Update onPremisesConditionalAccessSettings
Namespace: microsoft.graph
Important: Microsoft Graph APIs under the /beta version are subject to change; production use is not supported.
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Update the properties of a onPremisesConditionalAccessSettings object.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | DeviceManagementServiceConfig.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All |
HTTP Request
PATCH /deviceManagement/conditionalAccessSettings
PATCH /deviceManagement/exchangeOnPremisesPolicy/conditionalAccessSettings
Request headers
| Header | Value |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Accept | application/json |
Request body
In the request body, supply a JSON representation for the onPremisesConditionalAccessSettings object.
The following table shows the properties that are required when you create the onPremisesConditionalAccessSettings.
| Property | Type | Description |
|---|---|---|
| id | String | |
| enabled | Boolean | Indicates if on premises conditional access is enabled for this organization |
| includedGroups | Guid collection | User groups that will be targeted by on premises conditional access. All users in these groups will be required to have mobile device managed and compliant for mail access. |
| excludedGroups | Guid collection | User groups that will be exempt by on premises conditional access. All users in these groups will be exempt from the conditional access policy. |
| overrideDefaultRule | Boolean | Override the default access rule when allowing a device to ensure access is granted. |
Response
If successful, this method returns a 200 OK response code and an updated onPremisesConditionalAccessSettings object in the response body.
Example
Request
Here is an example of the request.
PATCH https://graph.microsoft.com/beta/deviceManagement/conditionalAccessSettings
Content-type: application/json
Content-length: 275
{
"@odata.type": "#microsoft.graph.onPremisesConditionalAccessSettings",
"enabled": true,
"includedGroups": [
"77c9d466-d466-77c9-66d4-c97766d4c977"
],
"excludedGroups": [
"2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"
],
"overrideDefaultRule": true
}
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 324
{
"@odata.type": "#microsoft.graph.onPremisesConditionalAccessSettings",
"id": "a0efde21-de21-a0ef-21de-efa021deefa0",
"enabled": true,
"includedGroups": [
"77c9d466-d466-77c9-66d4-c97766d4c977"
],
"excludedGroups": [
"2a0afae4-fae4-2a0a-e4fa-0a2ae4fa0a2a"
],
"overrideDefaultRule": true
}