authorizationPolicy resource type

Namespace: microsoft.graph

Represents a policy that can control Microsoft Entra authorization settings. It's a singleton that inherits from base policy type, and always exists for the tenant.


Method Return Type Description
Get authorizationPolicy authorizationPolicy Read the authorizationPolicy object.
Update authorizationPolicy None Update the authorizationPolicy object.


Property Type Description
allowEmailVerifiedUsersToJoinOrganization Boolean Indicates whether a user can join the tenant by email validation.
allowInvitesFrom allowInvitesFrom Indicates who can invite guests to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. For more information, see allowInvitesFrom values.
allowUserConsentForRiskyApps Boolean Indicates whether user consent for risky apps is allowed. We recommend keeping allowUserConsentForRiskyApps as false. Default value is false.
allowedToSignUpEmailBasedSubscriptions Boolean Indicates whether users can sign up for email based subscriptions.
allowedToUseSSPR Boolean Indicates whether administrators of the tenant can use the Self-Service Password Reset (SSPR). For more information, see Self-service password reset for administrators.
blockMsolPowerShell Boolean To disable the use of MSOL PowerShell, set this property to true. This also disables user-based access to the legacy service endpoint used by MSOL PowerShell. This doesn't affect Microsoft Entra Connect or Microsoft Graph.
defaultUserRolePermissions defaultUserRolePermissions Specifies certain customizable permissions for default user role.
description String Description of this policy.
displayName String Display name for this policy.
guestUserRoleId Guid Represents role templateId for the role that should be granted to guests. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b).
id String ID of the authorization policy. Required. Read-only.

allowInvitesFrom values

Member Description
none Prevent everyone, including admins, from inviting guests. Default setting for US Government.
adminsAndGuestInviters Allow members of Global Administrator, User Administrator, and Guest Inviter roles to invite guests.
adminsGuestInvitersAndAllMembers Allow the above admin roles and all other User role members to invite guests.
everyone Allow everyone in the organization, including guests, to invite guests. The default setting for all cloud environments except US Government.



JSON representation

The following JSON representation shows the resource type.

  "allowEmailVerifiedUsersToJoinOrganization": "Boolean",
  "allowInvitesFrom": "String",
  "allowUserConsentForRiskyApps": "Boolean",
  "allowedToSignUpEmailBasedSubscriptions": "Boolean",
  "allowedToUseSSPR": "Boolean",
  "blockMsolPowerShell": "Boolean",
  "defaultUserRolePermissions": {"@odata.type": "microsoft.graph.defaultUserRolePermissions"},
  "description": "String",
  "displayName": "String",
  "guestUserRoleId": "Guid",
  "id": "String (identifier)"