Create permissionGrantConditionSet in includes collection of permissionGrantPolicy
Article
01/20/2022
2 minutes to read
6 contributors
In this article
Namespace: microsoft.graph
Add conditions under which a permission grant event is included in a permission grant policy. You do this by adding a permissionGrantConditionSet to the includes collection of a permissionGrantPolicy .
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions .
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Policy.ReadWrite.PermissionGrant
Delegated (personal Microsoft account)
Not supported.
Application
Policy.ReadWrite.PermissionGrant
HTTP request
POST /policies/permissionGrantPolicies/{id}/includes
Name
Description
Authorization
Bearer {token}. Required.
Content-type
application/json. Required.
Request body
In the request body, supply a JSON representation of an permissionGrantConditionSet object.
Response
If successful, this method returns a 201 Created response code and an permissionGrantConditionSet object in the response body.
Examples
Request
In this example, all delegated permissions for client apps from verified publishers are included in the permission grant policy. Because all the other conditions from the permissionGrantConditionSet were omitted, they will take their default values, which in each case is the most-inclusive.
POST https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies/{id}/includes
Content-Type: application/json
{
"permissionType": "delegated",
"clientApplicationsFromVerifiedPublisherOnly": true
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var permissionGrantConditionSet = new PermissionGrantConditionSet
{
PermissionType = PermissionType.Delegated,
ClientApplicationsFromVerifiedPublisherOnly = true
};
await graphClient.Policies.PermissionGrantPolicies["{permissionGrantPolicy-id}"].Includes
.Request()
.AddAsync(permissionGrantConditionSet);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
const options = {
authProvider,
};
const client = Client.init(options);
const permissionGrantConditionSet = {
permissionType: 'delegated',
clientApplicationsFromVerifiedPublisherOnly: true
};
await client.api('/policies/permissionGrantPolicies/{id}/includes')
.post(permissionGrantConditionSet);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/policies/permissionGrantPolicies/{id}/includes"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphPermissionGrantConditionSet *permissionGrantConditionSet = [[MSGraphPermissionGrantConditionSet alloc] init];
[permissionGrantConditionSet setPermissionType: [MSGraphPermissionType delegated]];
[permissionGrantConditionSet setClientApplicationsFromVerifiedPublisherOnly: true];
NSError *error;
NSData *permissionGrantConditionSetData = [permissionGrantConditionSet getSerializedDataWithError:&error];
[urlRequest setHTTPBody:permissionGrantConditionSetData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
PermissionGrantConditionSet permissionGrantConditionSet = new PermissionGrantConditionSet();
permissionGrantConditionSet.permissionType = PermissionType.DELEGATED;
permissionGrantConditionSet.clientApplicationsFromVerifiedPublisherOnly = true;
graphClient.policies().permissionGrantPolicies("{id}").includes()
.buildRequest()
.post(permissionGrantConditionSet);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewPermissionGrantConditionSet()
permissionType := "delegated"
requestBody.SetPermissionType(&permissionType)
clientApplicationsFromVerifiedPublisherOnly := true
requestBody.SetClientApplicationsFromVerifiedPublisherOnly(&clientApplicationsFromVerifiedPublisherOnly)
permissionGrantPolicyId := "permissionGrantPolicy-id"
result, err := graphClient.Policies().PermissionGrantPoliciesById(&permissionGrantPolicyId).Includes().Post(requestBody)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
PermissionType = "delegated"
ClientApplicationsFromVerifiedPublisherOnly = $true
}
New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $permissionGrantPolicyId -BodyParameter $params
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"id": "75ffda85-9314-43bc-bf19-554a7d079e96",
"permissionClassification": "all",
"permissionType": "delegated",
"resourceApplication": "any",
"permissions": ["all"],
"clientApplicationIds": ["all"],
"clientApplicationTenantIds": ["all"],
"clientApplicationPublisherIds": ["all"],
"clientApplicationsFromVerifiedPublisherOnly": true
}