Partilhar via


Operations on policy | Graph API reference

Applies to: Graph API | Azure Active Directory

Policies are custom rules that can be enforced on applications, service principals, groups, or the entire organization they are assigned to. There are currently only two types of policies available:

  • Token Lifetime Policy: specifies the lifetime duration of tokens issued for applications and service principals.
  • Token Issuance Policy: specifies characteristics of SAML tokens issued by Azure AD.

This article applies to Azure AD Graph API. For similar info related to Microsoft Graph API, see policy resource type.

Importante

We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.

Performing REST operations on policy

To perform operations on organizational policy with the Graph API, you send HTTP requests with a supported method (GET, POST, PATCH, PUT, or DELETE) to an endpoint that targets the policies resource collection, a specific policy, a navigation property of a policy, or a function or action that can be called on a policy.

Graph API requests use the following basic URL:

https://graph.windows.net/{tenant_id}/{resource_path}?{api_version}[odata_query_parameters]

Importante

Requests sent to the Graph API must be well-formed, target a valid endpoint and version of the Graph API, and carry a valid access token obtained from Azure AD in their Authorization header. For more detailed information about creating requests and receiving responses with the Graph API, see Operations Overview.

You specify the {resource_path} differently depending on whether you are targeting the collection of all policies in your tenant, an individual policy, or a navigation property of a specific policy.

  • /policies targets the policy resource collection. You can use this resource path to read all policy or a filtered list of policies in your tenant.
  • /policies/{object_id} targets an individual policy in your tenant. You specify the target policy with its object ID (GUID). You can use this resource path to get the declared properties of a policy. For policies that are not synced from an on-premises directory, you can use this resource path to modify the declared properties of a policy, or to delete a policy.
  • /policies/{object_id}/{nav_property} targets the specified navigation property of a policy. You can use it to return the object or objects referenced by the target navigation property of the specified policy. Note: This form of addressing is only available for reads.
  • /policies/{object_id}/$links/{nav_property} targets the specified navigation property of a policy. You can use this form of addressing to both read and modify a navigation property. On reads, the objects referenced by the property are returned as one or more links in the response body.

Get policy

Retrieve the properties of a policy.

On success, returns the details of the policy; otherwise, the response body contains error details. For more information about errors, see Error Codes and Error Handling.

GET https://graph.windows.net/myorganization/policies/{object_id}?api-version

Parameters

Parameter Type Value Notes
URL
object_id string 85d03130-ed36-49ae-ac48-ad23dded599e The policy object ID.
Query
api-version string 1.6 Specifies the version of the Graph API to target. Required.
GET https://graph.windows.net/myorganization/policies/85d03130-ed36-49ae-ac48-ad23dded599e?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy/@Element",
  "value": [
    {
      "alternativeIdentifier": null,
      "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"
      ],
      "deletionTimestamp": null,
      "displayName": "CustomTokenLifetimePolicy",
      "isTenantDefault": false,
      "objectId": "67efc1a7-5774-4ad4-bda4-672fffdb4d40",
      "objectType": "Policy",
      "keyCredentials": [],
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "type": "TokenLifetimePolicy"
    }
  ]
}

Response List

Status Code Description
200 OK. Indicates success. The policy is returned in the response body.

Create a policy

Create a new policy object by specifying display name, policy type, and policy description.

On success, returns the policy object in the response body; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

POST https://graph.windows.net/myorganization/policies?api-version

Parameters

Parameter Type Value Notes
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
Body ----- ----- ------
Content-Type: application/json ----- ----- ------
{
  "displayName": "CustomTokenLifetimePolicy",
  "definition": [
    "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"
  ],
  "type": "TokenLifetimePolicy"
}

Response

Status Code:201

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy",
  "value": [
    {
      "alternativeIdentifier": null,
      "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"
      ],
      "deletionTimestamp": null,
      "displayName": "CustomTokenLifetimePolicy",
      "isTenantDefault": false,
      "objectId": "67efc1a7-5774-4ad4-bda4-672fffdb4d40",
      "objectType": "Policy",
      "keyCredentials": [],
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "type": "TokenLifetimePolicy"
    }
  ]
}

Response List

Status Code Description
201 Created. Indicates success. Returns policy object in the response body.
POST https://graph.windows.net/myorganization/policies?api-version

Parameters

Parameter Type Value Notes
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
Body ----- ----- ------
Content-Type: application/json ----- ----- ------
{
  "displayName": "CustomTokenIssuancePolicy",
  "definition": [
    "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":1}}"
  ],
  "type": "TokenIssuancePolicy"
}

Response

Status Code:201

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy",
  "value": [
    {
      "alternativeIdentifier": null,
      "definition": [
        "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":1}}"
      ],
      "deletionTimestamp": null,
      "displayName": "CustomTokenIssuancePolicy",
      "isTenantDefault": false,
      "objectId": "76c1a417-c023-49fa-9893-1db93e2672a4",
      "objectType": "Policy",
      "keyCredentials": [],
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "type": "TokenIssuancePolicy"
    }
  ]
}

Response List

Status Code Description
201 Created. Indicates success. Returns policy object in the response body.

List policies

Retrieve all policy objects in the directory.

On success, returns a collection of policy objects; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

GET https://graph.windows.net/myorganization/policies?api-version

Parameters

Parameter Type Value Notes
Query ----- ----- ------
api-version string 1.6 Specifies the version of the Graph API to target. Required.

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy",
  "value": [
    {
      "alternativeIdentifier": null,
      "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"
      ],
      "deletionTimestamp": null,
      "displayName": "CustomTokenLifetimePolicy",
      "isTenantDefault": false,
      "objectId": "67efc1a7-5774-4ad4-bda4-672fffdb4d40",
      "objectType": "Policy",
      "keyCredentials": [],
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "type": "TokenLifetimePolicy"
    },
    {
      "alternativeIdentifier": null,
      "definition": [
        "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":1}}"
      ],
      "deletionTimestamp": null,
      "displayName": "CustomTokenIssuancePolicy",
      "isTenantDefault": false,
      "objectId": "76c1a417-c023-49fa-9893-1db93e2672a4",
      "objectType": "Policy",
      "keyCredentials": [],
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "type": "TokenIssuancePolicy"
    }
  ]
}

Response List

Status Code Description
200 OK. Indicates success. The results are returned in the response body.

Update policy

Update properties in a preexisting policy.

On success, no content is returned; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

PATCH https://graph.windows.net/myorganization/policies/{object_id}?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
policy_id string 85d03130-ed36-49ae-ac48-ad23dded599e The policy object ID.
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
Body ----- ----- ------
Content-Type: application/json ----- ----- ------
{
  "displayName": "MyTokenLifetimePolicy"
}
PATCH https://graph.windows.net/myorganization/policies/{object_id}?api-version=1.6

Response

Status Code:204

Content-Type: application/json

none

Response List

Status Code Description
204 No Content. Indicates success. No response body is returned.

Delete policy

Delete a policy.

On success, no content is returned; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

DELETE https://graph.windows.net/myorganization/policies/{object_id}?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
policy_id string 85d03130-ed36-49ae-ac48-ad23dded599e The policy object ID.
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
DELETE https://graph.windows.net/myorganization/policies/{object_id}?api-version=1.6

Response

Status Code:204

Content-Type: application/json

none

Response List

Status Code Description
204 No Content. Indicates success.

Operations on policy navigation properties

Relationships between a policy and other objects in the directory such as applications or service principals are exposed through navigation properties. You can read and, in some cases, modify these relationships by targeting these navigation properties in your requests.

Assign a policy

Assigns a policy to an application or service principal.

On success, returns the policy object for the new policy; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

POST https://graph.windows.net/myorganization/applications/{object_id}/$links/policies?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
object_id string 9bf0e152-cb65-4740-807f-0f9068b1e274 The object id of the application or service principal (not the appid property).
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
Body ----- ----- ------
Content-Type: application/json ----- ----- ------
{
  "url": "https://graph.windows.net/myorganization/policies/092a6e8a-e25d-42b8-8151-c105445150ee"
}
POST https://graph.windows.net/myorganization/applications/9bf0e152-cb65-4740-807f-0f9068b1e274/$links/policies?api-version=1.6

Response

Status Code:204

Content-Type: application/json

none

Response List

Status Code Description
204 No Content. Indicates success.
POST https://graph.windows.net/myorganization/serviceprincipals/{object_id}/$links/policies?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
object_id string 9bf0e152-cb65-4740-807f-0f9068b1e274 The object id of the service principal.
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
Body ----- ----- ------
Content-Type: application/json ----- ----- ------
{
  "url": "https://graph.windows.net/myorganization/policies/092a6e8a-e25d-42b8-8151-c105445150ee"
}
POST https://graph.windows.net/myorganization/serviceprincipals/9bf0e152-cb65-4740-807f-0f9068b1e274/$links/policies?api-version=1.6

Response

Status Code:204

Content-Type: application/json

none

Response List

Status Code Description
204 No Content. Indicates success.

List applications and service principals with specific policy assigned

Retrieve the application and service principal objects with the specified policy assigned.

On success, returns the application and service principal objects for the policy in the response body; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

GET https://graph.windows.net/myorganization/policies/{policy_id}/appliesTo?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
policy_id string 85d03130-ed36-49ae-ac48-ad23dded599e The policy object ID.
Query ----- ----- ------
api-version string 1.6 Specifies the version of the Graph API to target. Required.
GET https://graph.windows.net/myorganization/policies/85d03130-ed36-49ae-ac48-ad23dded599e/appliesTo?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.Application",
      "objectType": "Application",
      "objectId": "ee24265c-66f8-49d2-a27d-51682f341034",
      "deletionTimestamp": null,
      "addIns": [],
      "appId": "d36c7e02-000d-4649-b711-6f3f3d17fc69",
      "appRoles": [],
      "availableToOtherTenants": true,
      "displayName": "My App",
      "errorUrl": null,
      "groupMembershipClaims": null,
      "homepage": null,
      "identifierUris": [],
      "keyCredentials": [],
      "knownClientApplications": [],
      "logoutUrl": null,
      "oauth2AllowImplicitFlow": false,
      "oauth2AllowUrlPathMatching": false,
      "oauth2Permissions": [],
      "oauth2RequirePostResponse": false,
      "passwordCredentials": [],
      "publicClient": true,
      "recordConsentConditions": null,
      "replyUrls": [],
      "requiredResourceAccess": [],
      "samlMetadataUrl": null
    }
  ]
}

Response List

Status Code Description
200 OK. Indicates success. Object IDs are returned in the response body for which the policy applies to.

List policies assigned to application or service principal

Retrieve the policy objects assigned to an application or service principal.

On success, returns the application or service principal objects for the policy in the response body; otherwise, a code and associated message is returned with the error. For more information about errors, see Error Codes and Error Handling.

GET https://graph.windows.net/myorganization/applications/{object_id}/policies?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
object_id string 08e89827-27e1-4b28-af9d-748e228c5c2f The object id of the application or service principal (not the appid property).
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
GET https://graph.windows.net/myorganization/applications/08e89827-27e1-4b28-af9d-748e228c5c2f/policies?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/AltimoreBreweryNSausageCo.onmicrosoft.com/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "objectType": "Policy",
      "objectId": "85d03130-ed36-49ae-ac48-ad23dded599f",
      "deletionTimestamp": null,
      "alternativeIdentifier": null,
      "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"
      ],
      "displayName": "CustomTokenLifetimePolicy",
      "isTenantDefault": false,
      "keyCredentials": [],
      "type": "TokenLifetimePolicy"
    }
  ]
}

Response List

Status Code Description
200 OK. Indicates success. Policy assigned to the application is returned in the response body.
GET https://graph.windows.net/myorganization/serviceprincipals/{object_id}/policies?api-version

Parameters

Parameter Type Value Notes
URL ----- ----- ------
object_id string 9bf0e152-cb65-4740-807f-0f9068b1e274 The object id of the application or service principal (not the appid property).
Query ----- ----- ------
api-version string 1.6 The version of the Graph API to target. Required.
GET https://graph.windows.net/myorganization/serviceprincipals/9bf0e152-cb65-4740-807f-0f9068b1e274/policies?api-version=1.6

Response

Status Code:200

Content-Type: application/json

{
  "odata.metadata": "https://graph.windows.net/AltimoreBreweryNSausageCo.onmicrosoft.com/$metadata#directoryObjects",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.Policy",
      "objectType": "Policy",
      "objectId": "85d03130-ed36-49ae-ac48-ad23dded599f",
      "deletionTimestamp": null,
      "alternativeIdentifier": null,
      "definition": [
        "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}"
      ],
      "displayName": "CustomTokenLifetimePolicy",
      "isTenantDefault": false,
      "keyCredentials": [],
      "type": "TokenLifetimePolicy"
    }
  ]
}

Response List

Status Code Description
200 OK. Indicates success. Policy assigned to the application is returned in the response body.

Additional Resources

  • Learn more about Graph API supported features, capabilities, and preview features in Graph API concepts
{
    "swagger": "2.0",
    "info": {
        "title": "Policies",
        "version": "1.6"
    },
    "paths": {
        "/policies": {
            "get": {
                "x-powershell-verb": "Get",
                "x-powershell-noun": "AzureADPolicys",
                "x-powershell-isList": true,
                "description": "Retrieve all policy objects in the directory.",
                "summary": "Retrieve all policy objects in the directory.",
                "operationId": "GetPolicys",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "query",
                        "description": "Specifies the version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK. Indicates success. The results are returned in the response body.",
                        "schema": {
                            "$ref": "#/definitions/PoliciesResponse"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy",
                                "value": [
                                    {
                                        "alternativeIdentifier": null,
                                        "definition": [ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}" ],
                                        "deletionTimestamp": null,
                                        "displayName": "CustomTokenLifetimePolicy",
                                        "isTenantDefault": false,
                                        "objectId": "67efc1a7-5774-4ad4-bda4-672fffdb4d40",
                                        "objectType": "Policy",
                                        "keyCredentials": [],
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "type": "TokenLifetimePolicy"
                                    },
                                    {
                                        "alternativeIdentifier": null,
                                        "definition": [ "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":1}}" ],
                                        "deletionTimestamp": null,
                                        "displayName": "CustomTokenIssuancePolicy",
                                        "isTenantDefault": false,
                                        "objectId": "76c1a417-c023-49fa-9893-1db93e2672a4",
                                        "objectType": "Policy",
                                        "keyCredentials": [],
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "type": "TokenIssuancePolicy"
                                    }
                                ]
                            }
                        }
                    }
                }
            },
            "post": {
                "x-powershell-verb": "New",
                "x-powershell-noun": "AzureADPolicy",
                "x-powershell-cmdlet": true,
                "x-powershell-dynamic": true,
                "description": "Create a new policy object by specifying display name, policy type, and policy description.",
                "summary": "Create a new policy object by specifying display name, policy type, and policy description.",
                "operationId": "NewTokenLifetimePolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "body",
                        "description": "In the request body, provide a JSON representation of policy object.",
                        "name": "bodyparam",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/policy",
                            "example": {
                                "displayName": "CustomTokenLifetimePolicy",
                                "definition": [ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}" ],
                                "type": "TokenLifetimePolicy"
                            }
                        }
                    }
                ],
                "responses": {
                    "201": {
                        "description": "Created. Indicates success. Returns policy object in the response body.",
                        "schema": {
                            "$ref": "#/definitions/getPoliciesResponse"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy",
                                "value": [
                                    {
                                        "alternativeIdentifier": null,
                                        "definition": [ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}" ],
                                        "deletionTimestamp": null,
                                        "displayName": "CustomTokenLifetimePolicy",
                                        "isTenantDefault": false,
                                        "objectId": "67efc1a7-5774-4ad4-bda4-672fffdb4d40",
                                        "objectType": "Policy",
                                        "keyCredentials": [],
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "type": "TokenLifetimePolicy"
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        },
        "/policies/{object_id}": {
            "get": {
                "x-powershell-verb": "Get",
                "x-powershell-noun": "AzureADPolicy",
                "x-powershell-cmdlet": true,
                "x-powershell-hasPlural": true,
                "description": "Retrieve the properties of a policy.",
                "summary": "Retrieve the properties of a policy.",
                "operationId": "GetPolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "path",
                        "description": "The policy object ID.",
                        "name": "object_id",
                        "required": true,
                        "type": "string",
                        "default": "85d03130-ed36-49ae-ac48-ad23dded599e",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "query",
                        "description": "Specifies the version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK. Indicates success. The policy is returned in the response body.",
                        "schema": {
                            "$ref": "#/definitions/policy"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy/@Element",
                                "value": [
                                    {
                                        "alternativeIdentifier": null,
                                        "definition": [ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}" ],
                                        "deletionTimestamp": null,
                                        "displayName": "CustomTokenLifetimePolicy",
                                        "isTenantDefault": false,
                                        "objectId": "67efc1a7-5774-4ad4-bda4-672fffdb4d40",
                                        "objectType": "Policy",
                                        "keyCredentials": [],
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "type": "TokenLifetimePolicy"
                                    }
                                ]
                            }
                        }
                    }
                }
            },
            "patch": {
                "x-powershell-verb": "Set",
                "x-powershell-noun": "AzureADPolicy",
                "x-powershell-cmdlet": true,
                "x-powershell-dynamic": true,
                "description": "Update properties in a preexisting policy.",
                "summary": "Update properties in a preexisting policy.",
                "operationId": "SetPolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "path",
                        "description": "The policy object ID.",
                        "name": "policy_id",
                        "required": true,
                        "type": "string",
                        "default": "85d03130-ed36-49ae-ac48-ad23dded599e",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },

                    {
                        "in": "body",
                        "description": "In the request body, provide a JSON representation of policy object.",
                        "name": "bodyparam",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/policy",
                            "example": {
                                "displayName": "MyTokenLifetimePolicy"
                            }
                        }
                    }
                ],
                "responses": {
                    "204": {
                        "description": "No Content. Indicates success. No response body is returned.",
                        "examples": {
                            "application/json": "none"

                        }
                    }
                }
            },
            "delete": {
                "x-powershell-verb": "Remove",
                "x-powershell-noun": "AzureADPolicy",
                "x-powershell-cmdlet": true,
                "description": "Delete a policy.",
                "summary": "Delete a policy.",
                "operationId": "RemovePolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "path",
                        "description": "The policy object ID.",
                        "name": "policy_id",
                        "required": true,
                        "type": "string",
                        "default": "85d03130-ed36-49ae-ac48-ad23dded599e",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    }
                ],
                "responses": {
                    "204": {
                        "description": "No Content. Indicates success.",
                        "examples": {
                            "application/json": "none"
                        }
                    }
                }
            }
        },
        "/policies/{policy_id}/appliesTo": {
            "get": {
                "x-powershell-verb": "Get",
                "x-powershell-noun": "AzureADAssignedPolicy",
                "x-powershell-isList": true,
                "x-powershell-cmdlet": true,
                "description": "Retrieve the application and service principal objects with the specified policy assigned.",
                "summary": "Retrieve the application and service principal objects with the specified policy assigned.",
                "operationId": "GetAssignedPolicies",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "path",
                        "description": "The policy object ID.",
                        "name": "policy_id",
                        "required": true,
                        "type": "string",
                        "default": "85d03130-ed36-49ae-ac48-ad23dded599e",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "query",
                        "description": "Specifies the version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK. Indicates success. Object IDs are returned in the response body for which the policy applies to.",
                        "schema": {
                            "$ref": "#/definitions/getDirectoryObjectsResponse"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
                                "value": [
                                    {
                                        "odata.type": "Microsoft.DirectoryServices.Application",
                                        "objectType": "Application",
                                        "objectId": "ee24265c-66f8-49d2-a27d-51682f341034",
                                        "deletionTimestamp": null,
                                        "addIns": [],
                                        "appId": "d36c7e02-000d-4649-b711-6f3f3d17fc69",
                                        "appRoles": [],
                                        "availableToOtherTenants": true,
                                        "displayName": "My App",
                                        "errorUrl": null,
                                        "groupMembershipClaims": null,
                                        "homepage": null,
                                        "identifierUris": [],
                                        "keyCredentials": [],
                                        "knownClientApplications": [],
                                        "logoutUrl": null,
                                        "oauth2AllowImplicitFlow": false,
                                        "oauth2AllowUrlPathMatching": false,
                                        "oauth2Permissions": [],
                                        "oauth2RequirePostResponse": false,
                                        "passwordCredentials": [],
                                        "publicClient": true,
                                        "recordConsentConditions": null,
                                        "replyUrls": [],
                                        "requiredResourceAccess": [],
                                        "samlMetadataUrl": null
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        },
        "/applications/{object_id}/policies": {
            "get": {
                "x-powershell-verb": "Get",
                "x-powershell-noun": "AzureADAssignedApplicationPolicies",
                "x-powershell-isList": true,
                "x-powershell-cmdlet": true,
                "description": "Retreive the policy objects assigned to an application.",
                "summary": "Retreive the policy objects assigned to an application.",
                "operationId": "GetAssignedApplicationPolicies",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "path",
                        "description": "The object id of the application or service principal (not the appid property).",
                        "name": "object_id",
                        "required": true,
                        "type": "string",
                        "default": "08e89827-27e1-4b28-af9d-748e228c5c2f",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    }

                ],
                "responses": {
                    "200": {
                        "description": "OK. Indicates success. Policy assigned to the application is returned in the response body.",
                        "schema": {
                            "$ref": "#/definitions/PoliciesResponse"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/AltimoreBreweryNSausageCo.onmicrosoft.com/$metadata#directoryObjects",
                                "value": [
                                    {
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "objectType": "Policy",
                                        "objectId": "85d03130-ed36-49ae-ac48-ad23dded599f",
                                        "deletionTimestamp": null,
                                        "alternativeIdentifier": null,
                                        "definition": [ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}" ],
                                        "displayName": "CustomTokenLifetimePolicy",
                                        "isTenantDefault": false,
                                        "keyCredentials": [],
                                        "type": "TokenLifetimePolicy"
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        },
        "/applications/{object_id}/$links/policies": {
            "post": {
                "x-powershell-verb": "Assign",
                "x-powershell-noun": "AzureADAssignApplicationPolicy",
                "x-powershell-cmdlet": true,
                "x-powershell-dynamic": true,
                "description": "Assigns a policy to an application",
                "summary": "Assigns a policy to an application",
                "operationId": "AssignApplicationPolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "path",
                        "description": "The object id of the application or service principal (not the appid property).",
                        "name": "object_id",
                        "required": true,
                        "type": "string",
                        "default": "9bf0e152-cb65-4740-807f-0f9068b1e274",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "body",
                        "description": "In the request body, provide a JSON representation of a URL to a policy object.",
                        "name": "bodyparam",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/link",
                            "example": {
                                "url": "https://graph.windows.net/myorganization/policies/092a6e8a-e25d-42b8-8151-c105445150ee"
                            }
                        }
                    }
                ],
                "responses": {
                    "204": {
                        "description": "No Content. Indicates success.",
                        "examples": {
                            "application/json": "none"
                        }
                    }
                }
            }
        },
        "/serviceprincipals/{object_id}/policies": {
            "get": {
                "x-powershell-verb": "Get",
                "x-powershell-noun": "AzureADServicePrincipalPolicies",
                "x-powershell-isList": true,
                "x-powershell-cmdlet": true,
                "description": "Retreive the policy objects assigned to a service principal.",
                "summary": "Retreive the policy objects assigned to a service principal.",
                "operationId": "GetAssignedServicePrincipalPolicies",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "path",
                        "description": "The object id of the application or service principal (not the appid property).",
                        "name": "object_id",
                        "required": true,
                        "type": "string",
                        "default": "9bf0e152-cb65-4740-807f-0f9068b1e274",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    }

                ],
                "responses": {
                    "200": {
                        "description": "OK. Indicates success. Policy assigned to the application is returned in the response body.",
                        "schema": {
                            "$ref": "#/definitions/policy"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/AltimoreBreweryNSausageCo.onmicrosoft.com/$metadata#directoryObjects",
                                "value": [
                                    {
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "objectType": "Policy",
                                        "objectId": "85d03130-ed36-49ae-ac48-ad23dded599f",
                                        "deletionTimestamp": null,
                                        "alternativeIdentifier": null,
                                        "definition": [ "{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"8:00:00\"}}" ],
                                        "displayName": "CustomTokenLifetimePolicy",
                                        "isTenantDefault": false,
                                        "keyCredentials": [],
                                        "type": "TokenLifetimePolicy"
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        },
        "/serviceprincipals/{object_id}/$links/policies": {
            "post": {
                "x-powershell-verb": "Assign",
                "x-powershell-noun": "AzureADServicePrincipalPolicy",
                "x-powershell-cmdlet": true,
                "x-powershell-dynamic": true,
                "description": "Assigns a policy to a service principal.",
                "summary": "Assigns a policy to a service principal.",
                "operationId": "AssignServicePrincipalPolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "path",
                        "description": "The object id of the service principal.",
                        "name": "object_id",
                        "required": true,
                        "type": "string",
                        "default": "9bf0e152-cb65-4740-807f-0f9068b1e274",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "body",
                        "description": "In the request body, provide a JSON representation of a URL to a policy object.",
                        "name": "bodyparam",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/link",
                            "example": {
                                "url": "https://graph.windows.net/myorganization/policies/092a6e8a-e25d-42b8-8151-c105445150ee"
                            }
                        }
                    }
                ],
                "responses": {
                    "204": {
                        "description": "No Content. Indicates success.",
                        "examples": {
                            "application/json": "none"
                        }
                    }
                }
            }
        }
    },
    "host": "graph.windows.net",
    "basePath": "/myorganization",
    "schemes": [ "https" ],
    "definitions": {
        "PoliciesResponse": {
            "description": "A list of policies.",
            "allOf": [
                {
                    "$ref": "#/definitions/odataResponse"
                },
                {
                    "properties": {
                        "value": {
                            "type": "array",
                            "items": {
                                "$ref": "#/definitions/policy"
                            }
                        }
                    }
                }
            ]
        },    
         
        "policy": {
            "required": [
                "definition",
                "displayName",
                "type"
            ],
            "properties": {
                "alternativeIdentifier": {
                    "type": "string"
                },
                "definition": {
                    "type": "string",
                    "x-mandatory": true
                },
                "displayName": {
                    "type": "string",
                    "x-mandatory": true
                },
                "isTenantDefault": {
                    "type": "boolean"
                },
                "KeyCredentials": {
                    "type": "array"
                },
                "type": {
                    "type": "string",
                    "x-mandatory": true
                }
            }
        },
        "link": {
            "required": [
                "url"
            ],
            "properties": {
                "url": {
                    "type": "string"
                }
            }
        },
        "odataResponse": {
            "discriminator": "odata.metadata",
            "properties": {
                "odata.nextLink": {
                    "description": "Gets or sets the next link for the OData response. Getter returns null if no next link should be sent back to the client.",
                    "type": "string"
                },
                "odata.metadata": {
                    "type": "string"
                }
            }
        }
    }
}
{
    "swagger": "2.0",
    "info": {
        "title": "Policies2",
        "version": "1.6"
    },
    "paths": {
        "/policies": {
            "post": {
                "x-powershell-verb": "New",
                "x-powershell-noun": "AzureADPolicy",
                "x-powershell-cmdlet": true,
                "x-powershell-dynamic": true,
                "description": "Create a new policy object by specifying display name, policy type, and policy description.",
                "summary": "Create a new policy object by specifying display name, policy type, and policy description.",
                "operationId": "NewTokenIssuancePolicy",
                "tags": [
                    "Policy"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "in": "query",
                        "description": "The version of the Graph API to target. Required.",
                        "name": "api-version",
                        "required": true,
                        "type": "string",
                        "default": "1.6",
                        "x-powershell-hide": true,
                        "x-powershell-required": false
                    },
                    {
                        "in": "body",
                        "description": "In the request body, provide a JSON representation of policy object.",
                        "name": "bodyparam",
                        "required": true,
                        "schema": {
                            "$ref": "#/definitions/policy",
                            "example": {
                                "displayName": "CustomTokenIssuancePolicy",
                                "definition": [ "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":1}}" ],
                                "type": "TokenIssuancePolicy"
                            }
                        }
                    }
                ],
                "responses": {
                    "201": {
                        "description": "Created. Indicates success. Returns policy object in the response body.",
                        "schema": {
                            "$ref": "#/definitions/getPoliciesResponse"
                        },
                        "examples": {
                            "application/json": {
                                "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Policy",
                                "value": [
                                    {
                                        "alternativeIdentifier": null,
                                        "definition": [ "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":1}}" ],
                                        "deletionTimestamp": null,
                                        "displayName": "CustomTokenIssuancePolicy",
                                        "isTenantDefault": false,
                                        "objectId": "76c1a417-c023-49fa-9893-1db93e2672a4",
                                        "objectType": "Policy",
                                        "keyCredentials": [],
                                        "odata.type": "Microsoft.DirectoryServices.Policy",
                                        "type": "TokenIssuancePolicy"
                                    }
                                ]
                            }
                        }
                    }
                }
            }
        }
    },
    "host": "graph.windows.net",
    "basePath": "/myorganization",
    "schemes": [ "https" ],
    "definitions": {
        "PoliciesResponse": {
            "description": "A list of policies.",
            "allOf": [
                {
                    "$ref": "#/definitions/odataResponse"
                },
                {
                    "properties": {
                        "value": {
                            "type": "array",
                            "items": {
                                "$ref": "#/definitions/policy"
                            }
                        }
                    }
                }
            ]
        },    
         
        "policy": {
            "required": [
                "definition",
                "displayName",
                "type"
            ],
            "properties": {
                "alternativeIdentifier": {
                    "type": "string"
                },
                "definition": {
                    "type": "string",
                    "x-mandatory": true
                },
                "displayName": {
                    "type": "string",
                    "x-mandatory": true
                },
                "isTenantDefault": {
                    "type": "boolean"
                },
                "KeyCredentials": {
                    "type": "array"
                },
                "type": {
                    "type": "string",
                    "x-mandatory": true
                }
            }
        },
        "link": {
            "required": [
                "url"
            ],
            "properties": {
                "url": {
                    "type": "string"
                }
            }
        },
        "odataResponse": {
            "discriminator": "odata.metadata",
            "properties": {
                "odata.nextLink": {
                    "description": "Gets or sets the next link for the OData response. Getter returns null if no next link should be sent back to the client.",
                    "type": "string"
                },
                "odata.metadata": {
                    "type": "string"
                }
            }
        }
    }
}