conditionalAccessConditionSet resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents the type of conditions that govern when the policy applies.

Properties

| Property | Type | Description |
|---|---|---|
| applications | conditionalAccessApplications | Applications and user actions included in and excluded from the policy. Required. |
| users | conditionalAccessUsers | Users, groups, and roles included in and excluded from the policy. Either users or clientApplications is required. |
| clientApplications | conditionalAccessClientApplications | Client applications (service principals and workload identities) included in and excluded from the policy. Either users or clientApplications is required. |
| clientAppTypes | conditionalAccessClientApp collection | Client application types included in the policy. Possible values are: all, browser, mobileAppsAndDesktopClients, exchangeActiveSync, easSupported, other. Required. |
| deviceStates | conditionalAccessDeviceStates | Device states in the policy. |
| devices | conditionalAccessDevices | Devices in the policy. |
| locations | conditionalAccessLocations | Locations included in and excluded from the policy. |
| platforms | conditionalAccessPlatforms | Platforms included in and excluded from the policy. |
| servicePrincipalRiskLevels | riskLevel collection | Service principal risk levels included in the policy. Possible values are: low, medium, high, none, unknownFutureValue. |
| signInRiskLevels | riskLevel collection | Sign-in risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required. |
| userRiskLevels | riskLevel collection | User risk levels included in the policy. Possible values are: low, medium, high, hidden, none, unknownFutureValue. Required. |

Note:

  • The clientAppType value modern is going to be deprecated and replaced by mobileAppsAndDesktopClients.
  • The clientAppType value easUnsupported is going to be deprecated in favor of exchangeActiveSync, which includes EAS supported and unsupported platforms.
  • We are deprecating the deviceStates condition, and it may be removed in the future. Going forward, use the devices condition.

Relationships

None.

JSON representation

The following is a JSON representation of the resource.

{
  "@odata.type": "#microsoft.graph.conditionalAccessConditionSet",
  "applications": {"@odata.type": "microsoft.graph.conditionalAccessApplications"},
  "users": {"@odata.type": "microsoft.graph.conditionalAccessUsers"},
  "clientApplications": {"@odata.type": "microsoft.graph.conditionalAccessClientApplications"},
  "clientAppTypes": ["String"],
  "deviceStates": {"@odata.type": "microsoft.graph.conditionalAccessDeviceStates"},
  "devices": {"@odata.type": "microsoft.graph.conditionalAccessDevices"},
  "locations": {"@odata.type": "microsoft.graph.conditionalAccessLocations"},
  "platforms": {"@odata.type": "microsoft.graph.conditionalAccessPlatforms"},
  "servicePrincipalRiskLevels": ["String"],
  "signInRiskLevels": ["String"],
  "userRiskLevels": ["String"]
}
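
As an added example (not part of the Microsoft Graph documentation), the following Python function checks a condition set body against the rules stated in the Properties table and the Note above: required properties, allowed enumeration values, and deprecated values. The name lint_condition_set and the sample body are assumptions made for illustration; the nested objects are left empty because their schemas are defined on other pages.

```python
REQUIRED = ("applications", "clientAppTypes", "signInRiskLevels", "userRiskLevels")
CLIENT_APP_TYPES = {"all", "browser", "mobileAppsAndDesktopClients",
                    "exchangeActiveSync", "easSupported", "other"}
# Deprecated clientAppType values and the replacements named in the Note.
DEPRECATED_APP_TYPES = {"modern": "mobileAppsAndDesktopClients",
                        "easUnsupported": "exchangeActiveSync"}
RISK_LEVELS = {
    "servicePrincipalRiskLevels": {"low", "medium", "high", "none", "unknownFutureValue"},
    "signInRiskLevels": {"low", "medium", "high", "hidden", "none", "unknownFutureValue"},
    "userRiskLevels": {"low", "medium", "high", "hidden", "none", "unknownFutureValue"},
}


def lint_condition_set(cs):
    """Return (errors, warnings) as lists of strings for one condition set dict."""
    errors, warnings = [], []
    for prop in REQUIRED:
        if prop not in cs:
            errors.append(f"{prop}: required property is missing")
    if "users" not in cs and "clientApplications" not in cs:
        errors.append("users/clientApplications: one of the two is required")
    for value in cs.get("clientAppTypes", []):
        if value in DEPRECATED_APP_TYPES:
            warnings.append(f"clientAppTypes: '{value}' is deprecated, use "
                            f"'{DEPRECATED_APP_TYPES[value]}'")
        elif value not in CLIENT_APP_TYPES:
            errors.append(f"clientAppTypes: unknown value '{value}'")
    for prop, allowed in RISK_LEVELS.items():
        for value in cs.get(prop, []):
            if value not in allowed:
                errors.append(f"{prop}: unknown value '{value}'")
    if "deviceStates" in cs:
        warnings.append("deviceStates: deprecated condition, use 'devices'")
    return errors, warnings


# Constructed sample body (not taken from a real tenant).
SAMPLE = {
    "applications": {}, "users": {},
    "clientAppTypes": ["browser", "modern", "easUnsupported"],
    "deviceStates": {},
    "signInRiskLevels": ["high", "hidden"],
    "servicePrincipalRiskLevels": ["hidden"],
}

if __name__ == "__main__":
    errs, warns = lint_condition_set(SAMPLE)
    for line in [f"ERROR {e}" for e in errs] + [f"WARN  {w}" for w in warns]:
        print(line)
```

The sample shows that hidden is accepted for signInRiskLevels but rejected for servicePrincipalRiskLevels, whose listed values do not include it.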