permissionGrantConditionSet resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

A permission grant condition set is used to specify a matching rule in a permission grant policy to include or exclude a permission grant event.

A permission grant condition set contains several conditions. For an event to match a permission grant condition set, all conditions must be met.

Properties

Property Type Description
id String The unique identifier for the permission grant condition set. Key. Read-only.
permissionClassification String The permission classification for the permission being granted, or all to match with any permission classification (including permissions which are not classified). Default is all.
permissionType permissionType The permission type of the permission being granted. Possible values: application for application permissions (e.g. app roles), or delegated for delegated permissions. The value delegatedUserConsentable indicates delegated permissions which have not been configured by the API publisher to require admin consent—this value may be used in built-in permission grant policies, but cannot be used in custom permission grant policies. Required.
resourceApplication String The appId of the resource application (e.g. the API) for which a permission is being granted, or any to match with any resource application or API. Default is any.
permissions String collection The list of id values for the specific permissions to match with, or a list with the single value all to match with any permission. The id of delegated permissions can be found in the publishedPermissionScopes property of the API's servicePrincipal object. The id of application permissions can be found in the appRoles property of the API's servicePrincipal object. The id of resource-specific application permissions can be found in the resourceSpecificApplicationPermissions property of the API's servicePrincipal object. Default is the single value all.
clientApplicationIds String collection A list of appId values for the client applications to match with, or a list with the single value all to match any client application. Default is the single value all.
clientApplicationTenantIds String collection A list of Microsoft Entra tenant IDs in which the client application is registered, or a list with the single value all to match with client apps registered in any tenant. Default is the single value all.
clientApplicationPublisherIds String collection A list of Microsoft Partner Network (MPN) IDs for verified publishers of the client application, or a list with the single value all to match with client apps from any publisher. Default is the single value all.
clientApplicationsFromVerifiedPublisherOnly Boolean Set to true to only match on client applications with a verified publisher. Set to false to match on any client app, even if it does not have a verified publisher. Default is false.
certifiedClientApplicationsOnly Boolean Set to true to only match on client applications that are Microsoft 365 certified. Set to false to match on any other client app. Default is false.
scopeSensitivityLabels scopeSensitivityLabels Defines the sensitivity labels for groups that are included in a permissionGrantPreApprovalPolicy.

JSON representation

{
    "id": "string (identifier)",
    "permissionClassification": "string",
    "permissionType": "string",
    "resourceApplication": "string",
    "permissions": [ "string" ],
    "clientApplicationIds": [ "string" ],
    "clientApplicationTenantIds": [ "string" ],
    "clientApplicationPublisherIds": [ "string" ],
    "clientApplicationsFromVerifiedPublisherOnly": false,
    "certifiedClientApplicationsOnly": false,
    "scopeSensitivityLabels": {
        "@odata.type": "#microsoft.graph.allScopeSensitivityLabels",
        "labelKind": "all"
    }
}