Update authorizationPolicy

Namespace: microsoft.graph

Update the properties of an authorizationPolicy object.

This API is available in the following national cloud deployments.

  • Global service
  • US Government L4
  • US Government L5 (DOD)
  • China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type                         | Least privileged permissions   | Higher privileged permissions
Delegated (work or school account)      | Policy.ReadWrite.Authorization | Not available.
Delegated (personal Microsoft account)  | Not supported.                 | Not supported.
Application                             | Policy.ReadWrite.Authorization | Not available.

Important

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged role is supported for this operation.

  • Privileged Role Administrator

HTTP request

PATCH /policies/authorizationPolicy

Request headers

Name          | Description
Authorization | Bearer {token}. Required. Learn more about authentication and authorization.
Content-type  | application/json. Required.

Request body

In the request body, supply only the values for properties to update. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values.

The following table specifies the properties that can be updated.

Property | Type | Description
allowEmailVerifiedUsersToJoinOrganization | Boolean | Indicates whether a user can join the tenant by email validation.
allowInvitesFrom | allowInvitesFrom | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. For more information, see allowInvitesFrom values.
allowUserConsentForRiskyApps | Boolean | Indicates whether user consent for risky apps is allowed. Default value is false. We recommend that you keep the value set to false.
allowedToSignUpEmailBasedSubscriptions | Boolean | Indicates whether users can sign up for email-based subscriptions.
allowedToUseSSPR | Boolean | Indicates whether administrators of the tenant can use the Self-Service Password Reset (SSPR). For more information, see Self-service password reset for administrators.
blockMsolPowerShell | Boolean | To disable the use of MSOL PowerShell, set this property to true. This also disables user-based access to the legacy service endpoint used by MSOL PowerShell. This doesn't affect Microsoft Entra Connect or Microsoft Graph.
defaultUserRolePermissions | defaultUserRolePermissions | Specifies certain customizable permissions for the default user role.
description | String | Description of this policy.
displayName | String | Display name for this policy.
guestUserRoleId | Guid | Represents the role templateId for the role that should be granted to guest users. Currently the following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
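The request body above is a partial update: anything not sent is left alone, so a misspelled property name or an out-of-range value is the usual way a hardening change silently fails to land. The following Python is an added example (not Microsoft's SDK or sample code) that checks a proposed change against the property table on this page before sending it with the documented PATCH method and headers. GRAPH_ENDPOINT, the UPDATABLE/ALLOW_INVITES_FROM/GUEST_ROLE_IDS tables and the function names are this example's own; the enum values and role template IDs are the ones listed above, and the access token is a placeholder that an OAuth client would supply.

```python
import json
import urllib.request
import uuid

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Properties the request-body table above lists as updatable, with their JSON types.
UPDATABLE = {
    "allowEmailVerifiedUsersToJoinOrganization": bool,
    "allowInvitesFrom": str,
    "allowUserConsentForRiskyApps": bool,
    "allowedToSignUpEmailBasedSubscriptions": bool,
    "allowedToUseSSPR": bool,
    "blockMsolPowerShell": bool,
    "defaultUserRolePermissions": dict,
    "description": str,
    "displayName": str,
    "guestUserRoleId": str,
}

# Enum values documented for allowInvitesFrom.
ALLOW_INVITES_FROM = {
    "none", "adminsAndGuestInviters", "adminsGuestInvitersAndAllMembers", "everyone",
}

# Role template IDs the table lists as supported values for guestUserRoleId.
GUEST_ROLE_IDS = {
    "a0b1b346-4d3e-4e8b-98f8-753987be4970": "User",
    "10dae51f-b6af-4016-8d66-8c2a99b929b3": "Guest User",
    "2af84b1e-32c8-42b7-82bc-daa82404023b": "Restricted Guest User",
}


def build_patch(changes):
    """Return a PATCH body holding only the requested changes, after checking each
    one against the documented schema so a typo cannot go unnoticed."""
    body = {}
    for key, value in changes.items():
        expected = UPDATABLE.get(key)
        if expected is None:
            raise ValueError(f"{key!r} is not an updatable authorizationPolicy property")
        if not isinstance(value, expected):
            raise TypeError(f"{key!r} must be {expected.__name__}, got {type(value).__name__}")
        if key == "allowInvitesFrom" and value not in ALLOW_INVITES_FROM:
            raise ValueError(f"allowInvitesFrom must be one of {sorted(ALLOW_INVITES_FROM)}")
        if key == "guestUserRoleId":
            uuid.UUID(value)  # raises ValueError if the string is not a well-formed GUID
            if value.lower() not in GUEST_ROLE_IDS:
                raise ValueError(f"{value} is not a supported guest role template ID")
        body[key] = value
    if not body:
        raise ValueError("nothing to update")
    return body


def send_update(body, access_token, opener=urllib.request.urlopen):
    """PATCH the body to Graph with the headers from the request-headers table.
    Returns the HTTP status; the documented success status is 204 (no body)."""
    request = urllib.request.Request(
        GRAPH_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-type": "application/json",
        },
    )
    # urlopen raises HTTPError for 4xx/5xx, so a returned status is always a success code.
    with opener(request) as response:
        return response.status


if __name__ == "__main__":
    # Example 2 from this page, passed through the validator first.
    body = build_patch({"blockMsolPowerShell": True})
    print(json.dumps(body, indent=2))
    # send_update(body, "ACCESS_TOKEN_PLACEHOLDER")  # placeholder token; needs Policy.ReadWrite.Authorization
```

The `opener` parameter exists only so the HTTP call can be exercised without a tenant; in production the default `urllib.request.urlopen` is used and the token comes from whichever OAuth flow the app already has.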

Response

If successful, this method returns a 204 No Content response code. It doesn't return anything in the response body.

Examples

Example 1: Update or set Guest user access level for the tenant

Request

The following example shows a request. In this example, guest access level is modified to Restricted Guest User.

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy

{
  "allowEmailVerifiedUsersToJoinOrganization":false
}

Response

The following example shows the response.

HTTP/1.1 204 No Content

Example 2: Block MSOL PowerShell in tenant

Request

The following example shows a request.

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy

{
   "blockMsolPowerShell":true
}

Response

The following example shows the response.

HTTP/1.1 204 No Content

Example 3: Disable default user role's permission to create applications

Request

The following example shows a request.

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy

{
   "defaultUserRolePermissions":{
      "allowedToCreateApps":false
   }
}

Response

The following example shows the response.

HTTP/1.1 204 No Content

Example 4: Enable default user role to use Self-Serve Password Reset feature

Request

The following example shows a request.

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy

{
   "allowedToUseSSPR":true
}

Response

The following example shows the response.

HTTP/1.1 204 No Content

Request

The following example shows a request.

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy

{
   "defaultUserRolePermissions": {
      "permissionGrantPoliciesAssigned": []
   }
}

Response

The following example shows the response.

HTTP/1.1 204 No Content

Request

Here's an example of the request that allows user consent to apps, subject to the built-in app consent policy microsoft-user-default-low, which allows delegated permissions classified "low" for client apps from verified publishers or registered in the same tenant.

PATCH https://graph.microsoft.com/v1.0/policies/authorizationPolicy

{
   "defaultUserRolePermissions": {
      "permissionGrantPoliciesAssigned": [
         "managePermissionGrantsForSelf.microsoft-user-default-low"
      ]
   }
}

Response

The following example shows the response.

HTTP/1.1 204 No Content
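Taken together, the examples on this page describe a hardened target state: no email-verified self-join, MSOL PowerShell blocked, no app registration by default users, restricted guest access, and user consent either off (empty permissionGrantPoliciesAssigned) or limited to the low-risk built-in policy. The following Python is an added example, not part of this reference, that compares a policy read from the tenant against such a baseline and emits the minimal PATCH body, relying on the partial-update rule stated under "Request body" (unsent properties keep their values). SAMPLE_POLICY is a constructed GET response, not real tenant data, and its "contoso-custom-policy" entry is a placeholder; BASELINE, audit_policy and user_consent_mode are this example's own names, while the role template ID and the microsoft-user-default-low policy reference come from this page.

```python
import json

RESTRICTED_GUEST_ROLE_ID = "2af84b1e-32c8-42b7-82bc-daa82404023b"
LOW_RISK_CONSENT_POLICY = "managePermissionGrantsForSelf.microsoft-user-default-low"

# Hardened target values, each taken from an example or property note on this page.
BASELINE = {
    "allowEmailVerifiedUsersToJoinOrganization": False,  # example 1
    "blockMsolPowerShell": True,                         # example 2
    "allowUserConsentForRiskyApps": False,               # table: keep false
    "guestUserRoleId": RESTRICTED_GUEST_ROLE_ID,         # table: Restricted Guest User
    "defaultUserRolePermissions": {
        "allowedToCreateApps": False,                                  # example 3
        "permissionGrantPoliciesAssigned": [LOW_RISK_CONSENT_POLICY],  # example 6
    },
}

# Constructed sample of a GET /policies/authorizationPolicy response (not real tenant data).
SAMPLE_POLICY = {
    "displayName": "Authorization Policy",
    "allowInvitesFrom": "everyone",
    "allowEmailVerifiedUsersToJoinOrganization": True,
    "allowUserConsentForRiskyApps": False,
    "allowedToUseSSPR": True,
    "blockMsolPowerShell": False,
    "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",  # Guest User
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [
            "managePermissionGrantsForSelf.contoso-custom-policy",  # placeholder, not a real policy
        ],
    },
}


def user_consent_mode(policies_assigned):
    """Interpret permissionGrantPoliciesAssigned the way examples 5 and 6 use it."""
    assigned = set(policies_assigned or [])
    if not assigned:
        return "disabled"            # example 5: empty list, no user consent
    if assigned == {LOW_RISK_CONSENT_POLICY}:
        return "low-risk-only"       # example 6: built-in low-risk policy only
    return "custom-review"           # anything else deserves a look


def _same(actual, wanted):
    # GUIDs may be returned in either case, so compare strings case-insensitively.
    if isinstance(actual, str) and isinstance(wanted, str):
        return actual.lower() == wanted.lower()
    return actual == wanted


def audit_policy(current, baseline=BASELINE):
    """Return (findings, patch): human-readable drift lines and the smallest
    request body that brings the policy to the baseline."""
    findings, patch, nested = [], {}, {}
    for key, wanted in baseline.items():
        if key == "defaultUserRolePermissions":
            continue
        actual = current.get(key)
        if not _same(actual, wanted):
            findings.append(f"{key}: {actual!r} -> {wanted!r}")
            patch[key] = wanted
    current_perms = current.get("defaultUserRolePermissions") or {}
    for key, wanted in baseline["defaultUserRolePermissions"].items():
        actual = current_perms.get(key)
        if key == "permissionGrantPoliciesAssigned":
            if set(actual or []) != set(wanted):
                findings.append(f"{key}: consent {user_consent_mode(actual)} -> {user_consent_mode(wanted)}")
                nested[key] = list(wanted)
        elif not _same(actual, wanted):
            findings.append(f"defaultUserRolePermissions.{key}: {actual!r} -> {wanted!r}")
            nested[key] = wanted
    if nested:
        # Only the differing nested keys are sent; the others keep their values (see Request body).
        patch["defaultUserRolePermissions"] = nested
    return findings, patch


if __name__ == "__main__":
    findings, patch = audit_policy(SAMPLE_POLICY)
    for line in findings:
        print("drift:", line)
    print(json.dumps(patch, indent=2))
```

Running this against a freshly read policy on a schedule turns the page's one-off examples into a drift check; the emitted body can be fed straight to the PATCH call documented above.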