How to obtain conditional access policies with a Global reader user via Graph Explorer

Steven Paredes 20 Reputation points
2024-03-20T13:36:17.1866667+00:00

Hi everyone,

I've tried to resolve it by myself, but I don't get a solution.

I want to execute this query https://graph.microsoft.com/beta/policies/conditionalAccessPolicies in Graph Explorer with a Global Reader user, but I receive an error message "You cannot perform the requested operation, required scopes are missing in the token". After this message, I've decoded my token and, obviously, I didn't have this scope.

Therefore, my question is, if I have the Global Reader role assigned in my IT user, I should be able to get the information about conditional access policies, right?

If not, what other actions do I have to do?

Thanks in advance.
Best Regards.


Accepted answer
  1. Navya 10,870 Reputation points Microsoft Vendor
    2024-03-26T08:21:44.5+00:00

    Hi @Steven Paredes

    Thank you for posting this in Microsoft Q&A.

    I understand you are trying to execute a query to obtain conditional access policies in Graph Explorer with a Global Reader user, but you have received an error message "You cannot perform the requested operation, required scopes are missing in the token".

    Conditional access policies can be acquired using a Global reader user through Microsoft Entra. However, in order to utilize Graph Explorer, the "Policy.Read.All" scope is necessary.

    To obtain conditional access policies via Graph Explorer, use the HTTP request below.

    GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
    

    Prior to making the request, ensure that you have granted permission for the "Policy.Read.All" scope.

    For your reference: https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-list-policies?view=graph-rest-1.0&tabs=http#code-try-1

    Hope this helps. Do let us know if you have any further queries.

    Please remember to "Accept Answer" if the answer helped you. This will help us as well as others in the community who might be researching similar questions.

    Thanks,

    Navya.

    1 person found this answer helpful.
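
The role-versus-scope distinction this thread turns on, as an added example that is not part of any answer above: a directory role and a consented delegated scope are separate claims in the access token, and the Graph Explorer request needs the scope. The code assumes the token is a JWT carrying `scp` and `wids` claims; the helper names, sample tokens and role ID are constructed for illustration.

```python
import base64
import json

REQUIRED_SCOPE = "Policy.Read.All"  # scope named in the accepted answer


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    For local troubleshooting only; never authorize on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, required: str = REQUIRED_SCOPE) -> dict:
    """Report whether the delegated scope is present, alongside any role claim."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()  # delegated scopes, space separated
    roles = claims.get("wids", [])          # directory role template IDs
    has_scope = required.lower() in [s.lower() for s in scopes]
    return {"has_scope": has_scope, "scopes": scopes, "directory_roles": roles}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Entra token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed samples: identical role claim, different consented scopes.
ROLE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real role ID
TOKEN_BEFORE = make_sample_token({"scp": "openid profile User.Read", "wids": [ROLE_ID]})
TOKEN_AFTER = make_sample_token(
    {"scp": "openid profile User.Read Policy.Read.All", "wids": [ROLE_ID]}
)

if __name__ == "__main__":
    for label, tok in (("before consent", TOKEN_BEFORE), ("after consent", TOKEN_AFTER)):
        print(label, check_token(tok))
```

Both sample tokens carry the same role claim; only the one whose `scp` lists `Policy.Read.All` passes the check.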

1 additional answer

  1. Andy David - MVP 147.9K Reputation points MVP
    2024-03-20T13:59:33.26+00:00

    Works here as Global Reader. Did you sign in to Graph Explorer before elevating to Global Reader?

