Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Policy.ReadWrite.Authorization | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Policy.ReadWrite.Authorization | Not available. |
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged role is supported for this operation.
In the request body, supply only the values for the properties to update. Existing properties that aren't included in the request body keep their previous values or are recalculated based on changes to other property values.
The following table specifies the properties that can be updated.
| Property | Type | Description |
|---|---|---|
| allowEmailVerifiedUsersToJoinOrganization | Boolean | Indicates whether a user can join the tenant by email validation. |
| allowInvitesFrom | allowInvitesFrom | Indicates who can invite external users to the organization. The possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, and everyone. everyone is the default setting for all cloud environments except US Government. For more information, see allowInvitesFrom values. |
| blockMsolPowerShell | Boolean | To disable the use of MSOL PowerShell, set this property to true. This also disables user-based access to the legacy service endpoint used by MSOL PowerShell. This doesn't affect Microsoft Entra Connect or Microsoft Graph. |
| defaultUserRolePermissions | defaultUserRolePermissions | Specifies certain customizable permissions for the default user role. |
| description | String | Description of this policy. |
| displayName | String | Display name for this policy. |
| guestUserRoleId | Guid | Represents the templateId value of the role that should be granted to the guest user. The following roles are currently supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). |
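The following Python example is added here and is not part of Microsoft's documentation or SDKs. It applies the rule that the request body carries only the properties being changed: it checks a desired configuration against the values listed in the table and compares it with the current policy to produce the smallest PATCH body. The names `validate`, `minimal_patch`, `CURRENT` and `DESIRED`, and the target values themselves, are assumptions made for this example.

```python
# Updatable properties shown on this page: a Python type, or the allowed values.
ALLOWED = {
    "allowEmailVerifiedUsersToJoinOrganization": bool,
    "allowedToUseSSPR": bool, "blockMsolPowerShell": bool,
    "description": str, "displayName": str,
    "allowInvitesFrom": {"none", "adminsAndGuestInviters",
                         "adminsGuestInvitersAndAllMembers", "everyone"},
    "guestUserRoleId": {"a0b1b346-4d3e-4e8b-98f8-753987be4970",   # User
                        "10dae51f-b6af-4016-8d66-8c2a99b929b3",   # Guest User
                        "2af84b1e-32c8-42b7-82bc-daa82404023b"},  # Restricted Guest User
}
# defaultUserRolePermissions: only the two members this page's examples set.
ROLE_PERMS = {"allowedToCreateApps": bool, "permissionGrantPoliciesAssigned": list}
LOW = "managePermissionGrantsForSelf.microsoft-user-default-low"

def validate(desired):
    """Raise ValueError for a name or value outside what the page lists."""
    for name, value in desired.items():
        rule = ALLOWED.get(name)
        if name == "defaultUserRolePermissions":
            ok = isinstance(value, dict) and all(
                k in ROLE_PERMS and isinstance(v, ROLE_PERMS[k])
                for k, v in value.items())
        elif isinstance(rule, set):
            ok = isinstance(value, str) and value in rule
        elif rule is not None:
            ok = isinstance(value, rule)
        else:
            raise ValueError(f"not an updatable property: {name}")
        if not ok:
            raise ValueError(f"invalid value for {name}: {value!r}")

def minimal_patch(current, desired):
    """Return a PATCH body holding only properties that differ from current."""
    validate(desired)
    patch = {}
    for name, value in desired.items():
        if isinstance(value, dict):  # complex type: compare member by member
            old = current.get(name) or {}
            changed = {k: v for k, v in value.items() if old.get(k) != v}
            if changed:
                patch[name] = changed
        elif current.get(name) != value:
            patch[name] = value
    return patch

# Constructed samples (not real tenant data): current policy, then target settings.
CURRENT = {"allowInvitesFrom": "everyone", "blockMsolPowerShell": False,
           "allowEmailVerifiedUsersToJoinOrganization": False,
           "guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",
           "defaultUserRolePermissions": {"allowedToCreateApps": True,
                                          "permissionGrantPoliciesAssigned": [LOW]}}
DESIRED = {**CURRENT, "allowInvitesFrom": "adminsAndGuestInviters",
           "blockMsolPowerShell": True,
           "guestUserRoleId": "2af84b1e-32c8-42b7-82bc-daa82404023b",
           "defaultUserRolePermissions": {"allowedToCreateApps": False,
                                          "permissionGrantPoliciesAssigned": [LOW]}}
if __name__ == "__main__":
    print(minimal_patch(CURRENT, DESIRED))
```

The returned dictionary is what would be serialized as the JSON body of the update request; unchanged settings such as allowEmailVerifiedUsersToJoinOrganization and the existing consent policy assignment are left out of it.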
Response
If successful, this method returns a 204 No Content response code. It doesn't return anything in the response body.
Examples
Example 1: Update or set the guest user access level for the tenant
Request
The following example shows the request. In this example, the guest access level is modified to Restricted Guest User.
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    AllowEmailVerifiedUsersToJoinOrganization = false,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

```go
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewAuthorizationPolicy()
allowEmailVerifiedUsersToJoinOrganization := false
requestBody.SetAllowEmailVerifiedUsersToJoinOrganization(&allowEmailVerifiedUsersToJoinOrganization)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
authorizationPolicy, err := graphClient.Policies().AuthorizationPolicy().Patch(context.Background(), requestBody, nil)
```

```java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
authorizationPolicy.setAllowEmailVerifiedUsersToJoinOrganization(false);
AuthorizationPolicy result = graphClient.policies().authorizationPolicy().patch(authorizationPolicy);
```

```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuthorizationPolicy;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuthorizationPolicy();
$requestBody->setAllowEmailVerifiedUsersToJoinOrganization(false);

$result = $graphServiceClient->policies()->authorizationPolicy()->patch($requestBody)->wait();
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AuthorizationPolicy(
    allow_email_verified_users_to_join_organization = False,
)

result = await graph_client.policies.authorization_policy.patch(request_body)
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    BlockMsolPowerShell = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

```go
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewAuthorizationPolicy()
blockMsolPowerShell := true
requestBody.SetBlockMsolPowerShell(&blockMsolPowerShell)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
authorizationPolicy, err := graphClient.Policies().AuthorizationPolicy().Patch(context.Background(), requestBody, nil)
```

```java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
authorizationPolicy.setBlockMsolPowerShell(true);
AuthorizationPolicy result = graphClient.policies().authorizationPolicy().patch(authorizationPolicy);
```

```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuthorizationPolicy;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuthorizationPolicy();
$requestBody->setBlockMsolPowerShell(true);

$result = $graphServiceClient->policies()->authorizationPolicy()->patch($requestBody)->wait();
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AuthorizationPolicy(
    block_msol_power_shell = True,
)

result = await graph_client.policies.authorization_policy.patch(request_body)
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    DefaultUserRolePermissions = new DefaultUserRolePermissions
    {
        AllowedToCreateApps = false,
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

```go
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewAuthorizationPolicy()
defaultUserRolePermissions := graphmodels.NewDefaultUserRolePermissions()
allowedToCreateApps := false
defaultUserRolePermissions.SetAllowedToCreateApps(&allowedToCreateApps)
requestBody.SetDefaultUserRolePermissions(defaultUserRolePermissions)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
authorizationPolicy, err := graphClient.Policies().AuthorizationPolicy().Patch(context.Background(), requestBody, nil)
```

```java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
DefaultUserRolePermissions defaultUserRolePermissions = new DefaultUserRolePermissions();
defaultUserRolePermissions.setAllowedToCreateApps(false);
authorizationPolicy.setDefaultUserRolePermissions(defaultUserRolePermissions);
AuthorizationPolicy result = graphClient.policies().authorizationPolicy().patch(authorizationPolicy);
```

```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuthorizationPolicy;
use Microsoft\Graph\Generated\Models\DefaultUserRolePermissions;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuthorizationPolicy();
$defaultUserRolePermissions = new DefaultUserRolePermissions();
$defaultUserRolePermissions->setAllowedToCreateApps(false);
$requestBody->setDefaultUserRolePermissions($defaultUserRolePermissions);

$result = $graphServiceClient->policies()->authorizationPolicy()->patch($requestBody)->wait();
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy
from msgraph.generated.models.default_user_role_permissions import DefaultUserRolePermissions

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AuthorizationPolicy(
    default_user_role_permissions = DefaultUserRolePermissions(
        allowed_to_create_apps = False,
    ),
)

result = await graph_client.policies.authorization_policy.patch(request_body)
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    AllowedToUseSSPR = true,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

```go
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewAuthorizationPolicy()
allowedToUseSSPR := true
requestBody.SetAllowedToUseSSPR(&allowedToUseSSPR)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
authorizationPolicy, err := graphClient.Policies().AuthorizationPolicy().Patch(context.Background(), requestBody, nil)
```

```java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
authorizationPolicy.setAllowedToUseSSPR(true);
AuthorizationPolicy result = graphClient.policies().authorizationPolicy().patch(authorizationPolicy);
```

```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuthorizationPolicy;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuthorizationPolicy();
$requestBody->setAllowedToUseSSPR(true);

$result = $graphServiceClient->policies()->authorizationPolicy()->patch($requestBody)->wait();
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AuthorizationPolicy(
    allowed_to_use_s_s_p_r = True,
)

result = await graph_client.policies.authorization_policy.patch(request_body)
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    DefaultUserRolePermissions = new DefaultUserRolePermissions
    {
        PermissionGrantPoliciesAssigned = new List<string>
        {
        },
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

```go
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewAuthorizationPolicy()
defaultUserRolePermissions := graphmodels.NewDefaultUserRolePermissions()
permissionGrantPoliciesAssigned := []string{}
defaultUserRolePermissions.SetPermissionGrantPoliciesAssigned(permissionGrantPoliciesAssigned)
requestBody.SetDefaultUserRolePermissions(defaultUserRolePermissions)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
authorizationPolicy, err := graphClient.Policies().AuthorizationPolicy().Patch(context.Background(), requestBody, nil)
```

```java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
DefaultUserRolePermissions defaultUserRolePermissions = new DefaultUserRolePermissions();
LinkedList<String> permissionGrantPoliciesAssigned = new LinkedList<String>();
defaultUserRolePermissions.setPermissionGrantPoliciesAssigned(permissionGrantPoliciesAssigned);
authorizationPolicy.setDefaultUserRolePermissions(defaultUserRolePermissions);
AuthorizationPolicy result = graphClient.policies().authorizationPolicy().patch(authorizationPolicy);
```

```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuthorizationPolicy;
use Microsoft\Graph\Generated\Models\DefaultUserRolePermissions;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuthorizationPolicy();
$defaultUserRolePermissions = new DefaultUserRolePermissions();
$defaultUserRolePermissions->setPermissionGrantPoliciesAssigned([]);
$requestBody->setDefaultUserRolePermissions($defaultUserRolePermissions);

$result = $graphServiceClient->policies()->authorizationPolicy()->patch($requestBody)->wait();
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy
from msgraph.generated.models.default_user_role_permissions import DefaultUserRolePermissions

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AuthorizationPolicy(
    default_user_role_permissions = DefaultUserRolePermissions(
        permission_grant_policies_assigned = [
        ],
    ),
)

result = await graph_client.policies.authorization_policy.patch(request_body)
```
Example 6: Enable user consent to apps, subject to the app consent policy
Request
The following example shows the request that allows users to consent to apps, subject to the built-in app consent policy microsoft-user-default-low, which allows delegated permissions classified as "low" for client apps from verified publishers or registered in the same tenant.
```csharp
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    DefaultUserRolePermissions = new DefaultUserRolePermissions
    {
        PermissionGrantPoliciesAssigned = new List<string>
        {
            "managePermissionGrantsForSelf.microsoft-user-default-low",
        },
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

```go
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
	"context"
	msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	//other-imports
)

requestBody := graphmodels.NewAuthorizationPolicy()
defaultUserRolePermissions := graphmodels.NewDefaultUserRolePermissions()
permissionGrantPoliciesAssigned := []string{
	"managePermissionGrantsForSelf.microsoft-user-default-low",
}
defaultUserRolePermissions.SetPermissionGrantPoliciesAssigned(permissionGrantPoliciesAssigned)
requestBody.SetDefaultUserRolePermissions(defaultUserRolePermissions)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
authorizationPolicy, err := graphClient.Policies().AuthorizationPolicy().Patch(context.Background(), requestBody, nil)
```

```java
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AuthorizationPolicy authorizationPolicy = new AuthorizationPolicy();
DefaultUserRolePermissions defaultUserRolePermissions = new DefaultUserRolePermissions();
LinkedList<String> permissionGrantPoliciesAssigned = new LinkedList<String>();
permissionGrantPoliciesAssigned.add("managePermissionGrantsForSelf.microsoft-user-default-low");
defaultUserRolePermissions.setPermissionGrantPoliciesAssigned(permissionGrantPoliciesAssigned);
authorizationPolicy.setDefaultUserRolePermissions(defaultUserRolePermissions);
AuthorizationPolicy result = graphClient.policies().authorizationPolicy().patch(authorizationPolicy);
```

```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuthorizationPolicy;
use Microsoft\Graph\Generated\Models\DefaultUserRolePermissions;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuthorizationPolicy();
$defaultUserRolePermissions = new DefaultUserRolePermissions();
$defaultUserRolePermissions->setPermissionGrantPoliciesAssigned(['managePermissionGrantsForSelf.microsoft-user-default-low']);
$requestBody->setDefaultUserRolePermissions($defaultUserRolePermissions);

$result = $graphServiceClient->policies()->authorizationPolicy()->patch($requestBody)->wait();
```

```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy
from msgraph.generated.models.default_user_role_permissions import DefaultUserRolePermissions

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AuthorizationPolicy(
    default_user_role_permissions = DefaultUserRolePermissions(
        permission_grant_policies_assigned = [
            "managePermissionGrantsForSelf.microsoft-user-default-low",
        ],
    ),
)

result = await graph_client.policies.authorization_policy.patch(request_body)
```