命名空间:microsoft.graph
重要
Microsoft Graph /beta 版本下的 API 可能会发生更改。 不支持在生产应用程序中使用这些 API。 若要确定 API 是否在 v1.0 中可用,请使用 版本 选择器。
创建新的 conditionalAccessPolicy。
此 API 可用于以下国家级云部署。
| 全局服务 | 美国政府 L4 | 美国政府 L5 (DOD) | 由世纪互联运营的中国 |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
权限
为此 API 选择标记为最低特权的权限。 只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
| 权限类型 | 最低特权权限 | 更高特权权限 |
|---|---|---|
| 委派(工作或学校帐户) | Policy.Read.All 和 Policy.ReadWrite.ConditionalAccess | Application.Read.All 和 Policy.ReadWrite.ConditionalAccess |
| 委派(个人 Microsoft 帐户) | 不支持。 | 不支持。 |
| 应用程序 | Policy.Read.All 和 Policy.ReadWrite.ConditionalAccess | Application.Read.All 和 Policy.ReadWrite.ConditionalAccess |
重要
在具有工作或学校帐户的委托方案中,如果已登录用户对其他用户进行作,则必须为他们分配受支持的Microsoft Entra角色或具有受支持角色权限的自定义角色。 此作支持以下最低特权角色。
- 安全管理员
- 条件访问管理
注意
此方法存在 已知权限问题 ,可能需要同意多个权限。
HTTP 请求
POST /identity/conditionalAccess/policies
请求标头
| 名称 | 说明 |
|---|---|
| Authorization | 持有者 {token}。 必填。 详细了解 身份验证和授权。 |
| Content-Type | application/json. 必需。 |
请求正文
在请求正文中,提供 conditionalAccessPolicy 对象的 JSON 表示形式。
有效策略应至少包含一个 应用程序 规则(例如 、 'includeApplications': 'none'一个 用户 规则) 'includeUsers': 'none'和至少一个 授予/会话 控制。
响应
如果成功,此方法在响应正文中返回响应 201 Created 代码和新的 conditionalAccessPolicy 对象。
示例
示例 1:要求 MFA 访问受信任位置之外的Exchange Online
请求
以下示例演示了一个常见请求,要求对特定组的受信任位置之外的新式身份验证客户端访问Exchange Online进行多重身份验证。
注意: 在使用此作之前,必须设置受信任位置。
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Access to EXO requires MFA",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
响应
以下示例显示了相应的响应。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "7359d0e0-d8a9-4afa-8a93-e23e099d7be8",
"displayName": "Access to EXO requires MFA",
"createdDateTime": "2019-10-14T19:52:00.050958Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"browser"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": [
"AllTrusted"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
示例 2:阻止从不受信任的区域访问Exchange Online
请求
以下示例演示了阻止从不受信任/未知区域访问Exchange Online的请求。 此示例假定 id = 198ad66e-87b3-4157-85a3-8a7b51794ee9 的命名位置对应于不受信任的/未知区域列表。
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to EXO non-trusted regions.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
响应
以下示例显示了相应的响应。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "c98e6c3d-f6ca-42ea-a927-773b6f12a0c2",
"displayName": "Block access to EXO non-trusted regions.",
"createdDateTime": "2019-10-14T19:53:11.3705634Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"locations": {
"includeLocations": [
"198ad66e-87b3-4157-85a3-8a7b51794ee9"
],
"excludeLocations": []
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}
示例 3:使用所有条件/控件
请求
以下示例显示了使用所有条件/控件的请求。
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Demo app for documentation",
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
响应
以下示例显示了相应的响应。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "6b5e999b-0ba8-4186-a106-e0296c1c4358",
"displayName": "Demo app for documentation",
"createdDateTime": "2019-09-26T23:12:16.0792706Z",
"modifiedDateTime": null,
"state": "disabled",
"conditions": {
"signInRiskLevels": [
"high",
"medium"
],
"clientAppTypes": [
"mobileAppsAndDesktopClients",
"exchangeActiveSync",
"other"
],
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [
"499b84ac-1321-427f-aa17-267ca6975798",
"00000007-0000-0000-c000-000000000000",
"de8bc8b5-d9f9-48b1-a8ad-b748da725064",
"00000012-0000-0000-c000-000000000000",
"797f4846-ba00-4fd7-ba43-dac1f8f63013",
"05a65629-4c1b-48c1-a78b-804c4abdd4af",
"7df0a125-d3be-4c96-aa54-591f83ff541c"
],
"includeUserActions": []
},
"users": {
"includeUsers": [
"a702a13d-a437-4a07-8a7e-8c052de62dfd"
],
"excludeUsers": [
"124c5b6a-ffa5-483a-9b88-04c3fce5574a",
"GuestsOrExternalUsers"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"cf1c38e5-3621-4004-a7cb-879624dced7c",
"c4e39bd9-1100-46d3-8c65-fb160da0071f"
],
"excludeRoles": [
"b0f54661-2d74-4c50-afa3-1ec803f12efe"
]
},
"platforms": {
"includePlatforms": [
"all"
],
"excludePlatforms": [
"iOS",
"windowsPhone"
]
},
"locations": {
"includeLocations": [
"AllTrusted"
],
"excludeLocations": [
"00000000-0000-0000-0000-000000000000",
"d2136c9c-b049-47ae-b9cf-316e04ef7198"
]
},
"deviceStates": {
"includeStates": [
"All"
],
"excludeStates": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa",
"compliantDevice",
"domainJoinedDevice",
"approvedApplication",
"compliantApplication"
],
"customAuthenticationFactors": [],
"termsOfUse": [
"ce580154-086a-40fd-91df-8a60abac81a0",
"7f29d675-caff-43e1-8a53-1b8516ed2075"
]
},
"sessionControls": {
"applicationEnforcedRestrictions": null,
"persistentBrowser": null,
"cloudAppSecurity": {
"cloudAppSecurityType": "blockDownloads",
"isEnabled": true
},
"signInFrequency": {
"value": 4,
"type": "hours",
"isEnabled": true
}
}
}
示例 4:要求 MFA 从不合规的设备Exchange Online
注意: 我们正在弃用 deviceStates 条件,将来可能会将其删除。 今后,请使用 设备 条件。
请求
以下示例显示了一个请求,要求 MFA 从不合规的设备Exchange Online。
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Require MFA to EXO from non-complaint devices.",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
]
},
"users": {
"includeGroups": ["ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"]
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
响应
以下示例显示了相应的响应。
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#conditionalAccess/policies/$entity",
"id": "b3f1298e-8e93-49af-bdbf-94cf7d453ca3",
"displayName": "Require MFA to EXO from non-complaint devices.",
"createdDateTime": "2020-04-01T00:55:12.9571747Z",
"modifiedDateTime": null,
"state": "enabled",
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"applications": {
"includeApplications": [
"00000002-0000-0ff1-ce00-000000000000"
],
"excludeApplications": [],
"includeUserActions": [],
"includeProtectionLevels": []
},
"users": {
"includeUsers": [],
"excludeUsers": [],
"includeGroups": [
"ba8e7ded-8b0f-4836-ba06-8ff1ecc5c8ba"
],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": []
},
"devices": {
"includeDevices": [
"All"
],
"excludeDevices": [
"Compliant"
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": []
}
}