Create permissionGrantConditionSet in includes collection of permissionGrantPolicy

Namespace: microsoft.graph

Add conditions under which a permission grant event is included in a permission grant policy. You do this by adding a permissionGrantConditionSet to the includes collection of a permissionGrantPolicy.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Policy.ReadWrite.PermissionGrant |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Policy.ReadWrite.PermissionGrant |

HTTP request

POST /policies/permissionGrantPolicies/{id}/includes

Request headers

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. |
| Content-type | application/json. Required. |

Request body

In the request body, supply a JSON representation of a permissionGrantConditionSet object.


If successful, this method returns a 201 Created response code and a permissionGrantConditionSet object in the response body.



In this example, all delegated permissions for client apps from verified publishers are included in the permission grant policy. Because all the other conditions from the permissionGrantConditionSet were omitted, they take their default values, which in each case is the most inclusive value.

Content-Type: application/json

{
  "permissionType": "delegated",
  "clientApplicationsFromVerifiedPublisherOnly": true
}


The following is an example of the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "id": "75ffda85-9314-43bc-bf19-554a7d079e96",
  "permissionClassification": "all",
  "permissionType": "delegated",
  "resourceApplication": "any",
  "permissions": ["all"],
  "clientApplicationIds": ["all"],
  "clientApplicationTenantIds": ["all"],
  "clientApplicationPublisherIds": ["all"],
  "clientApplicationsFromVerifiedPublisherOnly": true
}
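
The default-filling behaviour from the example above, as an added Python example that is not part of the Microsoft Graph documentation: it expands a request body into the condition set that would be stored, lists which conditions remain at their most inclusive value so a reviewer can see how broad the include is, and builds the POST without sending it. The function names, the v1.0 base URL, the `False` default for `clientApplicationsFromVerifiedPublisherOnly`, and treating `permissionType` as mandatory are assumptions; the other defaults are copied from the response shown on this page.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: v1.0 base URL, not shown on the page

# Most-inclusive defaults, copied from the response example on this page.
DEFAULTS = {
    "permissionClassification": "all",
    "resourceApplication": "any",
    "permissions": ["all"],
    "clientApplicationIds": ["all"],
    "clientApplicationTenantIds": ["all"],
    "clientApplicationPublisherIds": ["all"],
    # Assumption: the page never shows this property omitted; False is taken as its default.
    "clientApplicationsFromVerifiedPublisherOnly": False,
}

def effective_condition_set(body):
    """Return the supplied conditions plus the default for every omitted one."""
    unknown = set(body) - set(DEFAULTS) - {"permissionType"}
    if unknown:
        raise ValueError(f"unknown properties: {sorted(unknown)}")
    if not isinstance(body.get("permissionType"), str):
        # Assumption: permissionType has no default and must be supplied.
        raise ValueError("permissionType must be supplied")
    return {**DEFAULTS, **body}

def unrestricted_conditions(body):
    """List the conditions that still sit at their most-inclusive value."""
    eff = effective_condition_set(body)
    return sorted(k for k, v in DEFAULTS.items() if eff[k] == v)

def build_request(policy_id, body, token):
    """Build (but do not send) the POST described on this page."""
    effective_condition_set(body)  # validate before anything leaves the host
    return urllib.request.Request(
        f"{GRAPH}/policies/permissionGrantPolicies/{policy_id}/includes",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

if __name__ == "__main__":
    # The request body from the example on this page.
    body = {"permissionType": "delegated",
            "clientApplicationsFromVerifiedPublisherOnly": True}
    print(json.dumps(effective_condition_set(body), indent=2))
    print("still unrestricted:", unrestricted_conditions(body))
```

For the page's request body, six of the seven defaulted conditions remain unrestricted; only the verified-publisher condition narrows the include.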