Create permissionGrantConditionSet in includes collection of permissionGrantPolicy
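Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Add conditions under which a permission grant event is included in a permission grant policy. You do this by adding a permissionGrantConditionSet to the includes collection of a permissionGrantPolicy.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | Policy.ReadWrite.PermissionGrant |
| Delegated (personal Microsoft account) | Not supported. |
| Application | Policy.ReadWrite.PermissionGrant |
HTTP request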
POST /policies/permissionGrantPolicies/{id}/includes
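| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. |
| Content-type | application/json. Required. |
Request body
In the request body, supply a JSON representation of a permissionGrantConditionSet object.
Response
If successful, this method returns a 201 Created response code and a permissionGrantConditionSet object in the response body.
Examples
Example 1: Create a permission grant policy for client apps that are from verified publishers
Request
In this example, all delegated permissions for client apps that are from verified publishers are included in the permission grant policy. Because all the other conditions in the permissionGrantConditionSet were omitted, they take their default values, which in each case is the most inclusive.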
POST https://graph.microsoft.com/beta/policies/permissionGrantPolicies/{id}/includes
Content-Type: application/json

{
  "permissionType": "delegated",
  "clientApplicationsFromVerifiedPublisherOnly": true
}
// C#
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var permissionGrantConditionSet = new PermissionGrantConditionSet
{
    PermissionType = PermissionType.Delegated,
    // Same condition as the HTTP request above: clients from verified publishers only
    ClientApplicationsFromVerifiedPublisherOnly = true
};
await graphClient.Policies.PermissionGrantPolicies["{permissionGrantPolicy-id}"].Includes
    .Request()
    .AddAsync(permissionGrantConditionSet);
// JavaScript
const options = {
    authProvider,
};
const client = Client.init(options);
const permissionGrantConditionSet = {
    permissionType: 'delegated',
    // Same condition as the HTTP request above: clients from verified publishers only
    clientApplicationsFromVerifiedPublisherOnly: true
};
await client.api('/policies/permissionGrantPolicies/{id}/includes')
    .version('beta')
    .post(permissionGrantConditionSet);
// Objective-C
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
// The base URL already ends in "/", so the path is appended without a leading slash
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"policies/permissionGrantPolicies/{id}/includes"]]];
[urlRequest setHTTPMethod:@"POST"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphPermissionGrantConditionSet *permissionGrantConditionSet = [[MSGraphPermissionGrantConditionSet alloc] init];
[permissionGrantConditionSet setPermissionType: [MSGraphPermissionType delegated]];
// Same condition as the HTTP request above: clients from verified publishers only
[permissionGrantConditionSet setClientApplicationsFromVerifiedPublisherOnly: true];
NSError *error;
NSData *permissionGrantConditionSetData = [permissionGrantConditionSet getSerializedDataWithError:&error];
[urlRequest setHTTPBody:permissionGrantConditionSetData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
    completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
        //Request Completed
}];
[meDataTask execute];
// Java
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
PermissionGrantConditionSet permissionGrantConditionSet = new PermissionGrantConditionSet();
permissionGrantConditionSet.permissionType = PermissionType.DELEGATED;
// Same condition as the HTTP request above: clients from verified publishers only
permissionGrantConditionSet.clientApplicationsFromVerifiedPublisherOnly = true;
graphClient.policies().permissionGrantPolicies("{id}").includes()
    .buildRequest()
    .post(permissionGrantConditionSet);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewPermissionGrantConditionSet()
permissionType := "delegated"
requestBody.SetPermissionType(&permissionType)
// Same condition as the HTTP request above: clients from verified publishers only
clientApplicationsFromVerifiedPublisherOnly := true
requestBody.SetClientApplicationsFromVerifiedPublisherOnly(&clientApplicationsFromVerifiedPublisherOnly)
permissionGrantPolicyId := "permissionGrantPolicy-id"
result, err := graphClient.Policies().PermissionGrantPoliciesById(&permissionGrantPolicyId).Includes().Post(requestBody)
# PowerShell
Import-Module Microsoft.Graph.Identity.SignIns
$params = @{
    PermissionType = "delegated"
    # Same condition as the HTTP request above: clients from verified publishers only
    ClientApplicationsFromVerifiedPublisherOnly = $true
}
New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $permissionGrantPolicyId -BodyParameter $params
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "75ffda85-9314-43bc-bf19-554a7d079e96",
  "permissionClassification": "all",
  "permissionType": "delegated",
  "resourceApplication": "any",
  "permissions": ["all"],
  "clientApplicationIds": ["all"],
  "clientApplicationTenantIds": ["all"],
  "clientApplicationPublisherIds": ["all"],
  "clientApplicationsFromVerifiedPublisherOnly": true,
  "certifiedClientApplicationsOnly": false
}
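Example 2: Create a permission grant policy for client apps that are Microsoft 365 certified
Request
In this example, all delegated permissions for all client apps that are Microsoft 365 certified are included in the permission grant policy. Because having a verified publisher is a prerequisite for an app to be considered Microsoft 365 certified, it is not necessary to explicitly require a verified publisher. Because all the other conditions in the permissionGrantConditionSet were omitted, they take their default values, which in each case is the most inclusive.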
POST https://graph.microsoft.com/beta/policies/permissionGrantPolicies/{id}/includes
Content-Type: application/json

{
  "permissionType": "delegated",
  "certifiedClientApplicationsOnly": true
}
Response
The following is an example of the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json

{
  "id": "75ffda85-9314-43bc-bf19-554a7d079e96",
  "permissionClassification": "all",
  "permissionType": "delegated",
  "resourceApplication": "any",
  "permissions": ["all"],
  "clientApplicationIds": ["all"],
  "clientApplicationTenantIds": ["all"],
  "clientApplicationPublisherIds": ["all"],
  "clientApplicationsFromVerifiedPublisherOnly": true,
  "certifiedClientApplicationsOnly": true
}
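
Both examples rely on omitted conditions falling back to their most-inclusive values. The following is an added example, not part of Microsoft's documentation or SDKs, that expands a request body into the condition set that will apply and lists which conditions stay unrestricted, so a condition set can be reviewed before it is posted. The function names are hypothetical, the list and string defaults are taken from the sample responses above, and `False` as the default for the two boolean conditions is an assumption.

```python
# Added example, not Microsoft's code. Defaults for the list/string conditions
# are the values in this page's sample responses; False for the two boolean
# conditions is an assumption ("most inclusive" = no restriction).
DEFAULTS = {
    "permissionClassification": "all",
    "resourceApplication": "any",
    "permissions": ["all"],
    "clientApplicationIds": ["all"],
    "clientApplicationTenantIds": ["all"],
    "clientApplicationPublisherIds": ["all"],
    "clientApplicationsFromVerifiedPublisherOnly": False,
    "certifiedClientApplicationsOnly": False,
}
CLIENT_CONDITIONS = [k for k in DEFAULTS if k.startswith(("client", "certified"))]


def effective_condition_set(body):
    """Expand a request body into the condition set that will actually apply."""
    unknown = set(body) - set(DEFAULTS) - {"permissionType"}
    if unknown:  # catch misspelled condition names before they are sent
        raise ValueError(f"unexpected properties: {sorted(unknown)}")
    effective = {**DEFAULTS, **body}
    # Example 2: certification presupposes a verified publisher, and the
    # sample response reports both flags as true.
    if effective["certifiedClientApplicationsOnly"]:
        effective["clientApplicationsFromVerifiedPublisherOnly"] = True
    return effective


def unrestricted_conditions(body):
    """Sorted names of conditions left at their most-inclusive value."""
    effective = effective_condition_set(body)
    return sorted(k for k, v in DEFAULTS.items() if effective[k] == v)


def matches_any_client(body):
    """True when nothing in the set narrows which client apps it matches."""
    open_conditions = unrestricted_conditions(body)
    return all(k in open_conditions for k in CLIENT_CONDITIONS)


if __name__ == "__main__":
    samples = {  # the two request bodies from this page plus one constructed body
        "example 1": {"permissionType": "delegated", "clientApplicationsFromVerifiedPublisherOnly": True},
        "example 2": {"permissionType": "delegated", "certifiedClientApplicationsOnly": True},
        "constructed": {"permissionType": "delegated"},
    }
    for name, body in samples.items():
        print(name, unrestricted_conditions(body), matches_any_client(body))
```

A body for which `matches_any_client` returns true places no restriction on the requesting client app, which is worth a second look before adding it to an includes collection.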