{
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
},
IncludeGroups = new List<String>()
{
},
ExcludeGroups = new List<String>()
{
},
IncludeRoles = new List<String>()
{
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
},
ExcludeRoles = new List<String>()
{
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
}
},
Platforms = new ConditionalAccessPlatforms
{
IncludePlatforms = new List<ConditionalAccessDevicePlatform>()
{
ConditionalAccessDevicePlatform.All
},
ExcludePlatforms = new List<ConditionalAccessDevicePlatform>()
{
ConditionalAccessDevicePlatform.IOS,
ConditionalAccessDevicePlatform.WindowsPhone
}
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<String>()
{
"AllTrusted"
},
ExcludeLocations = new List<String>()
{
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Mfa,
ConditionalAccessGrantControl.CompliantDevice,
ConditionalAccessGrantControl.DomainJoinedDevice,
ConditionalAccessGrantControl.ApprovedApplication,
ConditionalAccessGrantControl.CompliantApplication
},
CustomAuthenticationFactors = new List<String>()
{
},
TermsOfUse = new List<String>()
{
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
}
},
SessionControls = new ConditionalAccessSessionControls
{
ApplicationEnforcedRestrictions = null,
PersistentBrowser = null,
CloudAppSecurity = new CloudAppSecuritySessionControl
{
CloudAppSecurityType = CloudAppSecuritySessionControlType.BlockDownloads,
IsEnabled = true
},
SignInFrequency = new SignInFrequencySessionControl
{
Value = 4,
Type = SigninFrequencyType.Hours,
IsEnabled = true
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Demo app for documentation',
state: 'disabled',
conditions: {
signInRiskLevels: [
'high',
'medium'
],
clientAppTypes: [
'mobileAppsAndDesktopClients',
'exchangeActiveSync',
'other'
],
applications: {
includeApplications: [
'All'
],
excludeApplications: [
'499b84ac-1321-427f-aa17-267ca6975798',
'00000007-0000-0000-c000-000000000000',
'de8bc8b5-d9f9-48b1-a8ad-b748da725064',
'00000012-0000-0000-c000-000000000000',
'797f4846-ba00-4fd7-ba43-dac1f8f63013',
'05a65629-4c1b-48c1-a78b-804c4abdd4af',
'7df0a125-d3be-4c96-aa54-591f83ff541c'
],
includeUserActions: []
},
users: {
includeUsers: [
'a702a13d-a437-4a07-8a7e-8c052de62dfd'
],
excludeUsers: [
'124c5b6a-ffa5-483a-9b88-04c3fce5574a',
'GuestsOrExternalUsers'
],
includeGroups: [],
excludeGroups: [],
includeRoles: [
'9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
'cf1c38e5-3621-4004-a7cb-879624dced7c',
'c4e39bd9-1100-46d3-8c65-fb160da0071f'
],
excludeRoles: [
'b0f54661-2d74-4c50-afa3-1ec803f12efe'
]
},
platforms: {
includePlatforms: [
'all'
],
excludePlatforms: [
'iOS',
'windowsPhone'
]
},
locations: {
includeLocations: [
'AllTrusted'
],
excludeLocations: [
'00000000-0000-0000-0000-000000000000',
'd2136c9c-b049-47ae-b9cf-316e04ef7198'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa',
'compliantDevice',
'domainJoinedDevice',
'approvedApplication',
'compliantApplication'
],
customAuthenticationFactors: [],
termsOfUse: [
'ce580154-086a-40fd-91df-8a60abac81a0',
'7f29d675-caff-43e1-8a53-1b8516ed2075'
]
},
sessionControls: {
applicationEnforcedRestrictions: null,
persistentBrowser: null,
cloudAppSecurity: {
cloudAppSecurityType: 'blockDownloads',
isEnabled: true
},
signInFrequency: {
value: 4,
type: 'hours',
isEnabled: true
}
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Demo app for documentation"];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState disabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *signInRiskLevelsList = [[NSMutableArray alloc] init];
[signInRiskLevelsList addObject: @"high"];
[signInRiskLevelsList addObject: @"medium"];
[conditions setSignInRiskLevels:signInRiskLevelsList];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"mobileAppsAndDesktopClients"];
[clientAppTypesList addObject: @"exchangeActiveSync"];
[clientAppTypesList addObject: @"other"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"All"];
[applications setIncludeApplications:includeApplicationsList];
NSMutableArray *excludeApplicationsList = [[NSMutableArray alloc] init];
[excludeApplicationsList addObject: @"499b84ac-1321-427f-aa17-267ca6975798"];
[excludeApplicationsList addObject: @"00000007-0000-0000-c000-000000000000"];
[excludeApplicationsList addObject: @"de8bc8b5-d9f9-48b1-a8ad-b748da725064"];
[excludeApplicationsList addObject: @"00000012-0000-0000-c000-000000000000"];
[excludeApplicationsList addObject: @"797f4846-ba00-4fd7-ba43-dac1f8f63013"];
[excludeApplicationsList addObject: @"05a65629-4c1b-48c1-a78b-804c4abdd4af"];
[excludeApplicationsList addObject: @"7df0a125-d3be-4c96-aa54-591f83ff541c"];
[applications setExcludeApplications:excludeApplicationsList];
NSMutableArray *includeUserActionsList = [[NSMutableArray alloc] init];
[applications setIncludeUserActions:includeUserActionsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeUsersList = [[NSMutableArray alloc] init];
[includeUsersList addObject: @"a702a13d-a437-4a07-8a7e-8c052de62dfd"];
[users setIncludeUsers:includeUsersList];
NSMutableArray *excludeUsersList = [[NSMutableArray alloc] init];
[excludeUsersList addObject: @"124c5b6a-ffa5-483a-9b88-04c3fce5574a"];
[excludeUsersList addObject: @"GuestsOrExternalUsers"];
[users setExcludeUsers:excludeUsersList];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[users setIncludeGroups:includeGroupsList];
NSMutableArray *excludeGroupsList = [[NSMutableArray alloc] init];
[users setExcludeGroups:excludeGroupsList];
NSMutableArray *includeRolesList = [[NSMutableArray alloc] init];
[includeRolesList addObject: @"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"];
[includeRolesList addObject: @"cf1c38e5-3621-4004-a7cb-879624dced7c"];
[includeRolesList addObject: @"c4e39bd9-1100-46d3-8c65-fb160da0071f"];
[users setIncludeRoles:includeRolesList];
NSMutableArray *excludeRolesList = [[NSMutableArray alloc] init];
[excludeRolesList addObject: @"b0f54661-2d74-4c50-afa3-1ec803f12efe"];
[users setExcludeRoles:excludeRolesList];
[conditions setUsers:users];
MSGraphConditionalAccessPlatforms *platforms = [[MSGraphConditionalAccessPlatforms alloc] init];
NSMutableArray *includePlatformsList = [[NSMutableArray alloc] init];
[includePlatformsList addObject: @"all"];
[platforms setIncludePlatforms:includePlatformsList];
NSMutableArray *excludePlatformsList = [[NSMutableArray alloc] init];
[excludePlatformsList addObject: @"iOS"];
[excludePlatformsList addObject: @"windowsPhone"];
[platforms setExcludePlatforms:excludePlatformsList];
[conditions setPlatforms:platforms];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"AllTrusted"];
[locations setIncludeLocations:includeLocationsList];
NSMutableArray *excludeLocationsList = [[NSMutableArray alloc] init];
[excludeLocationsList addObject: @"00000000-0000-0000-0000-000000000000"];
[excludeLocationsList addObject: @"d2136c9c-b049-47ae-b9cf-316e04ef7198"];
[locations setExcludeLocations:excludeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[builtInControlsList addObject: @"compliantDevice"];
[builtInControlsList addObject: @"domainJoinedDevice"];
[builtInControlsList addObject: @"approvedApplication"];
[builtInControlsList addObject: @"compliantApplication"];
[grantControls setBuiltInControls:builtInControlsList];
NSMutableArray *customAuthenticationFactorsList = [[NSMutableArray alloc] init];
[grantControls setCustomAuthenticationFactors:customAuthenticationFactorsList];
NSMutableArray *termsOfUseList = [[NSMutableArray alloc] init];
[termsOfUseList addObject: @"ce580154-086a-40fd-91df-8a60abac81a0"];
[termsOfUseList addObject: @"7f29d675-caff-43e1-8a53-1b8516ed2075"];
[grantControls setTermsOfUse:termsOfUseList];
[conditionalAccessPolicy setGrantControls:grantControls];
MSGraphConditionalAccessSessionControls *sessionControls = [[MSGraphConditionalAccessSessionControls alloc] init];
[sessionControls setApplicationEnforcedRestrictions: nil];
[sessionControls setPersistentBrowser: nil];
MSGraphCloudAppSecuritySessionControl *cloudAppSecurity = [[MSGraphCloudAppSecuritySessionControl alloc] init];
[cloudAppSecurity setCloudAppSecurityType: [MSGraphCloudAppSecuritySessionControlType blockDownloads]];
[cloudAppSecurity setIsEnabled: true];
[sessionControls setCloudAppSecurity:cloudAppSecurity];
MSGraphSignInFrequencySessionControl *signInFrequency = [[MSGraphSignInFrequencySessionControl alloc] init];
[signInFrequency setValue: 4];
[signInFrequency setType: [MSGraphSigninFrequencyType hours]];
[signInFrequency setIsEnabled: true];
[sessionControls setSignInFrequency:signInFrequency];
[conditionalAccessPolicy setSessionControls:sessionControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Demo app for documentation";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.DISABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<RiskLevel> signInRiskLevelsList = new LinkedList<RiskLevel>();
signInRiskLevelsList.add(RiskLevel.HIGH);
signInRiskLevelsList.add(RiskLevel.MEDIUM);
conditions.signInRiskLevels = signInRiskLevelsList;
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.MOBILE_APPS_AND_DESKTOP_CLIENTS);
clientAppTypesList.add(ConditionalAccessClientApp.EXCHANGE_ACTIVE_SYNC);
clientAppTypesList.add(ConditionalAccessClientApp.OTHER);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("All");
applications.includeApplications = includeApplicationsList;
LinkedList<String> excludeApplicationsList = new LinkedList<String>();
excludeApplicationsList.add("499b84ac-1321-427f-aa17-267ca6975798");
excludeApplicationsList.add("00000007-0000-0000-c000-000000000000");
excludeApplicationsList.add("de8bc8b5-d9f9-48b1-a8ad-b748da725064");
excludeApplicationsList.add("00000012-0000-0000-c000-000000000000");
excludeApplicationsList.add("797f4846-ba00-4fd7-ba43-dac1f8f63013");
excludeApplicationsList.add("05a65629-4c1b-48c1-a78b-804c4abdd4af");
excludeApplicationsList.add("7df0a125-d3be-4c96-aa54-591f83ff541c");
applications.excludeApplications = excludeApplicationsList;
LinkedList<String> includeUserActionsList = new LinkedList<String>();
applications.includeUserActions = includeUserActionsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeUsersList = new LinkedList<String>();
includeUsersList.add("a702a13d-a437-4a07-8a7e-8c052de62dfd");
users.includeUsers = includeUsersList;
LinkedList<String> excludeUsersList = new LinkedList<String>();
excludeUsersList.add("124c5b6a-ffa5-483a-9b88-04c3fce5574a");
excludeUsersList.add("GuestsOrExternalUsers");
users.excludeUsers = excludeUsersList;
LinkedList<String> includeGroupsList = new LinkedList<String>();
users.includeGroups = includeGroupsList;
LinkedList<String> excludeGroupsList = new LinkedList<String>();
users.excludeGroups = excludeGroupsList;
LinkedList<String> includeRolesList = new LinkedList<String>();
includeRolesList.add("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3");
includeRolesList.add("cf1c38e5-3621-4004-a7cb-879624dced7c");
includeRolesList.add("c4e39bd9-1100-46d3-8c65-fb160da0071f");
users.includeRoles = includeRolesList;
LinkedList<String> excludeRolesList = new LinkedList<String>();
excludeRolesList.add("b0f54661-2d74-4c50-afa3-1ec803f12efe");
users.excludeRoles = excludeRolesList;
conditions.users = users;
ConditionalAccessPlatforms platforms = new ConditionalAccessPlatforms();
LinkedList<ConditionalAccessDevicePlatform> includePlatformsList = new LinkedList<ConditionalAccessDevicePlatform>();
includePlatformsList.add(ConditionalAccessDevicePlatform.ALL);
platforms.includePlatforms = includePlatformsList;
LinkedList<ConditionalAccessDevicePlatform> excludePlatformsList = new LinkedList<ConditionalAccessDevicePlatform>();
excludePlatformsList.add(ConditionalAccessDevicePlatform.I_O_S);
excludePlatformsList.add(ConditionalAccessDevicePlatform.WINDOWS_PHONE);
platforms.excludePlatforms = excludePlatformsList;
conditions.platforms = platforms;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("AllTrusted");
locations.includeLocations = includeLocationsList;
LinkedList<String> excludeLocationsList = new LinkedList<String>();
excludeLocationsList.add("00000000-0000-0000-0000-000000000000");
excludeLocationsList.add("d2136c9c-b049-47ae-b9cf-316e04ef7198");
locations.excludeLocations = excludeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
builtInControlsList.add(ConditionalAccessGrantControl.COMPLIANT_DEVICE);
builtInControlsList.add(ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE);
builtInControlsList.add(ConditionalAccessGrantControl.APPROVED_APPLICATION);
builtInControlsList.add(ConditionalAccessGrantControl.COMPLIANT_APPLICATION);
grantControls.builtInControls = builtInControlsList;
LinkedList<String> customAuthenticationFactorsList = new LinkedList<String>();
grantControls.customAuthenticationFactors = customAuthenticationFactorsList;
LinkedList<String> termsOfUseList = new LinkedList<String>();
termsOfUseList.add("ce580154-086a-40fd-91df-8a60abac81a0");
termsOfUseList.add("7f29d675-caff-43e1-8a53-1b8516ed2075");
grantControls.termsOfUse = termsOfUseList;
conditionalAccessPolicy.grantControls = grantControls;
ConditionalAccessSessionControls sessionControls = new ConditionalAccessSessionControls();
sessionControls.applicationEnforcedRestrictions = null;
sessionControls.persistentBrowser = null;
CloudAppSecuritySessionControl cloudAppSecurity = new CloudAppSecuritySessionControl();
cloudAppSecurity.cloudAppSecurityType = CloudAppSecuritySessionControlType.BLOCK_DOWNLOADS;
cloudAppSecurity.isEnabled = true;
sessionControls.cloudAppSecurity = cloudAppSecurity;
SignInFrequencySessionControl signInFrequency = new SignInFrequencySessionControl();
signInFrequency.value = 4;
signInFrequency.type = SigninFrequencyType.HOURS;
signInFrequency.isEnabled = true;
sessionControls.signInFrequency = signInFrequency;
conditionalAccessPolicy.sessionControls = sessionControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Demo app for documentation"
requestBody.SetDisplayName(&displayName)
state := "disabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetSignInRiskLevels( []RiskLevel {
"high",
"medium",
})
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other",
})
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []string {
"All",
})
applications.SetExcludeApplications( []string {
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
})
applications.SetIncludeUserActions( []string {
})
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeUsers( []string {
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
})
users.SetExcludeUsers( []string {
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
})
users.SetIncludeGroups( []string {
})
users.SetExcludeGroups( []string {
})
users.SetIncludeRoles( []string {
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
})
users.SetExcludeRoles( []string {
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
})
platforms := msgraphsdk.NewConditionalAccessPlatforms()
conditions.SetPlatforms(platforms)
platforms.SetIncludePlatforms( []ConditionalAccessDevicePlatform {
"all",
})
platforms.SetExcludePlatforms( []ConditionalAccessDevicePlatform {
"iOS",
"windowsPhone",
})
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []string {
"AllTrusted",
})
locations.SetExcludeLocations( []string {
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
})
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication",
})
grantControls.SetCustomAuthenticationFactors( []string {
})
grantControls.SetTermsOfUse( []string {
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
})
sessionControls := msgraphsdk.NewConditionalAccessSessionControls()
requestBody.SetSessionControls(sessionControls)
sessionControls.SetApplicationEnforcedRestrictions(nil)
sessionControls.SetPersistentBrowser(nil)
cloudAppSecurity := msgraphsdk.NewCloudAppSecuritySessionControl()
sessionControls.SetCloudAppSecurity(cloudAppSecurity)
cloudAppSecurityType := "blockDownloads"
cloudAppSecurity.SetCloudAppSecurityType(&cloudAppSecurityType)
isEnabled := true
cloudAppSecurity.SetIsEnabled(&isEnabled)
signInFrequency := msgraphsdk.NewSignInFrequencySessionControl()
sessionControls.SetSignInFrequency(signInFrequency)
value := int32(4)
signInFrequency.SetValue(&value)
// "type" is a reserved word in Go, so the variable needs a different name
frequencyType := "hours"
signInFrequency.SetType(&frequencyType)
signInFrequencyIsEnabled := true
signInFrequency.SetIsEnabled(&signInFrequencyIsEnabled)
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Demo app for documentation"
State = "disabled"
Conditions = @{
SignInRiskLevels = @(
"high"
"medium"
)
ClientAppTypes = @(
"mobileAppsAndDesktopClients"
"exchangeActiveSync"
"other"
)
Applications = @{
IncludeApplications = @(
"All"
)
ExcludeApplications = @(
"499b84ac-1321-427f-aa17-267ca6975798"
"00000007-0000-0000-c000-000000000000"
"de8bc8b5-d9f9-48b1-a8ad-b748da725064"
"00000012-0000-0000-c000-000000000000"
"797f4846-ba00-4fd7-ba43-dac1f8f63013"
"05a65629-4c1b-48c1-a78b-804c4abdd4af"
"7df0a125-d3be-4c96-aa54-591f83ff541c"
)
IncludeUserActions = @(
)
}
Users = @{
IncludeUsers = @(
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
)
ExcludeUsers = @(
"124c5b6a-ffa5-483a-9b88-04c3fce5574a"
"GuestsOrExternalUsers"
)
IncludeGroups = @(
)
ExcludeGroups = @(
)
IncludeRoles = @(
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
"cf1c38e5-3621-4004-a7cb-879624dced7c"
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
)
ExcludeRoles = @(
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
)
}
Platforms = @{
IncludePlatforms = @(
"all"
)
ExcludePlatforms = @(
"iOS"
"windowsPhone"
)
}
Locations = @{
IncludeLocations = @(
"AllTrusted"
)
ExcludeLocations = @(
"00000000-0000-0000-0000-000000000000"
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"mfa"
"compliantDevice"
"domainJoinedDevice"
"approvedApplication"
"compliantApplication"
)
CustomAuthenticationFactors = @(
)
TermsOfUse = @(
"ce580154-086a-40fd-91df-8a60abac81a0"
"7f29d675-caff-43e1-8a53-1b8516ed2075"
)
}
SessionControls = @{
ApplicationEnforcedRestrictions = $null
PersistentBrowser = $null
CloudAppSecurity = @{
CloudAppSecurityType = "blockDownloads"
IsEnabled = $true
}
SignInFrequency = @{
Value = 4
Type = "hours"
IsEnabled = $true
}
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
"displayName": "Demo app for documentation",
"createdDateTime": "2019-09-26T23:12:16.0792706Z",
"modifiedDateTime": null,
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
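The policy above combines five built-in controls and two terms-of-use agreements with `operator: "OR"`, so satisfying any one of them grants access, and it carves out users, roles, applications, platforms and locations. The following audit of that request body is an added example, not part of the original documentation or the Graph SDK; the function names (`grantAlternatives`, `isMandatory`, `scopeExclusions`, `auditPolicy`) are hypothetical.

```javascript
// Example 3 request body from this page, trimmed to the fields the audit reads.
const demoPolicy = {
  displayName: 'Demo app for documentation',
  state: 'disabled',
  conditions: {
    applications: {
      includeApplications: ['All'],
      excludeApplications: [
        '499b84ac-1321-427f-aa17-267ca6975798', '00000007-0000-0000-c000-000000000000',
        'de8bc8b5-d9f9-48b1-a8ad-b748da725064', '00000012-0000-0000-c000-000000000000',
        '797f4846-ba00-4fd7-ba43-dac1f8f63013', '05a65629-4c1b-48c1-a78b-804c4abdd4af',
        '7df0a125-d3be-4c96-aa54-591f83ff541c'
      ]
    },
    users: {
      includeUsers: ['a702a13d-a437-4a07-8a7e-8c052de62dfd'],
      excludeUsers: ['124c5b6a-ffa5-483a-9b88-04c3fce5574a', 'GuestsOrExternalUsers'],
      excludeGroups: [],
      excludeRoles: ['b0f54661-2d74-4c50-afa3-1ec803f12efe']
    },
    platforms: { includePlatforms: ['all'], excludePlatforms: ['iOS', 'windowsPhone'] },
    locations: {
      includeLocations: ['AllTrusted'],
      excludeLocations: ['00000000-0000-0000-0000-000000000000', 'd2136c9c-b049-47ae-b9cf-316e04ef7198']
    }
  },
  grantControls: {
    operator: 'OR',
    builtInControls: ['mfa', 'compliantDevice', 'domainJoinedDevice', 'approvedApplication', 'compliantApplication'],
    customAuthenticationFactors: [],
    termsOfUse: ['ce580154-086a-40fd-91df-8a60abac81a0', '7f29d675-caff-43e1-8a53-1b8516ed2075']
  }
};

// Every requirement listed in grantControls, across its three lists.
function grantAlternatives(grantControls) {
  const g = grantControls || {};
  return [
    ...(g.builtInControls || []),
    ...(g.customAuthenticationFactors || []).map((id) => `customAuthenticationFactor:${id}`),
    ...(g.termsOfUse || []).map((id) => `termsOfUse:${id}`)
  ];
}

// A requirement is mandatory only if it is listed and either it is the sole
// requirement or the operator is AND. With OR, any other listed item suffices.
function isMandatory(grantControls, requirement) {
  const all = grantAlternatives(grantControls);
  if (!all.includes(requirement)) return false;
  return all.length === 1 || String(grantControls.operator).toUpperCase() === 'AND';
}

// Collect every non-empty exclude* list under conditions; each one removes
// principals, apps, platforms or locations from the policy's scope.
function scopeExclusions(conditions) {
  const found = [];
  for (const [group, value] of Object.entries(conditions || {})) {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) continue;
    for (const [key, list] of Object.entries(value)) {
      if (key.startsWith('exclude') && Array.isArray(list) && list.length > 0) {
        found.push({ path: `conditions.${group}.${key}`, values: list });
      }
    }
  }
  return found;
}

function auditPolicy(policy) {
  const grant = policy.grantControls || {};
  const mfaMandatory = isMandatory(grant, 'mfa');
  return {
    enforced: policy.state === 'enabled', // 'disabled' policies are stored but not applied
    mfaMandatory,
    satisfiableWithoutMfa: mfaMandatory ? [] : grantAlternatives(grant).filter((a) => a !== 'mfa'),
    exclusions: scopeExclusions(policy.conditions)
  };
}

const demoAudit = auditPolicy(demoPolicy);
console.log(JSON.stringify(demoAudit, null, 2));
```
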
Example 4: Require MFA to Exchange Online from non-compliant devices
Request
The following example shows a request to require MFA to Exchange Online from non-compliant devices.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA to EXO from non-compliant devices.",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Require MFA to EXO from non-compliant devices.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"00000002-0000-0ff1-ce00-000000000000"
}
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<String>()
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Mfa
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Require MFA to EXO from non-compliant devices.',
state: 'enabled',
conditions: {
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Require MFA to EXO from non-compliant devices."];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Require MFA to EXO from non-compliant devices.";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Require MFA to EXO from non-compliant devices."
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []string {
"00000002-0000-0ff1-ce00-000000000000",
})
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []string {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
})
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
"mfa",
})
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Require MFA to EXO from non-compliant devices."
State = "enabled"
Conditions = @{
Applications = @{
IncludeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
Users = @{
IncludeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"mfa"
)
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following is an example of the response.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
"displayName": "Require MFA to EXO from non-compliant devices.",
"createdDateTime": "2020-04-01T00:55:12.9571747Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": [],
"includeProtectionLevels": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
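The 201 response above contains properties the request never sent, including `"clientAppTypes": ["all"]`. The following read-back check compares the Example 4 request with its response and separates service-filled values from mismatches; it is an added example, not part of the original documentation or the Graph SDK, and `compareCreated` and the report field names are hypothetical.

```javascript
// Example 4 request body and 201 response body, copied from this page.
const sentPolicy = {
  displayName: 'Require MFA to EXO from non-compliant devices.',
  state: 'enabled',
  conditions: {
    applications: { includeApplications: ['00000002-0000-0ff1-ce00-000000000000'] },
    users: { includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba'] }
  },
  grantControls: { operator: 'OR', builtInControls: ['mfa'] }
};

const createdPolicy = {
  '@odata.context': 'https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity',
  id: 'b3f1298e-8e93-49af-bdbf-94cf7d453ca3',
  displayName: 'Require MFA to EXO from non-compliant devices.',
  createdDateTime: '2020-04-01T00:55:12.9571747Z',
  modifiedDateTime: null,
  state: 'enabled',
  sessionControls: null,
  conditions: {
    userRiskLevels: [],
    signInRiskLevels: [],
    clientAppTypes: ['all'],
    platforms: null,
    locations: null,
    times: null,
    applications: {
      includeApplications: ['00000002-0000-0ff1-ce00-000000000000'],
      excludeApplications: [],
      includeUserActions: [],
      includeProtectionLevels: []
    },
    users: {
      includeUsers: [],
      excludeUsers: [],
      includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba'],
      excludeGroups: [],
      includeRoles: [],
      excludeRoles: []
    }
  },
  grantControls: {
    operator: 'OR',
    builtInControls: ['mfa'],
    customAuthenticationFactors: [],
    termsOfUse: []
  }
};

// Top-level properties the service assigns; they never appear in the request.
const SERVER_ASSIGNED = new Set(['@odata.context', 'id', 'createdDateTime', 'modifiedDateTime']);

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isEmpty = (v) => v === null || (Array.isArray(v) && v.length === 0);
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk the created policy and classify each property relative to the request:
//   mismatches     - sent value differs from (or is missing in) the stored policy
//   filledDefaults - not sent, but the service stored a non-empty value
//   emptyDefaults  - not sent, stored as null or []
// Arrays are compared in order, which is enough for a read-back of the same call.
function compareCreated(sent, created, path = '', report = null) {
  report = report || { mismatches: [], filledDefaults: [], emptyDefaults: [] };
  for (const key of Object.keys(created)) {
    const here = path ? `${path}.${key}` : key;
    if (!path && SERVER_ASSIGNED.has(key)) continue;
    if (!has(sent, key)) {
      (isEmpty(created[key]) ? report.emptyDefaults : report.filledDefaults).push(here);
    } else if (isObject(sent[key]) && isObject(created[key])) {
      compareCreated(sent[key], created[key], here, report);
    } else if (JSON.stringify(sent[key]) !== JSON.stringify(created[key])) {
      report.mismatches.push(here);
    }
  }
  for (const key of Object.keys(sent)) {
    if (!has(created, key)) report.mismatches.push(path ? `${path}.${key}` : key);
  }
  return report;
}

const example4Report = compareCreated(sentPolicy, createdPolicy);
console.log(example4Report);
```

Anything in `filledDefaults` is scope or behaviour the stored policy has that the request did not spell out, so it is worth reviewing before relying on an enabled policy.
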