
다음을 통해 공유


Gets an authorization policy.


   [-Property <String[]>]
   -Id <String>
   [-Property <String[]>]


The Get-EntraAuthorizationPolicy cmdlet gets a Microsoft Entra ID authorization policy.

In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the required permissions. The least privileged roles for this operation are:

  • Global Reader
  • Security Reader
  • Security Operator
  • Security Administrator
  • Cloud Device Administrator
  • License Administrator
  • Privileged Role Administrator


Example 1: Get all policies

Connect-Entra -Scopes 'Policy.Read.All'

DeletedDateTime Description                                                       DisplayName          Id                  AllowEmailVerifiedUsersToJoinOrganization AllowI
--------------- -----------                                                       -----------          --                  ----------------------------------------- ------
                Used to manage authorization related settings across the company. Authorization Policy authorizationPolicy True                                      every…

This example gets the Microsoft Entra ID authorization policy.

Example 2: Get an authorization policy by ID

Connect-Entra -Scopes 'Policy.Read.All'
Get-EntraAuthorizationPolicy -Id 'authorizationPolicy' | Format-List

allowInvitesFrom                          : everyone
allowUserConsentForRiskyApps              :
id                                        : authorizationPolicy
defaultUserRolePermissions                : @{allowedToCreateSecurityGroups=True; allowedToReadBitlockerKeysForOwnedDevice=True; allowedToCreateTenants=True;
                                            allowedToReadOtherUsers=True; allowedToCreateApps=False; permissionGrantPoliciesAssigned=System.Object[]}
blockMsolPowerShell                       : False
guestUserRoleId                           : a0b1b346-4d3e-4e8b-98f8-753987be4970
displayName                               : Authorization Policy
@odata.context                            : https://graph.microsoft.com/v1.0/$metadata#policies/authorizationPolicy/$entity
allowedToSignUpEmailBasedSubscriptions    : True
description                               : Used to manage authorization related settings across the company.
allowEmailVerifiedUsersToJoinOrganization : True
allowedToUseSSPR                          : True
DeletedDateTime                           :
AdditionalProperties                      : {}

This example gets the Microsoft Entra ID authorization policy.

  • -Id parameter specifies the unique identifier of the authorization policy.

The response properties are:

  • allowedToSignUpEmailBasedSubscriptions - indicates whether users can sign up for email based subscriptions.
  • allowedToUseSSPR - indicates whether administrators of the tenant can use the Self-Service Password Reset (SSPR).
  • allowEmailVerifiedUsersToJoinOrganization - indicates whether a user can join the tenant by email validation.
  • allowInvitesFrom - indicates who can invite guests to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government.
  • allowUserConsentForRiskyApps - indicates whether user consent for risky apps is allowed. Default value is false. We recommend that you keep the value set to false.
  • blockMsolPowerShell - to disable the use of the MSOnline PowerShell module set this property to true. This also disables user-based access to the legacy service endpoint used by the MSOnline PowerShell module. This doesn't affect Microsoft Entra Connect or Microsoft Graph.
  • defaultUserRolePermissions - specifies certain customizable permissions for default user role.
  • description - description of this policy.
  • displayName - display name for this policy.
  • enabledPreviewFeatures - list of features enabled for private preview on the tenant.
  • guestUserRoleId -represents role templateId for the role that should be granted to guests. Refer to List unifiedRoleDefinitions to find the list of available role templates. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
  • permissionGrantPolicyIdsAssignedToDefaultUserRole - indicates if user consent to apps is allowed, and if it is, the app consent policy that governs the permission for users to grant consent. Values should be in the format managePermissionGrantsForSelf.{id} for user consent policies or managePermissionGrantsForOwnedResource.{id} for resource-specific consent policies, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled.



Specifies the unique identifier of the authorization policy.

Default value:None
Accept pipeline input:True
Accept wildcard characters:False


Specifies properties to be returned.

Default value:None
Accept pipeline input:False
Accept wildcard characters:False