Criar conditionalAccessPolicy
Artigo
07/18/2022
22 minutos para o fim da leitura
3 colaboradores
Neste artigo
Namespace: microsoft.graph
Crie um novo conditionalAccessPolicy .
Permissões
Uma das seguintes permissões é obrigatória para chamar esta API. Para saber mais, incluindo como escolher permissões, confira Permissões .
Tipo de permissão
Permissões (da com menos para a com mais privilégios)
Delegado (conta corporativa ou de estudante)
Policy.Read.All, Policy.ReadWrite.ConditionalAccess e Application.Read.All
Delegado (conta pessoal da Microsoft)
Sem suporte.
Application
Policy.Read.All, Policy.ReadWrite.ConditionalAccess e Application.Read.All
Solicitação HTTP
POST /identity/conditionalAccess/policies
Nome
Descrição
Autorização
{token} de portador. Obrigatório.
Content-Type
application/json. Obrigatório.
Corpo da solicitação
No corpo da solicitação, fornece uma representação JSON de um objeto conditionalAccessPolicy.
Uma política válida deve conter pelo menos uma das seguintes:
Resposta
Se tiver êxito, este método retornará um código de resposta e um novo 201 Created objeto conditionalAccessPolicy no corpo da resposta.
Exemplos
Exemplo 1: Exigir que o MFA acesse Exchange Online fora de locais confiáveis
Solicitação
O exemplo a seguir mostra uma solicitação comum para exigir autenticação multifafação para acesso Exchange Online de clientes de autenticação moderna fora de locais confiáveis para um determinado grupo.
Observação: Você deve configurar seus locais confiáveis antes de usar essa operação.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Access to EXO requires MFA",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Access to EXO requires MFA",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp>()
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.Browser
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"00000002-0000-0ff1-ce00-000000000000"
}
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<String>()
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
}
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<String>()
{
"All"
},
ExcludeLocations = new List<String>()
{
"AllTrusted"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Mfa
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Access to EXO requires MFA',
state: 'enabled',
conditions: {
clientAppTypes: [
'mobileAppsAndDesktopClients',
'browser'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'All'
],
excludeLocations: [
'AllTrusted'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Access to EXO requires MFA"];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"mobileAppsAndDesktopClients"];
[clientAppTypesList addObject: @"browser"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"All"];
[locations setIncludeLocations:includeLocationsList];
NSMutableArray *excludeLocationsList = [[NSMutableArray alloc] init];
[excludeLocationsList addObject: @"AllTrusted"];
[locations setExcludeLocations:excludeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Access to EXO requires MFA";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.MOBILE_APPS_AND_DESKTOP_CLIENTS);
clientAppTypesList.add(ConditionalAccessClientApp.BROWSER);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("All");
locations.includeLocations = includeLocationsList;
LinkedList<String> excludeLocationsList = new LinkedList<String>();
excludeLocationsList.add("AllTrusted");
locations.excludeLocations = excludeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Access to EXO requires MFA"
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
"mobileAppsAndDesktopClients",
"browser",
}
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
"00000002-0000-0ff1-ce00-000000000000",
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []String {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []String {
"All",
}
locations.SetExcludeLocations( []String {
"AllTrusted",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
"mfa",
}
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Access to EXO requires MFA"
State = "enabled"
Conditions = @{
ClientAppTypes = @(
"mobileAppsAndDesktopClients"
"browser"
)
Applications = @{
IncludeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
Users = @{
IncludeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
Locations = @{
IncludeLocations = @(
"All"
)
ExcludeLocations = @(
"AllTrusted"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"mfa"
)
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Resposta
Este é um exemplo de resposta.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
"displayName": "Access to EXO requires MFA",
"createdDateTime": "2019-10-14T19:52:00.050958Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"platforms": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Exemplo 2: Bloquear o acesso a Exchange Online de regiões não confiáveis
Solicitação
O exemplo a seguir mostra uma solicitação para bloquear o acesso Exchange Online de regiões não confiáveis/desconhecidas.
Este exemplo supõe que o local nomeado com id = 198ad66e-87b3-4157-85a3-8a7b51794ee9 corresponde a uma lista de regiões não confiáveis/desconhecidas.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to EXO non-trusted regions.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Block access to EXO non-trusted regions.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
ClientAppTypes = new List<ConditionalAccessClientApp>()
{
ConditionalAccessClientApp.All
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"00000002-0000-0ff1-ce00-000000000000"
}
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<String>()
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
}
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<String>()
{
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Block
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Block access to EXO non-trusted regions.',
state: 'enabled',
conditions: {
clientAppTypes: [
'all'
],
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
},
locations: {
includeLocations: [
'198ad66e-87b3-4157-85a3-8a7b51794ee9'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'block'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Block access to EXO non-trusted regions."];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"all"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"198ad66e-87b3-4157-85a3-8a7b51794ee9"];
[locations setIncludeLocations:includeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"block"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Block access to EXO non-trusted regions.";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.ALL);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("198ad66e-87b3-4157-85a3-8a7b51794ee9");
locations.includeLocations = includeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.BLOCK);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Block access to EXO non-trusted regions."
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
"all",
}
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
"00000002-0000-0ff1-ce00-000000000000",
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []String {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []String {
"198ad66e-87b3-4157-85a3-8a7b51794ee9",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
"block",
}
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Block access to EXO non-trusted regions."
State = "enabled"
Conditions = @{
ClientAppTypes = @(
"all"
)
Applications = @{
IncludeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
Users = @{
IncludeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
Locations = @{
IncludeLocations = @(
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"block"
)
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Resposta
Este é um exemplo de resposta.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
"displayName": "Block access to EXO non-trusted regions.",
"createdDateTime": "2019-10-14T19:53:11.3705634Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
],
"excludeLocations": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
Exemplo 3: Usar todas as condições e controles
Solicitação
A seguir, um exemplo da solicitação para usar todas as condições e controles.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Demo app for documentation",
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Demo app for documentation",
State = ConditionalAccessPolicyState.Disabled,
Conditions = new ConditionalAccessConditionSet
{
SignInRiskLevels = new List<RiskLevel>()
{
RiskLevel.High,
RiskLevel.Medium
},
ClientAppTypes = new List<ConditionalAccessClientApp>()
{
ConditionalAccessClientApp.MobileAppsAndDesktopClients,
ConditionalAccessClientApp.ExchangeActiveSync,
ConditionalAccessClientApp.Other
},
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"All"
},
ExcludeApplications = new List<String>()
{
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
},
IncludeUserActions = new List<String>()
{
}
},
Users = new ConditionalAccessUsers
{
IncludeUsers = new List<String>()
{
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
},
ExcludeUsers = new List<String>()
{
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
},
IncludeGroups = new List<String>()
{
},
ExcludeGroups = new List<String>()
{
},
IncludeRoles = new List<String>()
{
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
},
ExcludeRoles = new List<String>()
{
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
}
},
Platforms = new ConditionalAccessPlatforms
{
IncludePlatforms = new List<ConditionalAccessDevicePlatform>()
{
ConditionalAccessDevicePlatform.All
},
ExcludePlatforms = new List<ConditionalAccessDevicePlatform>()
{
ConditionalAccessDevicePlatform.IOS,
ConditionalAccessDevicePlatform.WindowsPhone
}
},
Locations = new ConditionalAccessLocations
{
IncludeLocations = new List<String>()
{
"AllTrusted"
},
ExcludeLocations = new List<String>()
{
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Mfa,
ConditionalAccessGrantControl.CompliantDevice,
ConditionalAccessGrantControl.DomainJoinedDevice,
ConditionalAccessGrantControl.ApprovedApplication,
ConditionalAccessGrantControl.CompliantApplication
},
CustomAuthenticationFactors = new List<String>()
{
},
TermsOfUse = new List<String>()
{
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
}
},
SessionControls = new ConditionalAccessSessionControls
{
ApplicationEnforcedRestrictions = null,
PersistentBrowser = null,
CloudAppSecurity = new CloudAppSecuritySessionControl
{
CloudAppSecurityType = CloudAppSecuritySessionControlType.BlockDownloads,
IsEnabled = true
},
SignInFrequency = new SignInFrequencySessionControl
{
Value = 4,
Type = SigninFrequencyType.Hours,
IsEnabled = true
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Demo app for documentation',
state: 'disabled',
conditions: {
signInRiskLevels: [
'high',
'medium'
],
clientAppTypes: [
'mobileAppsAndDesktopClients',
'exchangeActiveSync',
'other'
],
applications: {
includeApplications: [
'All'
],
excludeApplications: [
'499b84ac-1321-427f-aa17-267ca6975798',
'00000007-0000-0000-c000-000000000000',
'de8bc8b5-d9f9-48b1-a8ad-b748da725064',
'00000012-0000-0000-c000-000000000000',
'797f4846-ba00-4fd7-ba43-dac1f8f63013',
'05a65629-4c1b-48c1-a78b-804c4abdd4af',
'7df0a125-d3be-4c96-aa54-591f83ff541c'
],
includeUserActions: []
},
users: {
includeUsers: [
'a702a13d-a437-4a07-8a7e-8c052de62dfd'
],
excludeUsers: [
'124c5b6a-ffa5-483a-9b88-04c3fce5574a',
'GuestsOrExternalUsers'
],
includeGroups: [],
excludeGroups: [],
includeRoles: [
'9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3',
'cf1c38e5-3621-4004-a7cb-879624dced7c',
'c4e39bd9-1100-46d3-8c65-fb160da0071f'
],
excludeRoles: [
'b0f54661-2d74-4c50-afa3-1ec803f12efe'
]
},
platforms: {
includePlatforms: [
'all'
],
excludePlatforms: [
'iOS',
'windowsPhone'
]
},
locations: {
includeLocations: [
'AllTrusted'
],
excludeLocations: [
'00000000-0000-0000-0000-000000000000',
'd2136c9c-b049-47ae-b9cf-316e04ef7198'
]
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa',
'compliantDevice',
'domainJoinedDevice',
'approvedApplication',
'compliantApplication'
],
customAuthenticationFactors: [],
termsOfUse: [
'ce580154-086a-40fd-91df-8a60abac81a0',
'7f29d675-caff-43e1-8a53-1b8516ed2075'
]
},
sessionControls: {
applicationEnforcedRestrictions: null,
persistentBrowser: null,
cloudAppSecurity: {
cloudAppSecurityType: 'blockDownloads',
isEnabled: true
},
signInFrequency: {
value: 4,
type: 'hours',
isEnabled: true
}
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Demo app for documentation"];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState disabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
NSMutableArray *signInRiskLevelsList = [[NSMutableArray alloc] init];
[signInRiskLevelsList addObject: @"high"];
[signInRiskLevelsList addObject: @"medium"];
[conditions setSignInRiskLevels:signInRiskLevelsList];
NSMutableArray *clientAppTypesList = [[NSMutableArray alloc] init];
[clientAppTypesList addObject: @"mobileAppsAndDesktopClients"];
[clientAppTypesList addObject: @"exchangeActiveSync"];
[clientAppTypesList addObject: @"other"];
[conditions setClientAppTypes:clientAppTypesList];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"All"];
[applications setIncludeApplications:includeApplicationsList];
NSMutableArray *excludeApplicationsList = [[NSMutableArray alloc] init];
[excludeApplicationsList addObject: @"499b84ac-1321-427f-aa17-267ca6975798"];
[excludeApplicationsList addObject: @"00000007-0000-0000-c000-000000000000"];
[excludeApplicationsList addObject: @"de8bc8b5-d9f9-48b1-a8ad-b748da725064"];
[excludeApplicationsList addObject: @"00000012-0000-0000-c000-000000000000"];
[excludeApplicationsList addObject: @"797f4846-ba00-4fd7-ba43-dac1f8f63013"];
[excludeApplicationsList addObject: @"05a65629-4c1b-48c1-a78b-804c4abdd4af"];
[excludeApplicationsList addObject: @"7df0a125-d3be-4c96-aa54-591f83ff541c"];
[applications setExcludeApplications:excludeApplicationsList];
NSMutableArray *includeUserActionsList = [[NSMutableArray alloc] init];
[applications setIncludeUserActions:includeUserActionsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeUsersList = [[NSMutableArray alloc] init];
[includeUsersList addObject: @"a702a13d-a437-4a07-8a7e-8c052de62dfd"];
[users setIncludeUsers:includeUsersList];
NSMutableArray *excludeUsersList = [[NSMutableArray alloc] init];
[excludeUsersList addObject: @"124c5b6a-ffa5-483a-9b88-04c3fce5574a"];
[excludeUsersList addObject: @"GuestsOrExternalUsers"];
[users setExcludeUsers:excludeUsersList];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[users setIncludeGroups:includeGroupsList];
NSMutableArray *excludeGroupsList = [[NSMutableArray alloc] init];
[users setExcludeGroups:excludeGroupsList];
NSMutableArray *includeRolesList = [[NSMutableArray alloc] init];
[includeRolesList addObject: @"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"];
[includeRolesList addObject: @"cf1c38e5-3621-4004-a7cb-879624dced7c"];
[includeRolesList addObject: @"c4e39bd9-1100-46d3-8c65-fb160da0071f"];
[users setIncludeRoles:includeRolesList];
NSMutableArray *excludeRolesList = [[NSMutableArray alloc] init];
[excludeRolesList addObject: @"b0f54661-2d74-4c50-afa3-1ec803f12efe"];
[users setExcludeRoles:excludeRolesList];
[conditions setUsers:users];
MSGraphConditionalAccessPlatforms *platforms = [[MSGraphConditionalAccessPlatforms alloc] init];
NSMutableArray *includePlatformsList = [[NSMutableArray alloc] init];
[includePlatformsList addObject: @"all"];
[platforms setIncludePlatforms:includePlatformsList];
NSMutableArray *excludePlatformsList = [[NSMutableArray alloc] init];
[excludePlatformsList addObject: @"iOS"];
[excludePlatformsList addObject: @"windowsPhone"];
[platforms setExcludePlatforms:excludePlatformsList];
[conditions setPlatforms:platforms];
MSGraphConditionalAccessLocations *locations = [[MSGraphConditionalAccessLocations alloc] init];
NSMutableArray *includeLocationsList = [[NSMutableArray alloc] init];
[includeLocationsList addObject: @"AllTrusted"];
[locations setIncludeLocations:includeLocationsList];
NSMutableArray *excludeLocationsList = [[NSMutableArray alloc] init];
[excludeLocationsList addObject: @"00000000-0000-0000-0000-000000000000"];
[excludeLocationsList addObject: @"d2136c9c-b049-47ae-b9cf-316e04ef7198"];
[locations setExcludeLocations:excludeLocationsList];
[conditions setLocations:locations];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[builtInControlsList addObject: @"compliantDevice"];
[builtInControlsList addObject: @"domainJoinedDevice"];
[builtInControlsList addObject: @"approvedApplication"];
[builtInControlsList addObject: @"compliantApplication"];
[grantControls setBuiltInControls:builtInControlsList];
NSMutableArray *customAuthenticationFactorsList = [[NSMutableArray alloc] init];
[grantControls setCustomAuthenticationFactors:customAuthenticationFactorsList];
NSMutableArray *termsOfUseList = [[NSMutableArray alloc] init];
[termsOfUseList addObject: @"ce580154-086a-40fd-91df-8a60abac81a0"];
[termsOfUseList addObject: @"7f29d675-caff-43e1-8a53-1b8516ed2075"];
[grantControls setTermsOfUse:termsOfUseList];
[conditionalAccessPolicy setGrantControls:grantControls];
MSGraphConditionalAccessSessionControls *sessionControls = [[MSGraphConditionalAccessSessionControls alloc] init];
[sessionControls setApplicationEnforcedRestrictions: null];
[sessionControls setPersistentBrowser: null];
MSGraphCloudAppSecuritySessionControl *cloudAppSecurity = [[MSGraphCloudAppSecuritySessionControl alloc] init];
[cloudAppSecurity setCloudAppSecurityType: [MSGraphCloudAppSecuritySessionControlType blockDownloads]];
[cloudAppSecurity setIsEnabled: true];
[sessionControls setCloudAppSecurity:cloudAppSecurity];
MSGraphSignInFrequencySessionControl *signInFrequency = [[MSGraphSignInFrequencySessionControl alloc] init];
[signInFrequency setValue: 4];
[signInFrequency setType: [MSGraphSigninFrequencyType hours]];
[signInFrequency setIsEnabled: true];
[sessionControls setSignInFrequency:signInFrequency];
[conditionalAccessPolicy setSessionControls:sessionControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Demo app for documentation";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.DISABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
LinkedList<RiskLevel> signInRiskLevelsList = new LinkedList<RiskLevel>();
signInRiskLevelsList.add(RiskLevel.HIGH);
signInRiskLevelsList.add(RiskLevel.MEDIUM);
conditions.signInRiskLevels = signInRiskLevelsList;
LinkedList<ConditionalAccessClientApp> clientAppTypesList = new LinkedList<ConditionalAccessClientApp>();
clientAppTypesList.add(ConditionalAccessClientApp.MOBILE_APPS_AND_DESKTOP_CLIENTS);
clientAppTypesList.add(ConditionalAccessClientApp.EXCHANGE_ACTIVE_SYNC);
clientAppTypesList.add(ConditionalAccessClientApp.OTHER);
conditions.clientAppTypes = clientAppTypesList;
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("All");
applications.includeApplications = includeApplicationsList;
LinkedList<String> excludeApplicationsList = new LinkedList<String>();
excludeApplicationsList.add("499b84ac-1321-427f-aa17-267ca6975798");
excludeApplicationsList.add("00000007-0000-0000-c000-000000000000");
excludeApplicationsList.add("de8bc8b5-d9f9-48b1-a8ad-b748da725064");
excludeApplicationsList.add("00000012-0000-0000-c000-000000000000");
excludeApplicationsList.add("797f4846-ba00-4fd7-ba43-dac1f8f63013");
excludeApplicationsList.add("05a65629-4c1b-48c1-a78b-804c4abdd4af");
excludeApplicationsList.add("7df0a125-d3be-4c96-aa54-591f83ff541c");
applications.excludeApplications = excludeApplicationsList;
LinkedList<String> includeUserActionsList = new LinkedList<String>();
applications.includeUserActions = includeUserActionsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeUsersList = new LinkedList<String>();
includeUsersList.add("a702a13d-a437-4a07-8a7e-8c052de62dfd");
users.includeUsers = includeUsersList;
LinkedList<String> excludeUsersList = new LinkedList<String>();
excludeUsersList.add("124c5b6a-ffa5-483a-9b88-04c3fce5574a");
excludeUsersList.add("GuestsOrExternalUsers");
users.excludeUsers = excludeUsersList;
LinkedList<String> includeGroupsList = new LinkedList<String>();
users.includeGroups = includeGroupsList;
LinkedList<String> excludeGroupsList = new LinkedList<String>();
users.excludeGroups = excludeGroupsList;
LinkedList<String> includeRolesList = new LinkedList<String>();
includeRolesList.add("9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3");
includeRolesList.add("cf1c38e5-3621-4004-a7cb-879624dced7c");
includeRolesList.add("c4e39bd9-1100-46d3-8c65-fb160da0071f");
users.includeRoles = includeRolesList;
LinkedList<String> excludeRolesList = new LinkedList<String>();
excludeRolesList.add("b0f54661-2d74-4c50-afa3-1ec803f12efe");
users.excludeRoles = excludeRolesList;
conditions.users = users;
ConditionalAccessPlatforms platforms = new ConditionalAccessPlatforms();
LinkedList<ConditionalAccessDevicePlatform> includePlatformsList = new LinkedList<ConditionalAccessDevicePlatform>();
includePlatformsList.add(ConditionalAccessDevicePlatform.ALL);
platforms.includePlatforms = includePlatformsList;
LinkedList<ConditionalAccessDevicePlatform> excludePlatformsList = new LinkedList<ConditionalAccessDevicePlatform>();
excludePlatformsList.add(ConditionalAccessDevicePlatform.I_O_S);
excludePlatformsList.add(ConditionalAccessDevicePlatform.WINDOWS_PHONE);
platforms.excludePlatforms = excludePlatformsList;
conditions.platforms = platforms;
ConditionalAccessLocations locations = new ConditionalAccessLocations();
LinkedList<String> includeLocationsList = new LinkedList<String>();
includeLocationsList.add("AllTrusted");
locations.includeLocations = includeLocationsList;
LinkedList<String> excludeLocationsList = new LinkedList<String>();
excludeLocationsList.add("00000000-0000-0000-0000-000000000000");
excludeLocationsList.add("d2136c9c-b049-47ae-b9cf-316e04ef7198");
locations.excludeLocations = excludeLocationsList;
conditions.locations = locations;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
builtInControlsList.add(ConditionalAccessGrantControl.COMPLIANT_DEVICE);
builtInControlsList.add(ConditionalAccessGrantControl.DOMAIN_JOINED_DEVICE);
builtInControlsList.add(ConditionalAccessGrantControl.APPROVED_APPLICATION);
builtInControlsList.add(ConditionalAccessGrantControl.COMPLIANT_APPLICATION);
grantControls.builtInControls = builtInControlsList;
LinkedList<String> customAuthenticationFactorsList = new LinkedList<String>();
grantControls.customAuthenticationFactors = customAuthenticationFactorsList;
LinkedList<String> termsOfUseList = new LinkedList<String>();
termsOfUseList.add("ce580154-086a-40fd-91df-8a60abac81a0");
termsOfUseList.add("7f29d675-caff-43e1-8a53-1b8516ed2075");
grantControls.termsOfUse = termsOfUseList;
conditionalAccessPolicy.grantControls = grantControls;
ConditionalAccessSessionControls sessionControls = new ConditionalAccessSessionControls();
sessionControls.applicationEnforcedRestrictions = null;
sessionControls.persistentBrowser = null;
CloudAppSecuritySessionControl cloudAppSecurity = new CloudAppSecuritySessionControl();
cloudAppSecurity.cloudAppSecurityType = CloudAppSecuritySessionControlType.BLOCK_DOWNLOADS;
cloudAppSecurity.isEnabled = true;
sessionControls.cloudAppSecurity = cloudAppSecurity;
SignInFrequencySessionControl signInFrequency = new SignInFrequencySessionControl();
signInFrequency.value = 4;
signInFrequency.type = SigninFrequencyType.HOURS;
signInFrequency.isEnabled = true;
sessionControls.signInFrequency = signInFrequency;
conditionalAccessPolicy.sessionControls = sessionControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Demo app for documentation"
requestBody.SetDisplayName(&displayName)
state := "disabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
conditions.SetSignInRiskLevels( []RiskLevel {
"high",
"medium",
}
conditions.SetClientAppTypes( []ConditionalAccessClientApp {
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other",
}
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
"All",
}
applications.SetExcludeApplications( []String {
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c",
}
applications.SetIncludeUserActions( []string {
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeUsers( []String {
"a702a13d-a437-4a07-8a7e-8c052de62dfd",
}
users.SetExcludeUsers( []String {
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers",
}
users.SetIncludeGroups( []string {
}
users.SetExcludeGroups( []string {
}
users.SetIncludeRoles( []String {
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
}
users.SetExcludeRoles( []String {
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
}
platforms := msgraphsdk.NewConditionalAccessPlatforms()
conditions.SetPlatforms(platforms)
platforms.SetIncludePlatforms( []ConditionalAccessDevicePlatform {
"all",
}
platforms.SetExcludePlatforms( []ConditionalAccessDevicePlatform {
"iOS",
"windowsPhone",
}
locations := msgraphsdk.NewConditionalAccessLocations()
conditions.SetLocations(locations)
locations.SetIncludeLocations( []String {
"AllTrusted",
}
locations.SetExcludeLocations( []String {
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication",
}
grantControls.SetCustomAuthenticationFactors( []string {
}
grantControls.SetTermsOfUse( []String {
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075",
}
sessionControls := msgraphsdk.NewConditionalAccessSessionControls()
requestBody.SetSessionControls(sessionControls)
sessionControls.SetApplicationEnforcedRestrictions(nil)
sessionControls.SetPersistentBrowser(nil)
cloudAppSecurity := msgraphsdk.NewCloudAppSecuritySessionControl()
sessionControls.SetCloudAppSecurity(cloudAppSecurity)
cloudAppSecurityType := "blockDownloads"
cloudAppSecurity.SetCloudAppSecurityType(&cloudAppSecurityType)
isEnabled := true
cloudAppSecurity.SetIsEnabled(&isEnabled)
signInFrequency := msgraphsdk.NewSignInFrequencySessionControl()
sessionControls.SetSignInFrequency(signInFrequency)
value := int32(4)
signInFrequency.SetValue(&value)
type := "hours"
signInFrequency.SetType(&type)
isEnabled := true
signInFrequency.SetIsEnabled(&isEnabled)
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Demo app for documentation"
State = "disabled"
Conditions = @{
SignInRiskLevels = @(
"high"
"medium"
)
ClientAppTypes = @(
"mobileAppsAndDesktopClients"
"exchangeActiveSync"
"other"
)
Applications = @{
IncludeApplications = @(
"All"
)
ExcludeApplications = @(
"499b84ac-1321-427f-aa17-267ca6975798"
"00000007-0000-0000-c000-000000000000"
"de8bc8b5-d9f9-48b1-a8ad-b748da725064"
"00000012-0000-0000-c000-000000000000"
"797f4846-ba00-4fd7-ba43-dac1f8f63013"
"05a65629-4c1b-48c1-a78b-804c4abdd4af"
"7df0a125-d3be-4c96-aa54-591f83ff541c"
)
IncludeUserActions = @(
)
}
Users = @{
IncludeUsers = @(
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
)
ExcludeUsers = @(
"124c5b6a-ffa5-483a-9b88-04c3fce5574a"
"GuestsOrExternalUsers"
)
IncludeGroups = @(
)
ExcludeGroups = @(
)
IncludeRoles = @(
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
"cf1c38e5-3621-4004-a7cb-879624dced7c"
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
)
ExcludeRoles = @(
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
)
}
Platforms = @{
IncludePlatforms = @(
"all"
)
ExcludePlatforms = @(
"iOS"
"windowsPhone"
)
}
Locations = @{
IncludeLocations = @(
"AllTrusted"
)
ExcludeLocations = @(
"00000000-0000-0000-0000-000000000000"
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"mfa"
"compliantDevice"
"domainJoinedDevice"
"approvedApplication"
"compliantApplication"
)
CustomAuthenticationFactors = @(
)
TermsOfUse = @(
"ce580154-086a-40fd-91df-8a60abac81a0"
"7f29d675-caff-43e1-8a53-1b8516ed2075"
)
}
SessionControls = @{
ApplicationEnforcedRestrictions = $null
PersistentBrowser = $null
CloudAppSecurity = @{
CloudAppSecurityType = "blockDownloads"
IsEnabled = $true
}
SignInFrequency = @{
Value = 4
Type = "hours"
IsEnabled = $true
}
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Resposta
Este é um exemplo de resposta.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
"displayName": "Demo app for documentation",
"createdDateTime": "2019-09-26T23:12:16.0792706Z",
"modifiedDateTime": null,
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
Exemplo 4: Exigir que o MFA Exchange Online de dispositivos não compatíveis
Solicitação
O exemplo a seguir mostra uma solicitação para exigir que o MFA Exchange Online de dispositivos não compatíveis.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA to EXO from non-compliant devices.",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var conditionalAccessPolicy = new ConditionalAccessPolicy
{
DisplayName = "Require MFA to EXO from non-compliant devices.",
State = ConditionalAccessPolicyState.Enabled,
Conditions = new ConditionalAccessConditionSet
{
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<String>()
{
"00000002-0000-0ff1-ce00-000000000000"
}
},
Users = new ConditionalAccessUsers
{
IncludeGroups = new List<String>()
{
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
}
}
},
GrantControls = new ConditionalAccessGrantControls
{
Operator = "OR",
BuiltInControls = new List<ConditionalAccessGrantControl>()
{
ConditionalAccessGrantControl.Mfa
}
}
};
await graphClient.Identity.ConditionalAccess.Policies
.Request()
.AddAsync(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
displayName: 'Require MFA to EXO from non-compliant devices.',
state: 'enabled',
conditions: {
applications: {
includeApplications: [
'00000002-0000-0ff1-ce00-000000000000'
]
},
users: {
includeGroups: ['ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba']
}
},
grantControls: {
operator: 'OR',
builtInControls: [
'mfa'
]
}
};
await client.api('/identity/conditionalAccess/policies')
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/v1.0/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/identity/conditionalAccess/policies"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphConditionalAccessPolicy *conditionalAccessPolicy = [[MSGraphConditionalAccessPolicy alloc] init];
[conditionalAccessPolicy setDisplayName:@"Require MFA to EXO from non-compliant devices."];
[conditionalAccessPolicy setState: [MSGraphConditionalAccessPolicyState enabled]];
MSGraphConditionalAccessConditionSet *conditions = [[MSGraphConditionalAccessConditionSet alloc] init];
MSGraphConditionalAccessApplications *applications = [[MSGraphConditionalAccessApplications alloc] init];
NSMutableArray *includeApplicationsList = [[NSMutableArray alloc] init];
[includeApplicationsList addObject: @"00000002-0000-0ff1-ce00-000000000000"];
[applications setIncludeApplications:includeApplicationsList];
[conditions setApplications:applications];
MSGraphConditionalAccessUsers *users = [[MSGraphConditionalAccessUsers alloc] init];
NSMutableArray *includeGroupsList = [[NSMutableArray alloc] init];
[includeGroupsList addObject: @"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"];
[users setIncludeGroups:includeGroupsList];
[conditions setUsers:users];
[conditionalAccessPolicy setConditions:conditions];
MSGraphConditionalAccessGrantControls *grantControls = [[MSGraphConditionalAccessGrantControls alloc] init];
[grantControls setOperator:@"OR"];
NSMutableArray *builtInControlsList = [[NSMutableArray alloc] init];
[builtInControlsList addObject: @"mfa"];
[grantControls setBuiltInControls:builtInControlsList];
[conditionalAccessPolicy setGrantControls:grantControls];
NSError *error;
NSData *conditionalAccessPolicyData = [conditionalAccessPolicy getSerializedDataWithError:&error];
[urlRequest setHTTPBody:conditionalAccessPolicyData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
conditionalAccessPolicy.displayName = "Require MFA to EXO from non-compliant devices.";
conditionalAccessPolicy.state = ConditionalAccessPolicyState.ENABLED;
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplicationsList = new LinkedList<String>();
includeApplicationsList.add("00000002-0000-0ff1-ce00-000000000000");
applications.includeApplications = includeApplicationsList;
conditions.applications = applications;
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeGroupsList = new LinkedList<String>();
includeGroupsList.add("ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba");
users.includeGroups = includeGroupsList;
conditions.users = users;
conditionalAccessPolicy.conditions = conditions;
ConditionalAccessGrantControls grantControls = new ConditionalAccessGrantControls();
grantControls.operator = "OR";
LinkedList<ConditionalAccessGrantControl> builtInControlsList = new LinkedList<ConditionalAccessGrantControl>();
builtInControlsList.add(ConditionalAccessGrantControl.MFA);
grantControls.builtInControls = builtInControlsList;
conditionalAccessPolicy.grantControls = grantControls;
graphClient.identity().conditionalAccess().policies()
.buildRequest()
.post(conditionalAccessPolicy);
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewConditionalAccessPolicy()
displayName := "Require MFA to EXO from non-compliant devices."
requestBody.SetDisplayName(&displayName)
state := "enabled"
requestBody.SetState(&state)
conditions := msgraphsdk.NewConditionalAccessConditionSet()
requestBody.SetConditions(conditions)
applications := msgraphsdk.NewConditionalAccessApplications()
conditions.SetApplications(applications)
applications.SetIncludeApplications( []String {
"00000002-0000-0ff1-ce00-000000000000",
}
users := msgraphsdk.NewConditionalAccessUsers()
conditions.SetUsers(users)
users.SetIncludeGroups( []String {
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba",
}
grantControls := msgraphsdk.NewConditionalAccessGrantControls()
requestBody.SetGrantControls(grantControls)
operator := "OR"
grantControls.SetOperator(&operator)
grantControls.SetBuiltInControls( []ConditionalAccessGrantControl {
"mfa",
}
result, err := graphClient.Identity().ConditionalAccess().Policies().Post(requestBody)
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
DisplayName = "Require MFA to EXO from non-compliant devices."
State = "enabled"
Conditions = @{
Applications = @{
IncludeApplications = @(
"00000002-0000-0ff1-ce00-000000000000"
)
}
Users = @{
IncludeGroups = @(
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
)
}
}
GrantControls = @{
Operator = "OR"
BuiltInControls = @(
"mfa"
)
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
Para obter detalhes sobre como adicionar o SDK ao seu projeto e criar uma instância authProvider , consulte a documentação do SDK .
Resposta
Este é um exemplo de resposta.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#conditionalAccess/policies/$entity",
"id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
"displayName": "Require MFA to EXO from non-compliant devices.",
"createdDateTime": "2020-04-01T00:55:12.9571747Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": [],
"includeProtectionLevels": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}