Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Evaluate the applicability of the conditional access policies in the tenant based on the specified sign-in properties.

This API is available in the following national cloud deployments.

| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

| Permission type | Least privileged permission | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Policy.Read.ConditionalAccess | Policy.Read.All, Policy.ReadWrite.ConditionalAccess |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Policy.Read.ConditionalAccess | Policy.Read.All, Policy.ReadWrite.ConditionalAccess |
HTTP request

```http
POST /identity/conditionalAccess/evaluate
```
Request headers

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body

In the request body, supply a JSON representation of the parameters. To get the most accurate evaluation result, include as many details about the sign-in as possible. If the tenant has policies with specific conditions and the request does not include the sign-in details for those conditions, the What If tool cannot evaluate those conditions.

The following table shows the parameters that are required when you call this action.

| Parameter | Type | Description |
|---|---|---|
| signInIdentity | signInIdentity | Represents the identity that is authenticating. This can be a user, an external user, or a single-tenant service principal. Required. |
| signInContext | signInContext | Represents the context of the authentication. This can include accessing an application, performing a specific user action, or accessing data protected by an authentication context. Required. |
| signInConditions | signInConditions | Represents the sign-in parameters of the authenticating identity. This includes details such as location, device information, and risk information. Required. |
| appliedPoliciesOnly | Boolean | Controls whether the response includes all policies or only the policies that apply to the authentication event. Optional. |
Response

If successful, this action returns a 200 OK response code and a whatIfAnalysisResult collection in the response body. The response indicates, for each policy in the tenant, whether the policy applies based on the sign-in properties supplied in the request body.
Examples

Example 1: Identify the conditional access policies that apply to a user accessing an application

Request

The following example shows a request.
```http
POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
  "signInIdentity": {
    "@odata.type": "#microsoft.graph.userSignIn",
    "userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
  },
  "signInContext": {
    "@odata.type": "#microsoft.graph.applicationContext",
    "includeApplications": [
      "00000003-0000-0ff1-ce00-000000000000"
    ]
  },
  "signInConditions": {
    "devicePlatform": "android",
    "clientAppType": "browser",
    "signInRiskLevel": "high",
    "userRiskLevel": "high",
    "country": "US",
    "ipAddress": "40.77.182.32",
    "insiderRiskLevel": "elevated",
    "authenticationFlow": {
      "transferMethod": "deviceCodeFlow"
    },
    "deviceInfo": {
      "isCompliant": true
    }
  },
  "appliedPoliciesOnly": true
}
```
Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
  "value": [
    {
      "id": "df9e6f15-2b60-4e78-b990-b2da33a10886",
      "templateId": null,
      "displayName": "All users except au1_Office 365_No conditions_Session control application enforced restrictions",
      "createdDateTime": "2022-04-01T18:55:43.1454565Z",
      "modifiedDateTime": "2025-03-27T21:42:26.951558Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "grantControls": null,
      "partialEnablementStrategy": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [
            "Office365"
          ],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "All"
          ],
          "excludeUsers": [
            "f7ca74b0-8562-4083-b66c-0476f942cfd0"
          ],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        }
      },
      "sessionControls": {
        "disableResilienceDefaults": null,
        "cloudAppSecurity": null,
        "signInFrequency": null,
        "persistentBrowser": null,
        "continuousAccessEvaluation": null,
        "secureSignInSession": null,
        "networkAccessSecurity": null,
        "globalSecureAccessFilteringProfile": null,
        "applicationEnforcedRestrictions": {
          "isEnabled": true
        }
      }
    },
    {
      "id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
      "templateId": null,
      "displayName": "All Users except au1_All resources_user risk H_Password change",
      "createdDateTime": "2022-03-31T22:59:59.6688974Z",
      "modifiedDateTime": "2025-03-27T19:55:43.5390544Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [
          "high"
        ],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [
            "All"
          ],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "All"
          ],
          "excludeUsers": [
            "f7ca74b0-8562-4083-b66c-0476f942cfd0"
          ],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        }
      },
      "grantControls": {
        "operator": "AND",
        "builtInControls": [
          "mfa",
          "passwordChange"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
      }
    }
  ]
}
```
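A practitioner reading a whatIfAnalysisResult collection like the one above needs to separate policies that would actually change the outcome of the sign-in from report-only ones: both policies here have policyApplies set to true, but their state is enabledForReportingButNotEnforced, so neither the password change nor the session restriction would be enforced. The following Python is an added example, not code from the Microsoft Graph documentation; its sample response is constructed from Example 1 and trimmed to the fields the code reads.

```python
import json

# Constructed sample, trimmed from Example 1: two applicable report-only policies.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "df9e6f15-2b60-4e78-b990-b2da33a10886",
     "displayName": "All users except au1_Office 365_No conditions_Session control application enforced restrictions",
     "state": "enabledForReportingButNotEnforced", "policyApplies": True,
     "grantControls": None,
     "sessionControls": {"signInFrequency": None,
                         "applicationEnforcedRestrictions": {"isEnabled": True}}},
    {"id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
     "displayName": "All Users except au1_All resources_user risk H_Password change",
     "state": "enabledForReportingButNotEnforced", "policyApplies": True,
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"],
                       "authenticationStrength": None},
     "sessionControls": None},
]})


def describe_controls(policy):
    """List the grant and session controls a policy would impose on the sign-in."""
    grant = policy.get("grantControls") or {}
    builtin = list(grant.get("builtInControls") or [])
    strength = grant.get("authenticationStrength")
    if strength:  # an authentication strength is a grant control in its own right
        builtin.append("authStrength:" + strength.get("displayName", "?"))
    controls = []
    if builtin:
        controls.append(f" {grant.get('operator', 'OR')} ".join(builtin))
    for name, value in (policy.get("sessionControls") or {}).items():
        if value:  # null means the session control is not configured
            controls.append("session:" + name)
    return controls


def summarize(response_json):
    """Split applicable policies by state and decide whether the sign-in is blocked.

    Only policies in state "enabled" are enforced; policies in state
    "enabledForReportingButNotEnforced" are logged but do not change the outcome.
    """
    applies = [p for p in json.loads(response_json)["value"] if p.get("policyApplies")]
    enforced = [p for p in applies if p.get("state") == "enabled"]
    report_only = [p for p in applies if p.get("state") == "enabledForReportingButNotEnforced"]
    blocked = any("block" in ((p.get("grantControls") or {}).get("builtInControls") or [])
                  for p in enforced)
    return {
        "applies": [p["id"] for p in applies],
        "enforced": {p["id"]: describe_controls(p) for p in enforced},
        "report_only": {p["id"]: describe_controls(p) for p in report_only},
        "sign_in_blocked": blocked,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

Run against a live response (with appliedPoliciesOnly set to true), the report_only bucket is the list of policies worth reviewing before switching them to enforced, since those are the controls the sign-in currently evades.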
Example 2: Identify the conditional access policies that apply to a user accessing a sensitive file protected by an authentication context

Request

The following example shows a request.
```http
POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
  "signInIdentity": {
    "@odata.type": "#microsoft.graph.userSignIn",
    "userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
  },
  "signInContext": {
    "@odata.type": "#microsoft.graph.authContext",
    "authenticationContextValue": "c37"
  },
  "signInConditions": {
    "devicePlatform": "windows",
    "clientAppType": "mobileAppsAndDesktopClients",
    "signInRiskLevel": "medium",
    "userRiskLevel": "none",
    "country": "US",
    "ipAddress": "40.77.182.32",
    "insiderRiskLevel": "moderate",
    "authenticationFlow": {
      "transferMethod": "authenticationTransfer"
    },
    "deviceInfo": {
      "profileType": "Standard"
    }
  },
  "appliedPoliciesOnly": true
}
```
Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
  "value": [
    {
      "id": "e897c693-c0e6-4386-abc3-f46dee5940fb",
      "templateId": null,
      "displayName": "All users_auth context_No conditions_Auth strength MFA",
      "createdDateTime": "2023-07-10T17:27:37.9735926Z",
      "modifiedDateTime": "2025-03-27T20:03:41.92628Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [
            "c1",
            "c37"
          ],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "All"
          ],
          "excludeUsers": [],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": {
          "id": "00000000-0000-0000-0000-000000000002",
          "createdDateTime": "2021-12-01T08:00:00Z",
          "modifiedDateTime": "2021-12-01T08:00:00Z",
          "displayName": "Multifactor authentication",
          "description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
          "policyType": "builtIn",
          "requirementsSatisfied": "mfa",
          "allowedCombinations": [
            "windowsHelloForBusiness",
            "fido2",
            "x509CertificateMultiFactor",
            "deviceBasedPush",
            "temporaryAccessPassOneTime",
            "temporaryAccessPassMultiUse",
            "password,microsoftAuthenticatorPush",
            "password,softwareOath",
            "password,hardwareOath",
            "password,x509CertificateSingleFactor",
            "password,x509CertificateMultiFactor",
            "password,sms",
            "password,voice",
            "federatedMultiFactor",
            "microsoftAuthenticatorPush,federatedSingleFactor",
            "softwareOath,federatedSingleFactor",
            "hardwareOath,federatedSingleFactor",
            "sms,federatedSingleFactor",
            "voice,federatedSingleFactor"
          ],
          "combinationConfigurations": []
        }
      }
    }
  ]
}
```
Example 3: Identify the conditional access policies that apply to a user performing a user action

Request

The following example shows a request.
```http
POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
  "signInIdentity": {
    "@odata.type": "#microsoft.graph.userSignIn",
    "userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
  },
  "signInContext": {
    "@odata.type": "#microsoft.graph.userActionContext",
    "userAction": "registerSecurityInformation"
  },
  "signInConditions": {
    "devicePlatform": "macOS",
    "clientAppType": "browser",
    "signInRiskLevel": "low",
    "userRiskLevel": "high",
    "servicePrincipalRiskLevel": "none",
    "country": "CA",
    "ipAddress": "40.77.182.32",
    "insiderRiskLevel": "minor",
    "authenticationFlow": {
      "transferMethod": "deviceCodeFlow"
    },
    "deviceInfo": {
      "trustType": "EntraID"
    }
  },
  "appliedPoliciesOnly": true
}
```
Response

The following example shows the response.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
  "value": [
    {
      "id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
      "templateId": null,
      "displayName": "All Users except au1_All resources_user risk H_Password change",
      "createdDateTime": "2022-03-31T22:59:59.6688974Z",
      "modifiedDateTime": "2025-03-27T19:55:43.5390544Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [
          "high"
        ],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [
            "All"
          ],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "All"
          ],
          "excludeUsers": [
            "f7ca74b0-8562-4083-b66c-0476f942cfd0"
          ],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        }
      },
      "grantControls": {
        "operator": "AND",
        "builtInControls": [
          "mfa",
          "passwordChange"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
      }
    },
    {
      "id": "4aa7d105-d92b-4c07-9834-0e810ddb89ac",
      "templateId": null,
      "displayName": "All admin roles except au1_All resources_No conditions_MFA",
      "createdDateTime": "2022-03-29T20:39:24.3899939Z",
      "modifiedDateTime": "2025-03-27T21:40:19.6686701Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [
            "All"
          ],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [],
          "excludeUsers": [
            "f7ca74b0-8562-4083-b66c-0476f942cfd0"
          ],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [
            "62e90394-69f5-4237-9190-012177145e10",
            "194ae4cb-b126-40b2-bd5b-6091b380977d",
            "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
            "29232cdf-9323-42fd-ade2-1d097af3e4de",
            "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
            "729827e3-9c14-49f7-bb1b-9608f156bbb8",
            "b0f54661-2d74-4c50-afa3-1ec803f12efe",
            "fe930be7-5e62-47db-91af-98c3a49a38b1",
            "c4e39bd9-1100-46d3-8c65-fb160da0071f",
            "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
            "158c047a-c907-4556-b7ef-446551a6b5f7",
            "966707d0-3269-4727-9be2-8c3a10f19b9d",
            "7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
            "e8611ab8-c189-46e8-94e1-60213ab1f814"
          ],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [
          "mfa"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
      }
    },
    {
      "id": "11083471-5a50-43ad-90c0-23f1af0869e1",
      "templateId": null,
      "displayName": "All users except au1_User action RS info_No conditions_Auth strenfth MFA",
      "createdDateTime": "2024-10-16T15:06:45.0788027Z",
      "modifiedDateTime": "2025-03-27T20:08:22.6064571Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "clientApplications": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [],
          "excludeApplications": [],
          "includeUserActions": [
            "urn:user:registersecurityinfo"
          ],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "All"
          ],
          "excludeUsers": [
            "f7ca74b0-8562-4083-b66c-0476f942cfd0"
          ],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": {
          "id": "00000000-0000-0000-0000-000000000002",
          "createdDateTime": "2021-12-01T08:00:00Z",
          "modifiedDateTime": "2021-12-01T08:00:00Z",
          "displayName": "Multifactor authentication",
          "description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
          "policyType": "builtIn",
          "requirementsSatisfied": "mfa",
          "allowedCombinations": [
            "windowsHelloForBusiness",
            "fido2",
            "x509CertificateMultiFactor",
            "deviceBasedPush",
            "temporaryAccessPassOneTime",
            "temporaryAccessPassMultiUse",
            "password,microsoftAuthenticatorPush",
            "password,softwareOath",
            "password,hardwareOath",
            "password,x509CertificateSingleFactor",
            "password,x509CertificateMultiFactor",
            "password,sms",
            "password,voice",
            "federatedMultiFactor",
            "microsoftAuthenticatorPush,federatedSingleFactor",
            "softwareOath,federatedSingleFactor",
            "hardwareOath,federatedSingleFactor",
            "sms,federatedSingleFactor",
            "voice,federatedSingleFactor"
          ],
          "combinationConfigurations": []
        }
      }
    }
  ]
}
```
Example 4: Identify the conditional access policies that apply to a service principal

Request

The following example shows a request.
```http
POST https://graph.microsoft.com/beta/identity/conditionalAccess/evaluate
Content-Type: application/json

{
  "signInIdentity": {
    "@odata.type": "#microsoft.graph.servicePrincipalSignIn",
    "servicePrincipalId": "c65b94a5-0049-439a-a6fd-bce307077730"
  },
  "signInContext": {
    "@odata.type": "#microsoft.graph.applicationContext",
    "includeApplications": [
      "00000003-0000-0ff1-ce00-000000000000"
    ]
  },
  "signInConditions": {
    "servicePrincipalRiskLevel": "high",
    "country": "CA",
    "ipAddress": "40.77.182.32"
  },
  "appliedPoliciesOnly": true
}
```
Response

The following example shows the response.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
  "value": [
    {
      "id": "461478d2-5896-4761-84ba-4d241c396a29",
      "templateId": null,
      "displayName": "All ST SPs_All resources_Any location_Block",
      "createdDateTime": "2022-04-08T19:31:15.6087842Z",
      "modifiedDateTime": "2025-03-27T20:08:54.0912734Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [
            "All"
          ],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "None"
          ],
          "excludeUsers": [],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        },
        "locations": {
          "includeLocations": [
            "All"
          ],
          "excludeLocations": []
        },
        "clientApplications": {
          "includeServicePrincipals": [
            "ServicePrincipalsInMyTenant"
          ],
          "excludeServicePrincipals": [],
          "servicePrincipalFilter": null
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [
          "block"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
      }
    },
    {
      "id": "4f1d2ff3-50db-4299-bbdd-0a114c98e97e",
      "templateId": null,
      "displayName": "All ST SPs_All resources_No conditions_Block",
      "createdDateTime": "2025-02-21T07:04:44.777856Z",
      "modifiedDateTime": "2025-03-28T06:15:41.2376665Z",
      "state": "enabledForReportingButNotEnforced",
      "policyApplies": true,
      "analysisReasons": "notSet",
      "partialEnablementStrategy": null,
      "sessionControls": null,
      "conditions": {
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "clientAppTypes": [
          "all"
        ],
        "servicePrincipalRiskLevels": [],
        "insiderRiskLevels": null,
        "clients": null,
        "platforms": null,
        "locations": null,
        "times": null,
        "deviceStates": null,
        "devices": null,
        "authenticationFlows": null,
        "applications": {
          "includeApplications": [
            "All"
          ],
          "excludeApplications": [],
          "includeUserActions": [],
          "includeAuthenticationContextClassReferences": [],
          "applicationFilter": null,
          "networkAccess": null,
          "globalSecureAccess": null
        },
        "users": {
          "includeUsers": [
            "None"
          ],
          "excludeUsers": [],
          "includeGroups": [],
          "excludeGroups": [],
          "includeRoles": [],
          "excludeRoles": [],
          "includeGuestsOrExternalUsers": null,
          "excludeGuestsOrExternalUsers": null
        },
        "clientApplications": {
          "includeServicePrincipals": [
            "ServicePrincipalsInMyTenant"
          ],
          "excludeServicePrincipals": [],
          "servicePrincipalFilter": null
        }
      },
      "grantControls": {
        "operator": "OR",
        "builtInControls": [
          "block"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
      }
    }
  ]
}
```