Create conditionalAccessPolicy

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new conditionalAccessPolicy.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type	Permissions (from least to most privileged)
Delegated (work or school account)	Policy.Read.All, Policy.ReadWrite.ConditionalAccess and Application.Read.All
Delegated (personal Microsoft account)	Not supported.
Application	Policy.Read.All, Policy.ReadWrite.ConditionalAccess and Application.Read.All

Note

This API has a known issue related to permissions.

HTTP request

POST /identity/conditionalAccess/policies

Request headers

Name	Description
Authorization	Bearer {token}. Required.
Content-Type	application/json. Required.

Request body

In the request body, supply a JSON representation of a conditionalAccessPolicy object.

A valid policy should contain at least one application rule - for example, 'includeApplications': 'none', one user rule - for example, 'includeUsers': 'none', and at least one grant/session control.

Response

If successful, this method returns a 201 Created response code and a new conditionalAccessPolicy object in the response body.

Examples

Example 1: Require MFA to access Exchange Online outside of trusted locations

Request

The following example shows a common request to require multi-factor authentication for access to Exchange Online from modern authentication clients outside of trusted locations for a particular group.

Note: You must set up your trusted locations before using this operation.

HTTP

POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json

{
    "displayName": "Access to EXO requires MFA",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": [
            "mobileAppsAndDesktopClients",
            "browser"
        ],
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ]
        },
        "users": {
            "includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
        },
        "locations": {
            "includeLocations": [
                "All"
            ],
            "excludeLocations": [
                "AllTrusted"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ]
    }
}

C#

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var conditionalAccessPolicy = new ConditionalAccessPolicy
{
	DisplayName = "Access to EXO requires MFA",
	State = ConditionalAccessPolicyState.Enabled,
	Conditions = new ConditionalAccessConditionSet
	{
		ClientAppTypes = new List<ConditionalAccessClientApp>()
		{
			ConditionalAccessClientApp.MobileAppsAndDesktopClients,
			ConditionalAccessClientApp.Browser
		},
		Applications = new ConditionalAccessApplications
		{
			IncludeApplications = new List<String>()
			{
				"00000002-0000-0ff1-ce00-000000000000"
			}
		},
		Users = new ConditionalAccessUsers
		{
			IncludeGroups = new List<String>()
			{
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			}
		},
		Locations = new ConditionalAccessLocations
		{
			IncludeLocations = new List<String>()
			{
				"All"
			},
			ExcludeLocations = new List<String>()
			{
				"AllTrusted"
			}
		}
	},
	GrantControls = new ConditionalAccessGrantControls
	{
		Operator = "OR",
		BuiltInControls = new List<ConditionalAccessGrantControl>()
		{
			ConditionalAccessGrantControl.Mfa
		}
	}
};

await graphClient.Identity.ConditionalAccess.Policies
	.Request()
	.AddAsync(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const conditionalAccessPolicy = {
    displayName: 'Access to EXO requires MFA',
    state: 'enabled',
    conditions: {
        clientAppTypes: [
            'mobileAppsAndDesktopClients',
            'browser'
        ],
        applications: {
            includeApplications: [
                '00000002-0000-0ff1-ce00-000000000000'
            ]
        },
        users: {
            includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
        },
        locations: {
            includeLocations: [
                'All'
            ],
            excludeLocations: [
                'AllTrusted'
            ]
        }
    },
    grantControls: {
        operator: 'OR',
        builtInControls: [
            'mfa'
        ]
    }
};

await client.api('/identity/conditionalAccess/policies')
	.version('beta')
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Objective-C

MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Access to EXO requires MFA"];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"mobileAppsAndDesktopClients"];
[clientAppTypesList addObject: @"browser"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"All"];
[locations setIncludeLocations:includeLocationsList];
NSMutableArray *excludeLocationsList = [[NSMutableArray alloc] init];
[excludeLocationsList addObject: @"AllTrusted"];
[locations setExcludeLocations:excludeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];

NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest 
	completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {

		//Request Completed

}];

[meDataTask execute];

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Java

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Access to EXO requires MFA";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.MOBILE_APPS_AND_DESKTOP_CLIENTS);
clientAppTypesList.add(ConditionalAccessClientApp.BROWSER);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("All");
locations.includeLocations = includeLocationsList;
LinkedList<String> excludeLocationsList = new LinkedList<String>();
excludeLocationsList.add("AllTrusted");
locations.excludeLocations = excludeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;

graphClient.identity().conditionalAccess().policies()
	.buildRequest()
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Go

//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Access to EXO requires MFA"
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
	"mobileAppsAndDesktopClients",
	"browser",
}
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
	"00000002-0000-0ff1-ce00-000000000000",
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []String {
	"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []String {
	"All",
}
locations.SetExcludeLocations( []String {
	"AllTrusted",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
	"mfa",
}
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

PowerShell

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	DisplayName = "Access to EXO requires MFA"
	State = "enabled"
	Conditions = @{
		ClientAppTypes = @(
			"mobileAppsAndDesktopClients"
			"browser"
		)
		Applications = @{
			IncludeApplications = @(
				"00000002-0000-0ff1-ce00-000000000000"
			)
		}
		Users = @{
			IncludeGroups = @(
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			)
		}
		Locations = @{
			IncludeLocations = @(
				"All"
			)
			ExcludeLocations = @(
				"AllTrusted"
			)
		}
	}
	GrantControls = @{
		Operator = "OR"
		BuiltInControls = @(
			"mfa"
		)
	}
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

The following is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
    "id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
    "displayName": "Access to EXO requires MFA",
    "createdDateTime": "2019-10-14T19:52:00.050958Z",
    "modifiedDateTime": null,
    "state": "enabled",
    "sessionControls": null,
    "conditions": {
        "signInRiskLevels": [],
        "clientAppTypes": [
            "mobileAppsAndDesktopClients",
            "browser"
        ],
        "platforms": null,
        "deviceStates": null,
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ],
            "excludeApplications": [],
            "includeUserActions": []
        },
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGroups": [
                "ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
            ],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": []
        },
        "locations": {
            "includeLocations": [
                "All"
            ],
            "excludeLocations": [
                "AllTrusted"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": []
    }
}

Example 2: Block access to Exchange Online from non-trusted regions

Request

The following example shows a request to block access to Exchange Online from non-trusted/unknown regions. This example assumes that the named location with id = 198ad66e-87b3-4157-85a3-8a7b51794ee9 corresponds to a list of non-trusted/unknown regions.

HTTP

POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json

{
    "displayName": "Block access to EXO non-trusted regions.",
    "state": "enabled",
    "conditions": {
        "clientAppTypes": [
            "all"
        ],
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ]
        },
        "users": {
            "includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
        },
        "locations": {
            "includeLocations": [
                "198ad66e-87b3-4157-85a3-8a7b51794ee9"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "block"
        ]
    }
}

C#

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var conditionalAccessPolicy = new ConditionalAccessPolicy
{
	DisplayName = "Block access to EXO non-trusted regions.",
	State = ConditionalAccessPolicyState.Enabled,
	Conditions = new ConditionalAccessConditionSet
	{
		ClientAppTypes = new List<ConditionalAccessClientApp>()
		{
			ConditionalAccessClientApp.All
		},
		Applications = new ConditionalAccessApplications
		{
			IncludeApplications = new List<String>()
			{
				"00000002-0000-0ff1-ce00-000000000000"
			}
		},
		Users = new ConditionalAccessUsers
		{
			IncludeGroups = new List<String>()
			{
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			}
		},
		Locations = new ConditionalAccessLocations
		{
			IncludeLocations = new List<String>()
			{
				"198ad66e-87b3-4157-85a3-8a7b51794ee9"
			}
		}
	},
	GrantControls = new ConditionalAccessGrantControls
	{
		Operator = "OR",
		BuiltInControls = new List<ConditionalAccessGrantControl>()
		{
			ConditionalAccessGrantControl.Block
		}
	}
};

await graphClient.Identity.ConditionalAccess.Policies
	.Request()
	.AddAsync(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const conditionalAccessPolicy = {
    displayName: 'Block access to EXO non-trusted regions.',
    state: 'enabled',
    conditions: {
        clientAppTypes: [
            'all'
        ],
        applications: {
            includeApplications: [
                '00000002-0000-0ff1-ce00-000000000000'
            ]
        },
        users: {
            includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
        },
        locations: {
            includeLocations: [
                '198ad66e-87b3-4157-85a3-8a7b51794ee9'
            ]
        }
    },
    grantControls: {
        operator: 'OR',
        builtInControls: [
            'block'
        ]
    }
};

await client.api('/identity/conditionalAccess/policies')
	.version('beta')
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Objective-C

MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Block access to EXO non-trusted regions."];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"all"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"198ad66e-87b3-4157-85a3-8a7b51794ee9"];
[locations setIncludeLocations:includeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"block"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];

NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest 
	completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {

		//Request Completed

}];

[meDataTask execute];

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Java

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Block access to EXO non-trusted regions.";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.ALL);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("198ad66e-87b3-4157-85a3-8a7b51794ee9");
locations.includeLocations = includeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.BLOCK);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;

graphClient.identity().conditionalAccess().policies()
	.buildRequest()
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Go

//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Block access to EXO non-trusted regions."
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
	"all",
}
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
	"00000002-0000-0ff1-ce00-000000000000",
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []String {
	"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []String {
	"198ad66e-87b3-4157-85a3-8a7b51794ee9",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
	"block",
}
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

PowerShell

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	DisplayName = "Block access to EXO non-trusted regions."
	State = "enabled"
	Conditions = @{
		ClientAppTypes = @(
			"all"
		)
		Applications = @{
			IncludeApplications = @(
				"00000002-0000-0ff1-ce00-000000000000"
			)
		}
		Users = @{
			IncludeGroups = @(
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			)
		}
		Locations = @{
			IncludeLocations = @(
				"198ad66e-87b3-4157-85a3-8a7b51794ee9"
			)
		}
	}
	GrantControls = @{
		Operator = "OR"
		BuiltInControls = @(
			"block"
		)
	}
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

The following is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://canary.graph.microsoft.com/testprodbetaconditionalAccessBetaDocs/$metadata#conditionalAccess/policies/$entity",
    "id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
    "displayName": "Block access to EXO non-trusted regions.",
    "createdDateTime": "2019-10-14T19:53:11.3705634Z",
    "modifiedDateTime": null,
    "state": "enabled",
    "sessionControls": null,
    "conditions": {
        "signInRiskLevels": [],
        "clientAppTypes": [
            "all"
        ],
        "platforms": null,
        "deviceStates": null,
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ],
            "excludeApplications": [],
            "includeUserActions": []
        },
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGroups": [
                "ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
            ],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": []
        },
        "locations": {
            "includeLocations": [
                "198ad66e-87b3-4157-85a3-8a7b51794ee9"
            ],
            "excludeLocations": []
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "block"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": []
    }
}

Example 3: Use all conditions/controls

Request

The following is an example of the request to use all the conditions/controls.

HTTP

POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json

{
    "displayName": "Demo app for documentation",
    "state": "disabled",
    "conditions": {
        "signInRiskLevels": [
            "high",
            "medium"
        ],
        "clientAppTypes": [
            "mobileAppsAndDesktopClients",
            "exchangeActiveSync",
            "other"
        ],
        "applications": {
            "includeApplications": [
                "All"
            ],
            "excludeApplications": [
                "499b84ac-1321-427f-aa17-267ca6975798",
                "00000007-0000-0000-c000-000000000000",
                "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
                "00000012-0000-0000-c000-000000000000",
                "797f4846-ba00-4fd7-ba43-dac1f8f63013",
                "05a65629-4c1b-48c1-a78b-804c4abdd4af",
                "7df0a125-d3be-4c96-aa54-591f83ff541c"
            ],
            "includeUserActions": []
        },
        "users": {
            "includeUsers": [
                "a702a13d-a437-4a07-8a7e-8c052de62dfd"
            ],
            "excludeUsers": [
                "124c5b6a-ffa5-483a-9b88-04c3fce5574a",
                "GuestsOrExternalUsers"
            ],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [
                "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
                "cf1c38e5-3621-4004-a7cb-879624dced7c",
                "c4e39bd9-1100-46d3-8c65-fb160da0071f"
            ],
            "excludeRoles": [
                "b0f54661-2d74-4c50-afa3-1ec803f12efe"
            ]
        },
        "platforms": {
            "includePlatforms": [
                "all"
            ],
            "excludePlatforms": [
                "iOS",
                "windowsPhone"
            ]
        },
        "locations": {
            "includeLocations": [
                "AllTrusted"
            ],
            "excludeLocations": [
                "00000000-0000-0000-0000-000000000000",
                "d2136c9c-b049-47ae-b9cf-316e04ef7198"
            ]
        },
        "deviceStates": {
            "includeStates": [
                "All"
            ],
            "excludeStates": [
                "Compliant"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa",
            "compliantDevice",
            "domainJoinedDevice",
            "approvedApplication",
            "compliantApplication"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [
            "ce580154-086a-40fd-91df-8a60abac81a0",
            "7f29d675-caff-43e1-8a53-1b8516ed2075"
        ]
    },
    "sessionControls": {
        "applicationEnforcedRestrictions": null,
        "persistentBrowser": null,
        "cloudAppSecurity": {
            "cloudAppSecurityType": "blockDownloads",
            "isEnabled": true
        },
        "signInFrequency": {
            "value": 4,
            "type": "hours",
            "isEnabled": true
        }
    }
}

C#

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var conditionalAccessPolicy = new ConditionalAccessPolicy
{
	DisplayName = "Demo app for documentation",
	State = ConditionalAccessPolicyState.Disabled,
	Conditions = new ConditionalAccessConditionSet
	{
		SignInRiskLevels = new List<RiskLevel>()
		{
			RiskLevel.High,
			RiskLevel.Medium
		},
		ClientAppTypes = new List<ConditionalAccessClientApp>()
		{
			ConditionalAccessClientApp.MobileAppsAndDesktopClients,
			ConditionalAccessClientApp.ExchangeActiveSync,
			ConditionalAccessClientApp.Other
		},
		Applications = new ConditionalAccessApplications
		{
			IncludeApplications = new List<String>()
			{
				"All"
			},
			ExcludeApplications = new List<String>()
			{
				"499b84ac-1321-427f-aa17-267ca6975798",
				"00000007-0000-0000-c000-000000000000",
				"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
				"00000012-0000-0000-c000-000000000000",
				"797f4846-ba00-4fd7-ba43-dac1f8f63013",
				"05a65629-4c1b-48c1-a78b-804c4abdd4af",
				"7df0a125-d3be-4c96-aa54-591f83ff541c"
			},
			IncludeUserActions = new List<String>()
			{
			}
		},
		Users = new ConditionalAccessUsers
		{
			IncludeUsers = new List<String>()
			{
				"a702a13d-a437-4a07-8a7e-8c052de62dfd"
			},
			ExcludeUsers = new List<String>()
			{
				"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
				"GuestsOrExternalUsers"
			},
			IncludeGroups = new List<String>()
			{
			},
			ExcludeGroups = new List<String>()
			{
			},
			IncludeRoles = new List<String>()
			{
				"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
				"cf1c38e5-3621-4004-a7cb-879624dced7c",
				"c4e39bd9-1100-46d3-8c65-fb160da0071f"
			},
			ExcludeRoles = new List<String>()
			{
				"b0f54661-2d74-4c50-afa3-1ec803f12efe"
			}
		},
		Platforms = new ConditionalAccessPlatforms
		{
			IncludePlatforms = new List<ConditionalAccessDevicePlatform>()
			{
				ConditionalAccessDevicePlatform.All
			},
			ExcludePlatforms = new List<ConditionalAccessDevicePlatform>()
			{
				ConditionalAccessDevicePlatform.IOS,
				ConditionalAccessDevicePlatform.WindowsPhone
			}
		},
		Locations = new ConditionalAccessLocations
		{
			IncludeLocations = new List<String>()
			{
				"AllTrusted"
			},
			ExcludeLocations = new List<String>()
			{
				"00000000-0000-0000-0000-000000000000",
				"d2136c9c-b049-47ae-b9cf-316e04ef7198"
			}
		},
		DeviceStates = new ConditionalAccessDeviceStates
		{
			IncludeStates = new List<String>()
			{
				"All"
			},
			ExcludeStates = new List<String>()
			{
				"Compliant"
			}
		}
	},
	GrantControls = new ConditionalAccessGrantControls
	{
		Operator = "OR",
		BuiltInControls = new List<ConditionalAccessGrantControl>()
		{
			ConditionalAccessGrantControl.Mfa,
			ConditionalAccessGrantControl.CompliantDevice,
			ConditionalAccessGrantControl.DomainJoinedDevice,
			ConditionalAccessGrantControl.ApprovedApplication,
			ConditionalAccessGrantControl.CompliantApplication
		},
		CustomAuthenticationFactors = new List<String>()
		{
		},
		TermsOfUse = new List<String>()
		{
			"ce580154-086a-40fd-91df-8a60abac81a0",
			"7f29d675-caff-43e1-8a53-1b8516ed2075"
		}
	},
	SessionControls = new ConditionalAccessSessionControls
	{
		ApplicationEnforcedRestrictions = null,
		PersistentBrowser = null,
		CloudAppSecurity = new CloudAppSecuritySessionControl
		{
			CloudAppSecurityType = CloudAppSecuritySessionControlType.BlockDownloads,
			IsEnabled = true
		},
		SignInFrequency = new SignInFrequencySessionControl
		{
			Value = 4,
			Type = SigninFrequencyType.Hours,
			IsEnabled = true
		}
	}
};

await graphClient.Identity.ConditionalAccess.Policies
	.Request()
	.AddAsync(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const conditionalAccessPolicy = {
    displayName: 'Demo app for documentation',
    state: 'disabled',
    conditions: {
        signInRiskLevels: [
            'high',
            'medium'
        ],
        clientAppTypes: [
            'mobileAppsAndDesktopClients',
            'exchangeActiveSync',
            'other'
        ],
        applications: {
            includeApplications: [
                'All'
            ],
            excludeApplications: [
                '499b84ac-1321-427f-aa17-267ca6975798',
                '00000007-0000-0000-c000-000000000000',
                'de8bc8b5-d9f9-48b1-a8ad-b748da725064',
                '00000012-0000-0000-c000-000000000000',
                '797f4846-ba00-4fd7-ba43-dac1f8f63013',
                '05a65629-4c1b-48c1-a78b-804c4abdd4af',
                '7df0a125-d3be-4c96-aa54-591f83ff541c'
            ],
            includeUserActions: []
        },
        users: {
            includeUsers: [
                'a702a13d-a437-4a07-8a7e-8c052de62dfd'
            ],
            excludeUsers: [
                '124c5b6a-ffa5-483a-9b88-04c3fce5574a',
                'GuestsOrExternalUsers'
            ],
            includeGroups: [],
            excludeGroups: [],
            includeRoles: [
                '9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
                'cf1c38e5-3621-4004-a7cb-879624dced7c',
                'c4e39bd9-1100-46d3-8c65-fb160da0071f'
            ],
            excludeRoles: [
                'b0f54661-2d74-4c50-afa3-1ec803f12efe'
            ]
        },
        platforms: {
            includePlatforms: [
                'all'
            ],
            excludePlatforms: [
                'iOS',
                'windowsPhone'
            ]
        },
        locations: {
            includeLocations: [
                'AllTrusted'
            ],
            excludeLocations: [
                '00000000-0000-0000-0000-000000000000',
                'd2136c9c-b049-47ae-b9cf-316e04ef7198'
            ]
        },
        deviceStates: {
            includeStates: [
                'All'
            ],
            excludeStates: [
                'Compliant'
            ]
        }
    },
    grantControls: {
        operator: 'OR',
        builtInControls: [
            'mfa',
            'compliantDevice',
            'domainJoinedDevice',
            'approvedApplication',
            'compliantApplication'
        ],
        customAuthenticationFactors: [],
        termsOfUse: [
            'ce580154-086a-40fd-91df-8a60abac81a0',
            '7f29d675-caff-43e1-8a53-1b8516ed2075'
        ]
    },
    sessionControls: {
        applicationEnforcedRestrictions: null,
        persistentBrowser: null,
        cloudAppSecurity: {
            cloudAppSecurityType: 'blockDownloads',
            isEnabled: true
        },
        signInFrequency: {
            value: 4,
            type: 'hours',
            isEnabled: true
        }
    }
};

await client.api('/identity/conditionalAccess/policies')
	.version('beta')
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Objective-C

MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Demo app for documentation"];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState disabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *signInRiskLevelsList = [[NSMutableArray alloc] init];
[signInRiskLevelsList addObject: @"high"];
[signInRiskLevelsList addObject: @"medium"];
[conditions setSignInRiskLevels:signInRiskLevelsList];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"mobileAppsAndDesktopClients"];
[clientAppTypesList addObject: @"exchangeActiveSync"];
[clientAppTypesList addObject: @"other"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"All"];
[applications setIncludeApplications:includeApplicationsList];
NSMutableArray *excludeApplicationsList = [[NSMutableArray alloc] init];
[excludeApplicationsList addObject: @"499b84ac-1321-427f-aa17-267ca6975798"];
[excludeApplicationsList addObject: @"00000007-0000-0000-c000-000000000000"];
[excludeApplicationsList addObject: @"de8bc8b5-d9f9-48b1-a8ad-b748da725064"];
[excludeApplicationsList addObject: @"00000012-0000-0000-c000-000000000000"];
[excludeApplicationsList addObject: @"797f4846-ba00-4fd7-ba43-dac1f8f63013"];
[excludeApplicationsList addObject: @"05a65629-4c1b-48c1-a78b-804c4abdd4af"];
[excludeApplicationsList addObject: @"7df0a125-d3be-4c96-aa54-591f83ff541c"];
[applications setExcludeApplications:excludeApplicationsList];
NSMutableArray *includeUserActionsList = [[NSMutableArray alloc] init];
[applications setIncludeUserActions:includeUserActionsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeUsersList = [[NSMutableArray alloc] init];
[includeUsersList addObject: @"a702a13d-a437-4a07-8a7e-8c052de62dfd"];
[users setIncludeUsers:includeUsersList];
NSMutableArray *excludeUsersList = [[NSMutableArray alloc] init];
[excludeUsersList addObject: @"124c5b6a-ffa5-483a-9b88-04c3fce5574a"];
[excludeUsersList addObject: @"GuestsOrExternalUsers"];
[users setExcludeUsers:excludeUsersList];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[users setIncludeGroups:includeGroupsList];
NSMutableArray *excludeGroupsList = [[NSMutableArray alloc] init];
[users setExcludeGroups:excludeGroupsList];
NSMutableArray *includeRolesList = [[NSMutableArray alloc] init];
[includeRolesList addObject: @"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"];
[includeRolesList addObject: @"cf1c38e5-3621-4004-a7cb-879624dced7c"];
[includeRolesList addObject: @"c4e39bd9-1100-46d3-8c65-fb160da0071f"];
[users setIncludeRoles:includeRolesList];
NSMutableArray *excludeRolesList = [[NSMutableArray alloc] init];
[excludeRolesList addObject: @"b0f54661-2d74-4c50-afa3-1ec803f12efe"];
[users setExcludeRoles:excludeRolesList];
[conditions setUsers:users];
MSGraphConditionalAccessPlatforms *platforms = [[MSGraphConditionalAccessPlatforms alloc] init];
NSMutableArray *includePlatformsList = [[NSMutableArray alloc] init];
[includePlatformsList addObject: @"all"];
[platforms setIncludePlatforms:includePlatformsList];
NSMutableArray *excludePlatformsList = [[NSMutableArray alloc] init];
[excludePlatformsList addObject: @"iOS"];
[excludePlatformsList addObject: @"windowsPhone"];
[platforms setExcludePlatforms:excludePlatformsList];
[conditions setPlatforms:platforms];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"AllTrusted"];
[locations setIncludeLocations:includeLocationsList];
NSMutableArray *excludeLocationsList = [[NSMutableArray alloc] init];
[excludeLocationsList addObject: @"00000000-0000-0000-0000-000000000000"];
[excludeLocationsList addObject: @"d2136c9c-b049-47ae-b9cf-316e04ef7198"];
[locations setExcludeLocations:excludeLocationsList];
[conditions setLocations:locations];
MSGraphConditionalAccessDeviceStates *deviceStates = [[MSGraphConditionalAccessDeviceStates alloc] init];
NSMutableArray *includeStatesList = [[NSMutableArray alloc] init];
[includeStatesList addObject: @"All"];
[deviceStates setIncludeStates:includeStatesList];
NSMutableArray *excludeStatesList = [[NSMutableArray alloc] init];
[excludeStatesList addObject: @"Compliant"];
[deviceStates setExcludeStates:excludeStatesList];
[conditions setDeviceStates:deviceStates];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[builtInControlsList addObject: @"compliantDevice"];
[builtInControlsList addObject: @"domainJoinedDevice"];
[builtInControlsList addObject: @"approvedApplication"];
[builtInControlsList addObject: @"compliantApplication"];
[grantControls setBuiltInControls:builtInControlsList];
NSMutableArray *customAuthenticationFactorsList = [[NSMutableArray alloc] init];
[grantControls setCustomAuthenticationFactors:customAuthenticationFactorsList];
NSMutableArray *termsOfUseList = [[NSMutableArray alloc] init];
[termsOfUseList addObject: @"ce580154-086a-40fd-91df-8a60abac81a0"];
[termsOfUseList addObject: @"7f29d675-caff-43e1-8a53-1b8516ed2075"];
[grantControls setTermsOfUse:termsOfUseList];
[conditionalAccessPolicy setGrantControls:grantControls];
MSGraphConditionalAccessSessionControls *sessionControls = [[MSGraphConditionalAccessSessionControls alloc] init];
[sessionControls setApplicationEnforcedRestrictions: null];
[sessionControls setPersistentBrowser: null];
MSGraphCloudAppSecuritySessionControl *cloudAppSecurity = [[MSGraphCloudAppSecuritySessionControl alloc] init];
[cloudAppSecurity setCloudAppSecurityType: [MSGraphCloudAppSecuritySessionControlType blockDownloads]];
[cloudAppSecurity setIsEnabled: true];
[sessionControls setCloudAppSecurity:cloudAppSecurity];
MSGraphSignInFrequencySessionControl *signInFrequency = [[MSGraphSignInFrequencySessionControl alloc] init];
[signInFrequency setValue: 4];
[signInFrequency setType: [MSGraphSigninFrequencyType hours]];
[signInFrequency setIsEnabled: true];
[sessionControls setSignInFrequency:signInFrequency];
[conditionalAccessPolicy setSessionControls:sessionControls];

NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest 
	completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {

		//Request Completed

}];

[meDataTask execute];

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Java

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Demo app for documentation";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.DISABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<RiskLevel> signInRiskLevelsList = new LinkedList<RiskLevel>();
signInRiskLevelsList.add(RiskLevel.HIGH);
signInRiskLevelsList.add(RiskLevel.MEDIUM);
conditions.signInRiskLevels = signInRiskLevelsList;
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.MOBILE_APPS_AND_DESKTOP_CLIENTS);
clientAppTypesList.add(ConditionalAccessClientApp.EXCHANGE_ACTIVE_SYNC);
clientAppTypesList.add(ConditionalAccessClientApp.OTHER);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("All");
applications.includeApplications = includeApplicationsList;
LinkedList<String> excludeApplicationsList = new LinkedList<String>();
excludeApplicationsList.add("499b84ac-1321-427f-aa17-267ca6975798");
excludeApplicationsList.add("00000007-0000-0000-c000-000000000000");
excludeApplicationsList.add("de8bc8b5-d9f9-48b1-a8ad-b748da725064");
excludeApplicationsList.add("00000012-0000-0000-c000-000000000000");
excludeApplicationsList.add("797f4846-ba00-4fd7-ba43-dac1f8f63013");
excludeApplicationsList.add("05a65629-4c1b-48c1-a78b-804c4abdd4af");
excludeApplicationsList.add("7df0a125-d3be-4c96-aa54-591f83ff541c");
applications.excludeApplications = excludeApplicationsList;
LinkedList<String> includeUserActionsList = new LinkedList<String>();
applications.includeUserActions = includeUserActionsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeUsersList = new LinkedList<String>();
includeUsersList.add("a702a13d-a437-4a07-8a7e-8c052de62dfd");
users.includeUsers = includeUsersList;
LinkedList<String> excludeUsersList = new LinkedList<String>();
excludeUsersList.add("124c5b6a-ffa5-483a-9b88-04c3fce5574a");
excludeUsersList.add("GuestsOrExternalUsers");
users.excludeUsers = excludeUsersList;
LinkedList<String> includeGroupsList = new LinkedList<String>();
users.includeGroups = includeGroupsList;
LinkedList<String> excludeGroupsList = new LinkedList<String>();
users.excludeGroups = excludeGroupsList;
LinkedList<String> includeRolesList = new LinkedList<String>();
includeRolesList.add("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3");
includeRolesList.add("cf1c38e5-3621-4004-a7cb-879624dced7c");
includeRolesList.add("c4e39bd9-1100-46d3-8c65-fb160da0071f");
users.includeRoles = includeRolesList;
LinkedList<String> excludeRolesList = new LinkedList<String>();
excludeRolesList.add("b0f54661-2d74-4c50-afa3-1ec803f12efe");
users.excludeRoles = excludeRolesList;
conditions.users = users;
ConditionalAccessPlatforms platforms = new ConditionalAccessPlatforms();
LinkedList<ConditionalAccessDevicePlatform> includePlatformsList = new LinkedList<ConditionalAccessDevicePlatform>();
includePlatformsList.add(ConditionalAccessDevicePlatform.ALL);
platforms.includePlatforms = includePlatformsList;
LinkedList<ConditionalAccessDevicePlatform> excludePlatformsList = new LinkedList<ConditionalAccessDevicePlatform>();
excludePlatformsList.add(ConditionalAccessDevicePlatform.I_O_S);
excludePlatformsList.add(ConditionalAccessDevicePlatform.WINDOWS_PHONE);
platforms.excludePlatforms = excludePlatformsList;
conditions.platforms = platforms;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("AllTrusted");
locations.includeLocations = includeLocationsList;
LinkedList<String> excludeLocationsList = new LinkedList<String>();
excludeLocationsList.add("00000000-0000-0000-0000-000000000000");
excludeLocationsList.add("d2136c9c-b049-47ae-b9cf-316e04ef7198");
locations.excludeLocations = excludeLocationsList;
conditions.locations = locations;
ConditionalAccessDeviceStates deviceStates = new ConditionalAccessDeviceStates();
LinkedList<String> includeStatesList = new LinkedList<String>();
includeStatesList.add("All");
deviceStates.includeStates = includeStatesList;
LinkedList<String> excludeStatesList = new LinkedList<String>();
excludeStatesList.add("Compliant");
deviceStates.excludeStates = excludeStatesList;
conditions.deviceStates = deviceStates;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
builtInControlsList.add(ConditionalAccessGrantControl.COMPLIANT_DEVICE);
builtInControlsList.add(ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE);
builtInControlsList.add(ConditionalAccessGrantControl.APPROVED_APPLICATION);
builtInControlsList.add(ConditionalAccessGrantControl.COMPLIANT_APPLICATION);
grantControls.builtInControls = builtInControlsList;
LinkedList<String> customAuthenticationFactorsList = new LinkedList<String>();
grantControls.customAuthenticationFactors = customAuthenticationFactorsList;
LinkedList<String> termsOfUseList = new LinkedList<String>();
termsOfUseList.add("ce580154-086a-40fd-91df-8a60abac81a0");
termsOfUseList.add("7f29d675-caff-43e1-8a53-1b8516ed2075");
grantControls.termsOfUse = termsOfUseList;
conditionalAccessPolicy.grantControls = grantControls;
ConditionalAccessSessionControls sessionControls = new ConditionalAccessSessionControls();
sessionControls.applicationEnforcedRestrictions = null;
sessionControls.persistentBrowser = null;
CloudAppSecuritySessionControl cloudAppSecurity = new CloudAppSecuritySessionControl();
cloudAppSecurity.cloudAppSecurityType = CloudAppSecuritySessionControlType.BLOCK_DOWNLOADS;
cloudAppSecurity.isEnabled = true;
sessionControls.cloudAppSecurity = cloudAppSecurity;
SignInFrequencySessionControl signInFrequency = new SignInFrequencySessionControl();
signInFrequency.value = 4;
signInFrequency.type = SigninFrequencyType.HOURS;
signInFrequency.isEnabled = true;
sessionControls.signInFrequency = signInFrequency;
conditionalAccessPolicy.sessionControls = sessionControls;

graphClient.identity().conditionalAccess().policies()
	.buildRequest()
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Go

//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Demo app for documentation"
requestBody.SetDisplayName(&displayName)
state := "disabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetSignInRiskLevels( []RiskLevel {
	"high",
	"medium",
}
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
	"mobileAppsAndDesktopClients",
	"exchangeActiveSync",
	"other",
}
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
	"All",
}
applications.SetExcludeApplications( []String {
	"499b84ac-1321-427f-aa17-267ca6975798",
	"00000007-0000-0000-c000-000000000000",
	"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
	"00000012-0000-0000-c000-000000000000",
	"797f4846-ba00-4fd7-ba43-dac1f8f63013",
	"05a65629-4c1b-48c1-a78b-804c4abdd4af",
	"7df0a125-d3be-4c96-aa54-591f83ff541c",
}
applications.SetIncludeUserActions( []string {
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeUsers( []String {
	"a702a13d-a437-4a07-8a7e-8c052de62dfd",
}
users.SetExcludeUsers( []String {
	"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
	"GuestsOrExternalUsers",
}
users.SetIncludeGroups( []string {
}
users.SetExcludeGroups( []string {
}
users.SetIncludeRoles( []String {
	"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
	"cf1c38e5-3621-4004-a7cb-879624dced7c",
	"c4e39bd9-1100-46d3-8c65-fb160da0071f",
}
users.SetExcludeRoles( []String {
	"b0f54661-2d74-4c50-afa3-1ec803f12efe",
}
platforms := msgraphsdk.NewConditionalAccessPlatforms()
conditions.SetPlatforms(platforms)
platforms.SetIncludePlatforms( []ConditionalAccessDevicePlatform {
	"all",
}
platforms.SetExcludePlatforms( []ConditionalAccessDevicePlatform {
	"iOS",
	"windowsPhone",
}
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []String {
	"AllTrusted",
}
locations.SetExcludeLocations( []String {
	"00000000-0000-0000-0000-000000000000",
	"d2136c9c-b049-47ae-b9cf-316e04ef7198",
}
deviceStates := msgraphsdk.NewConditionalAccessDeviceStates()
conditions.SetDeviceStates(deviceStates)
deviceStates.SetIncludeStates( []String {
	"All",
}
deviceStates.SetExcludeStates( []String {
	"Compliant",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
	"mfa",
	"compliantDevice",
	"domainJoinedDevice",
	"approvedApplication",
	"compliantApplication",
}
grantControls.SetCustomAuthenticationFactors( []string {
}
grantControls.SetTermsOfUse( []String {
	"ce580154-086a-40fd-91df-8a60abac81a0",
	"7f29d675-caff-43e1-8a53-1b8516ed2075",
}
sessionControls := msgraphsdk.NewConditionalAccessSessionControls()
requestBody.SetSessionControls(sessionControls)
sessionControls.SetApplicationEnforcedRestrictions(nil)
sessionControls.SetPersistentBrowser(nil)
cloudAppSecurity := msgraphsdk.NewCloudAppSecuritySessionControl()
sessionControls.SetCloudAppSecurity(cloudAppSecurity)
cloudAppSecurityType := "blockDownloads"
cloudAppSecurity.SetCloudAppSecurityType(&cloudAppSecurityType)
isEnabled := true
cloudAppSecurity.SetIsEnabled(&isEnabled)
signInFrequency := msgraphsdk.NewSignInFrequencySessionControl()
sessionControls.SetSignInFrequency(signInFrequency)
value := int32(4)
signInFrequency.SetValue(&value)
type := "hours"
signInFrequency.SetType(&type)
isEnabled := true
signInFrequency.SetIsEnabled(&isEnabled)
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

PowerShell

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	DisplayName = "Demo app for documentation"
	State = "disabled"
	Conditions = @{
		SignInRiskLevels = @(
			"high"
			"medium"
		)
		ClientAppTypes = @(
			"mobileAppsAndDesktopClients"
			"exchangeActiveSync"
			"other"
		)
		Applications = @{
			IncludeApplications = @(
				"All"
			)
			ExcludeApplications = @(
				"499b84ac-1321-427f-aa17-267ca6975798"
				"00000007-0000-0000-c000-000000000000"
				"de8bc8b5-d9f9-48b1-a8ad-b748da725064"
				"00000012-0000-0000-c000-000000000000"
				"797f4846-ba00-4fd7-ba43-dac1f8f63013"
				"05a65629-4c1b-48c1-a78b-804c4abdd4af"
				"7df0a125-d3be-4c96-aa54-591f83ff541c"
			)
			IncludeUserActions = @(
			)
		}
		Users = @{
			IncludeUsers = @(
				"a702a13d-a437-4a07-8a7e-8c052de62dfd"
			)
			ExcludeUsers = @(
				"124c5b6a-ffa5-483a-9b88-04c3fce5574a"
				"GuestsOrExternalUsers"
			)
			IncludeGroups = @(
			)
			ExcludeGroups = @(
			)
			IncludeRoles = @(
				"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
				"cf1c38e5-3621-4004-a7cb-879624dced7c"
				"c4e39bd9-1100-46d3-8c65-fb160da0071f"
			)
			ExcludeRoles = @(
				"b0f54661-2d74-4c50-afa3-1ec803f12efe"
			)
		}
		Platforms = @{
			IncludePlatforms = @(
				"all"
			)
			ExcludePlatforms = @(
				"iOS"
				"windowsPhone"
			)
		}
		Locations = @{
			IncludeLocations = @(
				"AllTrusted"
			)
			ExcludeLocations = @(
				"00000000-0000-0000-0000-000000000000"
				"d2136c9c-b049-47ae-b9cf-316e04ef7198"
			)
		}
		DeviceStates = @{
			IncludeStates = @(
				"All"
			)
			ExcludeStates = @(
				"Compliant"
			)
		}
	}
	GrantControls = @{
		Operator = "OR"
		BuiltInControls = @(
			"mfa"
			"compliantDevice"
			"domainJoinedDevice"
			"approvedApplication"
			"compliantApplication"
		)
		CustomAuthenticationFactors = @(
		)
		TermsOfUse = @(
			"ce580154-086a-40fd-91df-8a60abac81a0"
			"7f29d675-caff-43e1-8a53-1b8516ed2075"
		)
	}
	SessionControls = @{
		ApplicationEnforcedRestrictions = $null
		PersistentBrowser = $null
		CloudAppSecurity = @{
			CloudAppSecurityType = "blockDownloads"
			IsEnabled = $true
		}
		SignInFrequency = @{
			Value = 4
			Type = "hours"
			IsEnabled = $true
		}
	}
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

The following is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
    "id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
    "displayName": "Demo app for documentation",
    "createdDateTime": "2019-09-26T23:12:16.0792706Z",
    "modifiedDateTime": null,
    "state": "disabled",
    "conditions": {
        "signInRiskLevels": [
            "high",
            "medium"
        ],
        "clientAppTypes": [
            "mobileAppsAndDesktopClients",
            "exchangeActiveSync",
            "other"
        ],
        "applications": {
            "includeApplications": [
                "All"
            ],
            "excludeApplications": [
                "499b84ac-1321-427f-aa17-267ca6975798",
                "00000007-0000-0000-c000-000000000000",
                "de8bc8b5-d9f9-48b1-a8ad-b748da725064",
                "00000012-0000-0000-c000-000000000000",
                "797f4846-ba00-4fd7-ba43-dac1f8f63013",
                "05a65629-4c1b-48c1-a78b-804c4abdd4af",
                "7df0a125-d3be-4c96-aa54-591f83ff541c"
            ],
            "includeUserActions": []
        },
        "users": {
            "includeUsers": [
                "a702a13d-a437-4a07-8a7e-8c052de62dfd"
            ],
            "excludeUsers": [
                "124c5b6a-ffa5-483a-9b88-04c3fce5574a",
                "GuestsOrExternalUsers"
            ],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [
                "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
                "cf1c38e5-3621-4004-a7cb-879624dced7c",
                "c4e39bd9-1100-46d3-8c65-fb160da0071f"
            ],
            "excludeRoles": [
                "b0f54661-2d74-4c50-afa3-1ec803f12efe"
            ]
        },
        "platforms": {
            "includePlatforms": [
                "all"
            ],
            "excludePlatforms": [
                "iOS",
                "windowsPhone"
            ]
        },
        "locations": {
            "includeLocations": [
                "AllTrusted"
            ],
            "excludeLocations": [
                "00000000-0000-0000-0000-000000000000",
                "d2136c9c-b049-47ae-b9cf-316e04ef7198"
            ]
        },
        "deviceStates": {
            "includeStates": [
                "All"
            ],
            "excludeStates": [
                "Compliant"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa",
            "compliantDevice",
            "domainJoinedDevice",
            "approvedApplication",
            "compliantApplication"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [
            "ce580154-086a-40fd-91df-8a60abac81a0",
            "7f29d675-caff-43e1-8a53-1b8516ed2075"
        ]
    },
    "sessionControls": {
        "applicationEnforcedRestrictions": null,
        "persistentBrowser": null,
        "cloudAppSecurity": {
            "cloudAppSecurityType": "blockDownloads",
            "isEnabled": true
        },
        "signInFrequency": {
            "value": 4,
            "type": "hours",
            "isEnabled": true
        }
    }
}

Example 4: Require MFA to Exchange Online from non-complaint devices

Note: We are deprecating the deviceStates condition, and it may be removed in the future. Going forward, use devices condition.

Request

The following example shows a request to require MFA to Exchange Online from non-complaint devices.

HTTP

POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json

{
    "displayName": "Require MFA to EXO from non-complaint devices.",
    "state": "enabled",
    "conditions": {
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ]
        },
        "users": {
            "includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
        },
        "devices": {
            "includeDevices": [
                "All"
            ],
            "excludeDevices": [
                "Compliant"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ]
    }
}

C#

GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var conditionalAccessPolicy = new ConditionalAccessPolicy
{
	DisplayName = "Require MFA to EXO from non-complaint devices.",
	State = ConditionalAccessPolicyState.Enabled,
	Conditions = new ConditionalAccessConditionSet
	{
		Applications = new ConditionalAccessApplications
		{
			IncludeApplications = new List<String>()
			{
				"00000002-0000-0ff1-ce00-000000000000"
			}
		},
		Users = new ConditionalAccessUsers
		{
			IncludeGroups = new List<String>()
			{
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			}
		},
		Devices = new ConditionalAccessDevices
		{
			IncludeDevices = new List<String>()
			{
				"All"
			},
			ExcludeDevices = new List<String>()
			{
				"Compliant"
			}
		}
	},
	GrantControls = new ConditionalAccessGrantControls
	{
		Operator = "OR",
		BuiltInControls = new List<ConditionalAccessGrantControl>()
		{
			ConditionalAccessGrantControl.Mfa
		}
	}
};

await graphClient.Identity.ConditionalAccess.Policies
	.Request()
	.AddAsync(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const conditionalAccessPolicy = {
    displayName: 'Require MFA to EXO from non-complaint devices.',
    state: 'enabled',
    conditions: {
        applications: {
            includeApplications: [
                '00000002-0000-0ff1-ce00-000000000000'
            ]
        },
        users: {
            includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
        },
        devices: {
            includeDevices: [
                'All'
            ],
            excludeDevices: [
                'Compliant'
            ]
        }
    },
    grantControls: {
        operator: 'OR',
        builtInControls: [
            'mfa'
        ]
    }
};

await client.api('/identity/conditionalAccess/policies')
	.version('beta')
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Objective-C

MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Require MFA to EXO from non-complaint devices."];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessDevices *devices = [[MSGraphConditionalAccessDevices alloc] init];
NSMutableArray *includeDevicesList = [[NSMutableArray alloc] init];
[includeDevicesList addObject: @"All"];
[devices setIncludeDevices:includeDevicesList];
NSMutableArray *excludeDevicesList = [[NSMutableArray alloc] init];
[excludeDevicesList addObject: @"Compliant"];
[devices setExcludeDevices:excludeDevicesList];
[conditions setDevices:devices];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];

NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest 
	completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {

		//Request Completed

}];

[meDataTask execute];

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Java

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Require MFA to EXO from non-complaint devices.";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessDevices devices = new ConditionalAccessDevices();
LinkedList<String> includeDevicesList = new LinkedList<String>();
includeDevicesList.add("All");
devices.includeDevices = includeDevicesList;
LinkedList<String> excludeDevicesList = new LinkedList<String>();
excludeDevicesList.add("Compliant");
devices.excludeDevices = excludeDevicesList;
conditions.devices = devices;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;

graphClient.identity().conditionalAccess().policies()
	.buildRequest()
	.post(conditionalAccessPolicy);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Go

//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)

requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Require MFA to EXO from non-complaint devices."
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
	"00000002-0000-0ff1-ce00-000000000000",
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []String {
	"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
devices := msgraphsdk.NewConditionalAccessDevices()
conditions.SetDevices(devices)
devices.SetIncludeDevices( []String {
	"All",
}
devices.SetExcludeDevices( []String {
	"Compliant",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
	"mfa",
}
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

PowerShell

Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	DisplayName = "Require MFA to EXO from non-complaint devices."
	State = "enabled"
	Conditions = @{
		Applications = @{
			IncludeApplications = @(
				"00000002-0000-0ff1-ce00-000000000000"
			)
		}
		Users = @{
			IncludeGroups = @(
				"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
			)
		}
		Devices = @{
			IncludeDevices = @(
				"All"
			)
			ExcludeDevices = @(
				"Compliant"
			)
		}
	}
	GrantControls = @{
		Operator = "OR"
		BuiltInControls = @(
			"mfa"
		)
	}
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $params

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

The following is an example of the response.

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
     "id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
    "displayName": "Require MFA to EXO from non-complaint devices.",
    "createdDateTime": "2020-04-01T00:55:12.9571747Z",
    "modifiedDateTime": null,
    "state": "enabled",
    "sessionControls": null,
    "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
            "all"
        ],
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "applications": {
            "includeApplications": [
                "00000002-0000-0ff1-ce00-000000000000"
            ],
            "excludeApplications": [],
            "includeUserActions": [],
            "includeProtectionLevels": []
        },
        "users": {
            "includeUsers": [],
            "excludeUsers": [],
            "includeGroups": [
                "ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
            ],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": []
        },
        "devices": {
            "includeDevices": [
                "All"
            ],
            "excludeDevices": [
                "Compliant"
            ]
        }
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "mfa"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": []
    }
}