Create permissionGrantConditionSet in excludes collection of permissionGrantPolicy
01/20/2022
Namespace: microsoft.graph
Add conditions under which a permission grant event is excluded in a permission grant policy. You do this by adding a permissionGrantConditionSet to the excludes collection of a permissionGrantPolicy.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Policy.ReadWrite.PermissionGrant |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Policy.ReadWrite.PermissionGrant |
HTTP request
POST /policies/permissionGrantPolicies/{id}/excludes
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. |
| Content-type | application/json. Required. |
Request body
In the request body, supply a JSON representation of a permissionGrantConditionSet object.
Response
If successful, this method returns a 201 Created response code and a permissionGrantConditionSet object in the response body.
Examples
Request
In this example, all delegated permissions for Microsoft Graph (appId 00000003-0000-0000-c000-000000000000) are excluded from the permission grant policy.
POST https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies/my-custom-consent-policy/excludes
Content-Type: application/json

{
  "permissionType": "delegated",
  "resourceApplication": "00000003-0000-0000-c000-000000000000"
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );

var permissionGrantConditionSet = new PermissionGrantConditionSet
{
    PermissionType = PermissionType.Delegated,
    ResourceApplication = "00000003-0000-0000-c000-000000000000"
};

await graphClient.Policies.PermissionGrantPolicies["{permissionGrantPolicy-id}"].Excludes
    .Request()
    .AddAsync(permissionGrantConditionSet);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
const options = {
    authProvider,
};

const client = Client.init(options);

const permissionGrantConditionSet = {
    permissionType: 'delegated',
    resourceApplication: '00000003-0000-0000-c000-000000000000'
};

await client.api('/policies/permissionGrantPolicies/my-custom-consent-policy/excludes')
    .post(permissionGrantConditionSet);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];

// No trailing slash on the base URL: the appended path already starts with "/".
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/policies/permissionGrantPolicies/my-custom-consent-policy/excludes"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];

MSGraphPermissionGrantConditionSet *permissionGrantConditionSet = [[MSGraphPermissionGrantConditionSet alloc] init];
[permissionGrantConditionSet setPermissionType: [MSGraphPermissionType delegated]];
[permissionGrantConditionSet setResourceApplication:@"00000003-0000-0000-c000-000000000000"];

NSError *error;
NSData *permissionGrantConditionSetData = [permissionGrantConditionSet getSerializedDataWithError:&error];
[urlRequest setHTTPBody:permissionGrantConditionSetData];

MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        // Request completed
}];

[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

PermissionGrantConditionSet permissionGrantConditionSet = new PermissionGrantConditionSet();
permissionGrantConditionSet.permissionType = PermissionType.DELEGATED;
permissionGrantConditionSet.resourceApplication = "00000003-0000-0000-c000-000000000000";

graphClient.policies().permissionGrantPolicies("my-custom-consent-policy").excludes()
    .buildRequest()
    .post(permissionGrantConditionSet);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewPermissionGrantConditionSet()
permissionType := "delegated"
requestBody.SetPermissionType(&permissionType)
resourceApplication := "00000003-0000-0000-c000-000000000000"
requestBody.SetResourceApplication(&resourceApplication)
permissionGrantPolicyId := "permissionGrantPolicy-id"
result, err := graphClient.Policies().PermissionGrantPoliciesById(&permissionGrantPolicyId).Excludes().Post(requestBody)
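Import-Module Microsoft.Graph.Identity.SignIns

# ID of the permission grant policy to modify (the policy used in the HTTP example above).
$permissionGrantPolicyId = "my-custom-consent-policy"

$params = @{
    PermissionType = "delegated"
    ResourceApplication = "00000003-0000-0000-c000-000000000000"
}

New-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $permissionGrantPolicyId -BodyParameter $params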
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "9a532f49-e646-405d-8c7c-d4c8e8a4d294",
  "permissionClassification": "all",
  "permissionType": "delegated",
  "resourceApplication": "00000003-0000-0000-c000-000000000000",
  "permissions": ["all"],
  "clientApplicationIds": ["all"],
  "clientApplicationTenantIds": ["all"],
  "clientApplicationPublisherIds": ["all"],
  "clientApplicationsFromVerifiedPublisherOnly": false
}
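
Added example, not part of the original article or of any Microsoft SDK: a simplified local model of what the condition set in the response above covers, useful for checking the reach of an exclude before creating it. It assumes an event is excluded when it satisfies every condition of at least one set in excludes; the event field names and sample identifiers are hypothetical.

```python
# Simplified local model of exclude matching; event field names are hypothetical.
# Condition set as returned in the response above (defaults filled in by the service).
EXCLUDE_SET = {
    "permissionClassification": "all",
    "permissionType": "delegated",
    "resourceApplication": "00000003-0000-0000-c000-000000000000",
    "permissions": ["all"],
    "clientApplicationIds": ["all"],
    "clientApplicationTenantIds": ["all"],
    "clientApplicationPublisherIds": ["all"],
    "clientApplicationsFromVerifiedPublisherOnly": False,
}

def _in_list(allowed, value):
    """A list condition passes when it is ["all"] or contains the value."""
    return allowed == ["all"] or value in allowed

def matches(cond, event):
    """Return True only if the event satisfies every condition in the set."""
    return (
        cond["permissionType"] == event["permissionType"]
        and cond["resourceApplication"] in ("any", event["resourceAppId"])
        and cond["permissionClassification"] in ("all", event["classification"])
        and _in_list(cond["permissions"], event["permissionId"])
        and _in_list(cond["clientApplicationIds"], event["clientAppId"])
        and _in_list(cond["clientApplicationTenantIds"], event["clientTenantId"])
        and _in_list(cond["clientApplicationPublisherIds"], event["publisherId"])
        and (not cond["clientApplicationsFromVerifiedPublisherOnly"]
             or event["publisherVerified"])
    )

def is_excluded(excludes, event):
    """An event is excluded when it matches at least one set in excludes."""
    return any(matches(c, event) for c in excludes)

# Constructed sample events (all identifiers are made up for illustration).
GRAPH_DELEGATED = {
    "permissionType": "delegated",
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "classification": "low", "permissionId": "perm-1",
    "clientAppId": "client-1", "clientTenantId": "tenant-1",
    "publisherId": "pub-1", "publisherVerified": False,
}
GRAPH_APP_ROLE = dict(GRAPH_DELEGATED, permissionType="application")
OTHER_API = dict(GRAPH_DELEGATED, resourceAppId="11111111-1111-1111-1111-111111111111")
```

With only permissionType and resourceApplication supplied, every other condition defaults to "all", so the exclude covers any delegated Microsoft Graph permission requested by any client application.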