获取 conditionalAccessPolicy
命名空间:microsoft.graph
检索 conditionalAccessPolicy 对象的属性和关系。
此 API 可用于以下国家级云部署。
全局服务 | 美国政府 L4 | 美国政府 L5 (DOD) | 由世纪互联运营的中国 |
---|---|---|---|
✅ | ✅ | ✅ | ✅ |
权限
为此 API 选择标记为最低特权的权限。 只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
权限类型 | 最低特权权限 | 更高特权权限 |
---|---|---|
委派(工作或学校帐户) | Policy.Read.All | 不可用。 |
委派(个人 Microsoft 帐户) | 不支持。 | 不支持。 |
应用程序 | Policy.Read.All | 不可用。 |
重要
在具有工作或学校帐户的委托方案中,如果已登录用户对其他用户进行操作,则必须为他们分配受支持的Microsoft Entra角色或具有受支持角色权限的自定义角色。 此操作支持以下最低特权角色。
- 全局安全访问管理员 - 读取标准属性
- 安全读取器 - 读取标准属性
- 安全管理员 - 读取标准属性
- 全局读取者
- 条件访问管理
HTTP 请求
GET /identity/conditionalAccess/policies/{id}
可选的查询参数
此方法支持 $select
OData 查询参数来帮助自定义响应。 若要了解一般信息,请参阅 OData 查询参数。
请求标头
名称 | 说明 |
---|---|
Authorization | 持有者 {token}。 必填。 详细了解 身份验证和授权。 |
请求正文
请勿提供此方法的请求正文。
响应
如果成功,此方法在响应正文中返回响应 200 OK
代码和请求的 conditionalAccessPolicy 对象。
示例
请求
以下示例显示了一个请求。
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/10ef4fe6-5e51-4f5e-b5a2-8fed19d0be67
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET identity/conditionalAccess/policies('<guid>')?$select=conditions,createdDateTime",
"id": "10ef4fe6-5e51-4f5e-b5a2-8fed19d0be67",
"templateId": null,
"displayName": "CA008: Require password change for high-risk users",
"createdDateTime": "2021-11-02T14:26:29.1005248Z",
"modifiedDateTime": "2024-01-30T23:11:08.549481Z",
"state": "enabled",
"conditions": {
"userRiskLevels": [
"high"
],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"platforms": null,
"locations": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [
"eedad040-3722-4bcb-bde5-bc7c857f4983"
],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"passwordChange"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('10ef4fe6-5e51-4f5e-b5a2-8fed19d0be67')/grantControls/authenticationStrength/$entity",
"authenticationStrength": {
"id": "00000000-0000-0000-0000-000000000002",
"createdDateTime": "2021-12-01T08:00:00Z",
"modifiedDateTime": "2021-12-01T08:00:00Z",
"displayName": "Multifactor authentication",
"description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
"policyType": "builtIn",
"requirementsSatisfied": "mfa",
"allowedCombinations": [
"windowsHelloForBusiness",
"fido2",
"x509CertificateMultiFactor",
"deviceBasedPush",
"temporaryAccessPassOneTime",
"temporaryAccessPassMultiUse",
"password,microsoftAuthenticatorPush",
"password,softwareOath",
"password,hardwareOath",
"password,sms",
"password,voice",
"federatedMultiFactor",
"microsoftAuthenticatorPush,federatedSingleFactor",
"softwareOath,federatedSingleFactor",
"hardwareOath,federatedSingleFactor",
"sms,federatedSingleFactor",
"voice,federatedSingleFactor"
],
"combinationConfigurations@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('10ef4fe6-5e51-4f5e-b5a2-8fed19d0be67')/grantControls/authenticationStrength/combinationConfigurations",
"combinationConfigurations": []
}
},
"sessionControls": {
"disableResilienceDefaults": null,
"applicationEnforcedRestrictions": null,
"cloudAppSecurity": null,
"persistentBrowser": null,
"signInFrequency": {
"value": null,
"type": null,
"authenticationType": "primaryAndSecondaryAuthentication",
"frequencyInterval": "everyTime",
"isEnabled": true
}
}
}