authorizationPolicy resource type

Namespace: microsoft.graph

Represents a policy that can control Azure Active Directory authorization settings. It's a singleton that inherits from base policy type, and always exists for the tenant.


Method Return Type Description
Get authorizationPolicy authorizationPolicy Read the authorizationPolicy object.
Update authorizationPolicy None Update the authorizationPolicy object.


Property Type Description
allowEmailVerifiedUsersToJoinOrganization Boolean Indicates whether a user can join the tenant by email validation.
allowInvitesFrom allowInvitesFrom Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. For more details, see allowInvitesFrom values.
allowUserConsentForRiskyApps Boolean Indicates whether user consent for risky apps is allowed. We recommend to keep this as false. Default value is false.
allowedToSignUpEmailBasedSubscriptions Boolean Indicates whether users can sign up for email based subscriptions.
allowedToUseSSPR Boolean Indicates whether users can use the Self-Serve Password Reset feature on the tenant.
blockMsolPowerShell Boolean To disable the use of MSOL PowerShell, set this property to true. This also disables user-based access to the legacy service endpoint used by MSOL PowerShell. This does not affect Azure Active Directory Connect or Microsoft Graph.
defaultUserRolePermissions defaultUserRolePermissions Specifies certain customizable permissions for default user role.
description String Description of this policy.
displayName String Display name for this policy.
guestUserRoleId Guid Represents role templateId for the role that should be granted to guest user. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
id String ID of the authorization policy. Required. Read-only.

allowInvitesFrom values

Member Description
none Prevent everyone, including admins, from inviting external users. Default setting for US Government.
adminsAndGuestInviters Allow members of Global Administrators, User Administrators, and Guest Inviter roles to invite external users.
adminsGuestInvitersAndAllMembers Allow the above admin roles and all other User role members to invite external users.
everyone Allow everyone in the organization, including guest users, to invite external users. The default setting for all cloud environments except US Government.



JSON representation

The following is a JSON representation of the resource.

  "allowEmailVerifiedUsersToJoinOrganization": "Boolean",
  "allowInvitesFrom": "String",
  "allowUserConsentForRiskyApps": "Boolean",
  "allowedToSignUpEmailBasedSubscriptions": "Boolean",
  "allowedToUseSSPR": "Boolean",
  "blockMsolPowerShell": "Boolean",
  "defaultUserRolePermissions": {"@odata.type": "microsoft.graph.defaultUserRolePermissions"},
  "description": "String",
  "displayName": "String",
  "guestUserRoleId": "Guid",
  "id": "String (identifier)"