0
votes

A follow up on my earlier question - Are there any APIs available to manage conditional access policies for a tenant?

I'm using the API (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/policy_list) to retrieve the list of policies created for my tenant and have been running into permissions issues.

According to the documentation this API requires a scope of Directory.AccessAsUser.All. On the Azure AD portal, I set the permissions for my test App to include "Read and write directory data" and "Access the directory as a signed-in user". I set these permissions on both Windows Azure Active Directory and Microsoft Graph APIs. When I make a call to https://graph.microsoft.com/beta/policies, I keep getting 403 Forbidden with the error message "Insufficient privileges to complete the operation." The other operations like getting the users in the directory, getting identityRiskEvents, etc. all work fine.

Am I missing anything here?

Thanks in advance!


3 Answers

2
votes

Actually the answer is no. The GRAPH REST API List Policies does not return conditional access policies yet. The REST API doc states:

Currently only one type of policy is available:

Token Lifetime Policy - Specifies the lifetime duration of tokens issued for applications and service principals.

Check the microsoft faq documentation on configuring conditional access.

Are Graph APIs available for configuring conditional access policies?

Currently, no.

FAQ Link

1
votes

No. There is a REST API, "List policies", under "Operations on policy" in the Graph API reference, which you can use to list all policies for your tenant.

Edit: This article says only Token Policies are being returned at this moment: https://docs.microsoft.com/nl-nl/graph/api/resources/policy?view=graph-rest-beta

0
votes

Microsoft have recently released access to conditional access policies in their Graph API beta (https://docs.microsoft.com/en-gb/graph/api/resources/conditionalaccesspolicy?view=graph-rest-beta). The current methods they support for the conditional access policy resource type are:

  • List
  • Create
  • Get
  • Update
  • Delete

Similar methods are available for named locations included in a policy.
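An added example (not code from the question or any of the answers) showing the List operation from this answer against the conditional access resource, and turning the 403 "Insufficient privileges" response from the question into a usable diagnostic. The endpoint path `https://graph.microsoft.com/beta/identity/conditionalAccess/policies` and the `Policy.Read.All` permission are taken from the Graph reference rather than from this page; the JSON responses, policy names and ids are constructed so the script runs offline through an injected transport.

```python
"""List conditional access policies via Microsoft Graph (beta) and explain
permission failures. Added example; endpoint and permission name are from the
Graph reference, sample responses are constructed."""
import json
import urllib.error
import urllib.request

# Documented Graph beta endpoint for the conditionalAccessPolicy resource.
CA_POLICIES_URL = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"


class GraphError(Exception):
    """Raised for any non-200 Graph response, carrying a diagnostic message."""


def http_get(url, token):
    """Real transport: GET with a bearer token, returning (status, body_text).
    Graph puts error details in the body of 4xx responses, so the body is
    read for those as well instead of being discarded."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def diagnose(status, body):
    """Turn a Graph error response into a one-line explanation. The 403 text is
    the one quoted in the question; Policy.Read.All is the documented
    permission for reading conditional access policies."""
    try:
        err = json.loads(body).get("error", {})
        code, message = err.get("code", ""), err.get("message", "")
    except ValueError:
        code, message = "", body[:200]
    if status == 401:
        return "401: token missing, expired, or issued for the wrong audience"
    if status == 403 and "Insufficient privileges" in message:
        return ("403 Insufficient privileges: the token carries no scope covering this "
                "resource (conditional access needs Policy.Read.All; Directory.* scopes "
                "are not enough) or admin consent has not been granted")
    return f"{status} {code}: {message}"


def summarize(policy):
    """Keep only the fields an auditor wants at a glance."""
    grant = policy.get("grantControls") or {}
    return {
        "id": policy.get("id"),
        "displayName": policy.get("displayName"),
        "state": policy.get("state"),
        "controls": grant.get("builtInControls", []),
    }


def list_ca_policies(token, transport=http_get):
    """List policies; raises GraphError with a diagnostic on any failure."""
    status, body = transport(CA_POLICIES_URL, token)
    if status != 200:
        raise GraphError(diagnose(status, body))
    return [summarize(p) for p in json.loads(body).get("value", [])]


# Constructed sample responses (not real tenant data) for offline use.
SAMPLE_OK = json.dumps({"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Require MFA for admins",
     "state": "enabled", "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Block legacy auth",
     "state": "enabledForReportingButNotEnforced",
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]})
SAMPLE_403 = json.dumps({"error": {"code": "Authorization_RequestDenied",
                                   "message": "Insufficient privileges to complete the operation."}})


def fake_transport(url, token):
    """Offline stand-in for http_get, keyed on the token value."""
    return (200, SAMPLE_OK) if token == "good-token" else (403, SAMPLE_403)


if __name__ == "__main__":
    for pol in list_ca_policies("good-token", transport=fake_transport):
        print(pol)
    try:
        list_ca_policies("directory-only-token", transport=fake_transport)
    except GraphError as err:
        print("error:", err)
```

To run it against a real tenant, drop the `transport=` argument and pass an access token whose consented permissions include `Policy.Read.All`; the diagnostic branch is what you would see with the Directory.* permissions described in the question.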