Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other internet traffic. Administrators use Microsoft Entra Internet Access to protect users, devices, and data from the internet's threat landscape with best-in-class security controls and visibility through traffic logs. Deeply integrated with Microsoft Entra ID Conditional Access, Microsoft's SWG is identity-centric, which makes it easy to manage your organization's policy in a single engine.
In this tutorial, you learn how to configure Microsoft Entra Internet Access programmatically with the Microsoft Graph network access APIs. You:
- Create web content filtering policies to allow or block access to specific destinations.
- Align the web content filtering policies with Conditional Access policies through a filtering profile container, also known as a security profile.
Important
Some API operations in this tutorial use the beta endpoint.
Prerequisites
To complete this tutorial, you need:
- A Microsoft Entra tenant with the Microsoft Entra Suite license.
- An API client, such as Graph Explorer, with an account that has the supported administrator roles. The following Microsoft Entra roles are the least privileged for the operations in this tutorial:
  - Global Secure Access Administrator to configure the web content filtering policies and filtering profiles.
  - Conditional Access Administrator to configure Conditional Access policies.
- Delegated permissions: NetworkAccess.Read.All, NetworkAccess.ReadWrite.All, and Policy.ReadWrite.ConditionalAccess
- A test user to assign to the Conditional Access policy.
- The Global Secure Access (GSA) client deployed on your organization's devices.
Step 1: Enable Internet Access traffic forwarding
Before you configure Microsoft Entra Internet Access filtering policies, start by deploying the Global Secure Access (GSA) client on your organization's devices. Then start forwarding traffic to the GSA edge locations by enabling the Internet Access forwarding profile.
Step 1.1: Get the Internet Access traffic forwarding profile
Record the profile ID for use later in this tutorial.
Request
GET https://graph.microsoft.com/beta/networkAccess/forwardingProfiles?$filter=trafficForwardingType eq 'internet'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.ForwardingProfiles.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "trafficForwardingType eq 'internet'";
});
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/networkaccess"
//other-imports
)
requestFilter := "trafficForwardingType eq 'internet'"
requestParameters := &graphnetworkaccess.NetworkAccessForwardingProfilesRequestBuilderGetQueryParameters{
Filter: &requestFilter,
}
configuration := &graphnetworkaccess.NetworkAccessForwardingProfilesRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
forwardingProfiles, err := graphClient.NetworkAccess().ForwardingProfiles().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.networkaccess.ForwardingProfileCollectionResponse result = graphClient.networkAccess().forwardingProfiles().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "trafficForwardingType eq 'internet'";
});
const options = {
authProvider,
};
const client = Client.init(options);
let forwardingProfiles = await client.api('/networkAccess/forwardingProfiles')
.version('beta')
.filter('trafficForwardingType eq \'internet\'')
.get();
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\NetworkAccess\ForwardingProfiles\ForwardingProfilesRequestBuilderGetRequestConfiguration;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestConfiguration = new ForwardingProfilesRequestBuilderGetRequestConfiguration();
$queryParameters = ForwardingProfilesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "trafficForwardingType eq 'internet'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->networkAccess()->forwardingProfiles()->get($requestConfiguration)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.network_access.forwarding_profiles.forwarding_profiles_request_builder import ForwardingProfilesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ForwardingProfilesRequestBuilder.ForwardingProfilesRequestBuilderGetQueryParameters(
filter = "trafficForwardingType eq 'internet'",
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.network_access.forwarding_profiles.get(request_configuration = request_configuration)
Response
HTTP/1.1 200 OK
Content-type: application/json
{
"trafficForwardingType": "internet",
"priority": 2,
"id": "bbbbbbbb-1111-2222-3333-cccccccccccc",
"name": "Internet traffic forwarding profile",
"description": "Default traffic forwarding profile for Internet traffic acquisition. Assign the profile to client or branch offices to acquire Internet traffic for Zero Trust Network Access.Internet traffic forwarding profile will exclude all endpoints defined in Microsoft 365 traffic forwarding profile.",
"state": "enabled",
"version": "1.0.0",
"lastModifiedDateTime": "2025-01-14T13:11:57.9295327Z",
"associations": [],
"servicePrincipal": {
"appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
"id": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb"
}
}
Step 1.2: Enable the state of the Internet Access forwarding profile
The request returns a 204 No Content response.
Request
PATCH https://graph.microsoft.com/beta/networkAccess/forwardingProfiles/bbbbbbbb-1111-2222-3333-cccccccccccc
Content-type: application/json
{
"state": "enabled"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models.Networkaccess;
var requestBody = new ForwardingProfile
{
State = Status.Enabled,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.ForwardingProfiles["{forwardingProfile-id}"].PatchAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodelsnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/models/networkaccess"
//other-imports
)
requestBody := graphmodelsnetworkaccess.NewForwardingProfile()
state := graphmodelsnetworkaccess.ENABLED_STATUS
requestBody.SetState(&state)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
forwardingProfiles, err := graphClient.NetworkAccess().ForwardingProfiles().ByForwardingProfileId("forwardingProfile-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.networkaccess.ForwardingProfile forwardingProfile = new com.microsoft.graph.beta.models.networkaccess.ForwardingProfile();
forwardingProfile.setState(com.microsoft.graph.beta.models.networkaccess.Status.Enabled);
com.microsoft.graph.beta.models.networkaccess.ForwardingProfile result = graphClient.networkAccess().forwardingProfiles().byForwardingProfileId("{forwardingProfile-id}").patch(forwardingProfile);
const options = {
authProvider,
};
const client = Client.init(options);
const forwardingProfile = {
state: 'enabled'
};
await client.api('/networkAccess/forwardingProfiles/bbbbbbbb-1111-2222-3333-cccccccccccc')
.version('beta')
.update(forwardingProfile);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\ForwardingProfile;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\Status;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ForwardingProfile();
$requestBody->setState(new Status('enabled'));
$result = $graphServiceClient->networkAccess()->forwardingProfiles()->byForwardingProfileId('forwardingProfile-id')->patch($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.networkaccess.forwarding_profile import ForwardingProfile
from msgraph_beta.generated.models.status import Status
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ForwardingProfile(
state = Status.Enabled,
)
result = await graph_client.network_access.forwarding_profiles.by_forwarding_profile_id('forwardingProfile-id').patch(request_body)
Step 2: Create a web content filtering policy and a security profile
To configure policies in Microsoft Entra Internet Access, you first create a filtering policy, which is a collection of rules that govern access to destinations such as web categories and fully qualified domain names (FQDNs). For example, you can create a filtering policy with rules that block access to the Artificial Intelligence category and individual FQDNs. You then organize the filtering policies into a security profile that you can target with Conditional Access policies.
Step 2.1: Create a web content filtering policy
In this example, you create a filtering policy with rules that block access to the "Artificial Intelligence" category and the FQDNs for bing.com. After you create this policy, take note of the filtering policy ID so that you can link it in the filtering profile.
Request
POST https://graph.microsoft.com/beta/networkaccess/filteringPolicies
Content-type: application/json
{
"name": "AI and Bing",
"policyRules": [
{
"@odata.type": "#microsoft.graph.networkaccess.webCategoryFilteringRule",
"name": "AI",
"ruleType": "webCategory",
"destinations": [
{
"@odata.type": "#microsoft.graph.networkaccess.webCategory",
"name": "ArtificialIntelligence"
}
]
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
"name": "bing FQDNs",
"ruleType": "fqdn",
"destinations": [
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "bing.com"
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "*.bing.com"
}
]
}
],
"action": "block"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models.Networkaccess;
var requestBody = new FilteringPolicy
{
Name = "AI and Bing",
PolicyRules = new List<PolicyRule>
{
new WebCategoryFilteringRule
{
OdataType = "#microsoft.graph.networkaccess.webCategoryFilteringRule",
Name = "AI",
RuleType = NetworkDestinationType.WebCategory,
Destinations = new List<RuleDestination>
{
new WebCategory
{
OdataType = "#microsoft.graph.networkaccess.webCategory",
Name = "ArtificialIntelligence",
},
},
},
new FqdnFilteringRule
{
OdataType = "#microsoft.graph.networkaccess.fqdnFilteringRule",
Name = "bing FQDNs",
RuleType = NetworkDestinationType.Fqdn,
Destinations = new List<RuleDestination>
{
new Fqdn
{
OdataType = "#microsoft.graph.networkaccess.fqdn",
Value = "bing.com",
},
new Fqdn
{
OdataType = "#microsoft.graph.networkaccess.fqdn",
Value = "*.bing.com",
},
},
},
},
Action = FilteringPolicyAction.Block,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.FilteringPolicies.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodelsnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/models/networkaccess"
//other-imports
)
requestBody := graphmodelsnetworkaccess.NewFilteringPolicy()
policyName := "AI and Bing"
requestBody.SetName(&policyName)
// Rule 1: the ArtificialIntelligence web category
policyRule := graphmodelsnetworkaccess.NewWebCategoryFilteringRule()
webCategoryRuleName := "AI"
policyRule.SetName(&webCategoryRuleName)
webCategoryRuleType := graphmodelsnetworkaccess.WEBCATEGORY_NETWORKDESTINATIONTYPE
policyRule.SetRuleType(&webCategoryRuleType)
webCategory := graphmodelsnetworkaccess.NewWebCategory()
webCategoryName := "ArtificialIntelligence"
webCategory.SetName(&webCategoryName)
webCategoryDestinations := []graphmodelsnetworkaccess.RuleDestinationable{
	webCategory,
}
policyRule.SetDestinations(webCategoryDestinations)
// Rule 2: the bing.com FQDNs (each value needs its own variable because the setters take pointers)
policyRule1 := graphmodelsnetworkaccess.NewFqdnFilteringRule()
fqdnRuleName := "bing FQDNs"
policyRule1.SetName(&fqdnRuleName)
fqdnRuleType := graphmodelsnetworkaccess.FQDN_NETWORKDESTINATIONTYPE
policyRule1.SetRuleType(&fqdnRuleType)
ruleDestination := graphmodelsnetworkaccess.NewFqdn()
value := "bing.com"
ruleDestination.SetValue(&value)
ruleDestination1 := graphmodelsnetworkaccess.NewFqdn()
value1 := "*.bing.com"
ruleDestination1.SetValue(&value1)
fqdnDestinations := []graphmodelsnetworkaccess.RuleDestinationable{
	ruleDestination,
	ruleDestination1,
}
policyRule1.SetDestinations(fqdnDestinations)
policyRules := []graphmodelsnetworkaccess.PolicyRuleable{
	policyRule,
	policyRule1,
}
requestBody.SetPolicyRules(policyRules)
action := graphmodelsnetworkaccess.BLOCK_FILTERINGPOLICYACTION
requestBody.SetAction(&action)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
filteringPolicies, err := graphClient.NetworkAccess().FilteringPolicies().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.networkaccess.FilteringPolicy filteringPolicy = new com.microsoft.graph.beta.models.networkaccess.FilteringPolicy();
filteringPolicy.setName("AI and Bing");
LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyRule> policyRules = new LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyRule>();
com.microsoft.graph.beta.models.networkaccess.WebCategoryFilteringRule policyRule = new com.microsoft.graph.beta.models.networkaccess.WebCategoryFilteringRule();
policyRule.setOdataType("#microsoft.graph.networkaccess.webCategoryFilteringRule");
policyRule.setName("AI");
policyRule.setRuleType(com.microsoft.graph.beta.models.networkaccess.NetworkDestinationType.WebCategory);
LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination> destinations = new LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination>();
com.microsoft.graph.beta.models.networkaccess.WebCategory ruleDestination = new com.microsoft.graph.beta.models.networkaccess.WebCategory();
ruleDestination.setOdataType("#microsoft.graph.networkaccess.webCategory");
ruleDestination.setName("ArtificialIntelligence");
destinations.add(ruleDestination);
policyRule.setDestinations(destinations);
policyRules.add(policyRule);
com.microsoft.graph.beta.models.networkaccess.FqdnFilteringRule policyRule1 = new com.microsoft.graph.beta.models.networkaccess.FqdnFilteringRule();
policyRule1.setOdataType("#microsoft.graph.networkaccess.fqdnFilteringRule");
policyRule1.setName("bing FQDNs");
policyRule1.setRuleType(com.microsoft.graph.beta.models.networkaccess.NetworkDestinationType.Fqdn);
LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination> destinations1 = new LinkedList<com.microsoft.graph.beta.models.networkaccess.RuleDestination>();
com.microsoft.graph.beta.models.networkaccess.Fqdn ruleDestination1 = new com.microsoft.graph.beta.models.networkaccess.Fqdn();
ruleDestination1.setOdataType("#microsoft.graph.networkaccess.fqdn");
ruleDestination1.setValue("bing.com");
destinations1.add(ruleDestination1);
com.microsoft.graph.beta.models.networkaccess.Fqdn ruleDestination2 = new com.microsoft.graph.beta.models.networkaccess.Fqdn();
ruleDestination2.setOdataType("#microsoft.graph.networkaccess.fqdn");
ruleDestination2.setValue("*.bing.com");
destinations1.add(ruleDestination2);
policyRule1.setDestinations(destinations1);
policyRules.add(policyRule1);
filteringPolicy.setPolicyRules(policyRules);
filteringPolicy.setAction(com.microsoft.graph.beta.models.networkaccess.FilteringPolicyAction.Block);
com.microsoft.graph.beta.models.networkaccess.FilteringPolicy result = graphClient.networkAccess().filteringPolicies().post(filteringPolicy);
const options = {
authProvider,
};
const client = Client.init(options);
const filteringPolicy = {
name: 'AI and Bing',
policyRules: [
{
'@odata.type': '#microsoft.graph.networkaccess.webCategoryFilteringRule',
name: 'AI',
ruleType: 'webCategory',
destinations: [
{
'@odata.type': '#microsoft.graph.networkaccess.webCategory',
name: 'ArtificialIntelligence'
}
]
},
{
'@odata.type': '#microsoft.graph.networkaccess.fqdnFilteringRule',
name: 'bing FQDNs',
ruleType: 'fqdn',
destinations: [
{
'@odata.type': '#microsoft.graph.networkaccess.fqdn',
value: 'bing.com'
},
{
'@odata.type': '#microsoft.graph.networkaccess.fqdn',
value: '*.bing.com'
}
]
}
],
action: 'block'
};
await client.api('/networkaccess/filteringPolicies')
.version('beta')
.post(filteringPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FilteringPolicy;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\PolicyRule;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\WebCategoryFilteringRule;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\NetworkDestinationType;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\RuleDestination;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\WebCategory;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FqdnFilteringRule;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\Fqdn;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FilteringPolicyAction;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new FilteringPolicy();
$requestBody->setName('AI and Bing');
$policyRulesPolicyRule1 = new WebCategoryFilteringRule();
$policyRulesPolicyRule1->setOdataType('#microsoft.graph.networkaccess.webCategoryFilteringRule');
$policyRulesPolicyRule1->setName('AI');
$policyRulesPolicyRule1->setRuleType(new NetworkDestinationType('webCategory'));
$destinationsRuleDestination1 = new WebCategory();
$destinationsRuleDestination1->setOdataType('#microsoft.graph.networkaccess.webCategory');
$destinationsRuleDestination1->setName('ArtificialIntelligence');
$destinationsArray []= $destinationsRuleDestination1;
$policyRulesPolicyRule1->setDestinations($destinationsArray);
$policyRulesArray []= $policyRulesPolicyRule1;
$policyRulesPolicyRule2 = new FqdnFilteringRule();
$policyRulesPolicyRule2->setOdataType('#microsoft.graph.networkaccess.fqdnFilteringRule');
$policyRulesPolicyRule2->setName('bing FQDNs');
$policyRulesPolicyRule2->setRuleType(new NetworkDestinationType('fqdn'));
$destinationsRuleDestination1 = new Fqdn();
$destinationsRuleDestination1->setOdataType('#microsoft.graph.networkaccess.fqdn');
$destinationsRuleDestination1->setValue('bing.com');
$destinationsArray []= $destinationsRuleDestination1;
$destinationsRuleDestination2 = new Fqdn();
$destinationsRuleDestination2->setOdataType('#microsoft.graph.networkaccess.fqdn');
$destinationsRuleDestination2->setValue('*.bing.com');
$destinationsArray []= $destinationsRuleDestination2;
$policyRulesPolicyRule2->setDestinations($destinationsArray);
$policyRulesArray []= $policyRulesPolicyRule2;
$requestBody->setPolicyRules($policyRulesArray);
$requestBody->setAction(new FilteringPolicyAction('block'));
$result = $graphServiceClient->networkAccess()->filteringPolicies()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.NetworkAccess
$params = @{
name = "AI and Bing"
policyRules = @(
@{
"@odata.type" = "#microsoft.graph.networkaccess.webCategoryFilteringRule"
name = "AI"
ruleType = "webCategory"
destinations = @(
@{
"@odata.type" = "#microsoft.graph.networkaccess.webCategory"
name = "ArtificialIntelligence"
}
)
}
@{
"@odata.type" = "#microsoft.graph.networkaccess.fqdnFilteringRule"
name = "bing FQDNs"
ruleType = "fqdn"
destinations = @(
@{
"@odata.type" = "#microsoft.graph.networkaccess.fqdn"
value = "bing.com"
}
@{
"@odata.type" = "#microsoft.graph.networkaccess.fqdn"
value = "*.bing.com"
}
)
}
)
action = "block"
}
New-MgBetaNetworkAccessFilteringPolicy -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.networkaccess.filtering_policy import FilteringPolicy
from msgraph_beta.generated.models.networkaccess.policy_rule import PolicyRule
from msgraph_beta.generated.models.networkaccess.web_category_filtering_rule import WebCategoryFilteringRule
from msgraph_beta.generated.models.network_destination_type import NetworkDestinationType
from msgraph_beta.generated.models.networkaccess.rule_destination import RuleDestination
from msgraph_beta.generated.models.networkaccess.web_category import WebCategory
from msgraph_beta.generated.models.networkaccess.fqdn_filtering_rule import FqdnFilteringRule
from msgraph_beta.generated.models.networkaccess.fqdn import Fqdn
from msgraph_beta.generated.models.filtering_policy_action import FilteringPolicyAction
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = FilteringPolicy(
name = "AI and Bing",
policy_rules = [
WebCategoryFilteringRule(
odata_type = "#microsoft.graph.networkaccess.webCategoryFilteringRule",
name = "AI",
rule_type = NetworkDestinationType.WebCategory,
destinations = [
WebCategory(
odata_type = "#microsoft.graph.networkaccess.webCategory",
name = "ArtificialIntelligence",
),
],
),
FqdnFilteringRule(
odata_type = "#microsoft.graph.networkaccess.fqdnFilteringRule",
name = "bing FQDNs",
rule_type = NetworkDestinationType.Fqdn,
destinations = [
Fqdn(
odata_type = "#microsoft.graph.networkaccess.fqdn",
value = "bing.com",
),
Fqdn(
odata_type = "#microsoft.graph.networkaccess.fqdn",
value = "*.bing.com",
),
],
),
],
action = FilteringPolicyAction.Block,
)
result = await graph_client.network_access.filtering_policies.post(request_body)
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "cccccccc-2222-3333-4444-dddddddddddd",
"name": "AI and Bing",
"description": null,
"version": "1.0.0",
"lastModifiedDateTime": "2025-02-05T18:10:28.9760687Z",
"createdDateTime": "2025-02-05T18:10:27Z",
"action": "block"
}
Step 2.2: Edit or update the web content filtering policy
After you create a filtering policy, you can edit or update it programmatically. You can add new rules to the policy by sending a POST request, or update destinations in existing rules through a PATCH request. Either change lets you adjust the filtering policies as your organization's needs change, such as blocking more categories or domains or modifying existing rules.
In this example, you use a PATCH request to add a destination to the rule created in step 2.1.
Request
PATCH https://graph.microsoft.com/beta/networkaccess/filteringPolicies('cccccccc-2222-3333-4444-dddddddddddd')/policyRules('<policyRuleId>')
Content-type: application/json
{
"@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
"destinations": [
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "bing.com"
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "*.bing.com"
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "bing.co.uk"
}
]
}
const options = {
authProvider,
};
const client = Client.init(options);
const policyRule = {
'@odata.type': '#microsoft.graph.networkaccess.fqdnFilteringRule',
destinations: [
{
'@odata.type': '#microsoft.graph.networkaccess.fqdn',
value: 'bing.com'
},
{
'@odata.type': '#microsoft.graph.networkaccess.fqdn',
value: '*.bing.com'
},
{
'@odata.type': '#microsoft.graph.networkaccess.fqdn',
value: 'bing.co.uk'
}
]
};
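// Double quotes outside so the single-quoted OData keys do not end the string; update() sends a PATCH.
await client.api("/networkaccess/filteringPolicies('cccccccc-2222-3333-4444-dddddddddddd')/policyRules('<policyRuleId>')")
.version('beta')
.update(policyRule);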
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.type": "#microsoft.graph.networkaccess.fqdnFilteringRule",
"id": "cccccccc-2222-3333-4444-dddddddddddd",
"name": "bing FQDNs",
"ruleType": "fqdn",
"destinations": [
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "google.co.uk"
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "google.com"
},
{
"@odata.type": "#microsoft.graph.networkaccess.fqdn",
"value": "bing.com"
}
]
}
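The request bodies in steps 2.1 and 2.2 can be checked locally before they are sent, so that a malformed destination or a dropped entry does not silently weaken a block policy. The following Python code is an added example, not part of the original tutorial or of any Microsoft SDK: the function names, the FQDN pattern and the allowed action set are this example's own assumptions, and it assumes that an update replaces a rule's destination list, as the step 2.2 request body (which repeats the existing destinations) suggests.

```python
import re

NS = "#microsoft.graph.networkaccess."
# ruleType -> (rule @odata.type, destination @odata.type, destination field),
# taken from the request body in step 2.1.
RULE_SHAPES = {
    "webCategory": (NS + "webCategoryFilteringRule", NS + "webCategory", "name"),
    "fqdn": (NS + "fqdnFilteringRule", NS + "fqdn", "value"),
}
ACTIONS = {"allow", "block"}  # assumption: the two actions the tutorial mentions

# Assumption of this example: a destination is a bare host name, optionally
# prefixed with "*." as in "*.bing.com". Schemes, ports and paths are rejected.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:\*\.)?(?:{LABEL}\.)+{LABEL}$")


def validate_policy(policy):
    """Return a list of problems found in a filteringPolicy request body."""
    problems = []
    if not str(policy.get("name") or "").strip():
        problems.append("policy: name is missing")
    if policy.get("action") not in ACTIONS:
        problems.append(f"policy: unexpected action {policy.get('action')!r}")
    rules = policy.get("policyRules") or []
    if not rules:
        problems.append("policy: no policyRules, nothing would be filtered")
    for rule in rules:
        label = f"rule {rule.get('name')!r}"
        shape = RULE_SHAPES.get(rule.get("ruleType"))
        if shape is None:
            problems.append(f"{label}: unknown ruleType {rule.get('ruleType')!r}")
            continue
        rule_type, dest_type, field = shape
        if rule.get("@odata.type") != rule_type:
            problems.append(f"{label}: @odata.type does not match ruleType")
        seen = set()
        for dest in rule.get("destinations") or []:
            value = dest.get(field)
            if dest.get("@odata.type") != dest_type or not value:
                problems.append(f"{label}: destination {dest!r} does not match {dest_type}")
                continue
            if field == "value" and not FQDN_RE.match(value):
                problems.append(f"{label}: {value!r} is not a host name or *.wildcard")
            if value.lower() in seen:
                problems.append(f"{label}: duplicate destination {value!r}")
            seen.add(value.lower())
        if not seen:
            problems.append(f"{label}: no usable destinations")
    return problems


def build_destination_update(existing_rule, new_fqdns):
    """Build the step 2.2 body: current destinations first, then the additions."""
    if existing_rule.get("ruleType") != "fqdn":
        raise ValueError("only fqdn rules are handled here")
    current = [d["value"] for d in existing_rule.get("destinations") or []]
    merged, seen = [], set()
    for value in current + list(new_fqdns):
        if not FQDN_RE.match(value):
            raise ValueError(f"not a host name or *.wildcard: {value!r}")
        if value.lower() not in seen:  # case-insensitive de-duplication
            seen.add(value.lower())
            merged.append({"@odata.type": NS + "fqdn", "value": value})
    return {"@odata.type": NS + "fqdnFilteringRule", "destinations": merged}


# Constructed sample: the step 2.1 request body.
POLICY = {
    "name": "AI and Bing",
    "action": "block",
    "policyRules": [
        {"@odata.type": NS + "webCategoryFilteringRule", "name": "AI",
         "ruleType": "webCategory",
         "destinations": [{"@odata.type": NS + "webCategory",
                           "name": "ArtificialIntelligence"}]},
        {"@odata.type": NS + "fqdnFilteringRule", "name": "bing FQDNs",
         "ruleType": "fqdn",
         "destinations": [{"@odata.type": NS + "fqdn", "value": "bing.com"},
                          {"@odata.type": NS + "fqdn", "value": "*.bing.com"}]},
    ],
}

if __name__ == "__main__":
    print(validate_policy(POLICY))
    print(build_destination_update(POLICY["policyRules"][1], ["bing.co.uk"]))
```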
Step 2.3: Create a filtering profile or security profile
Create a filtering or security profile to hold the policies and target it with the Conditional Access session control. After you create the profile, take note of the filtering profile ID for later use in the Conditional Access policy.
Request
POST https://graph.microsoft.com/beta/networkaccess/filteringProfiles
Content-type: application/json
{
"name": "Security Profile for UserA",
"state": "enabled",
"priority": 100,
"policies": []
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models.Networkaccess;
var requestBody = new FilteringProfile
{
Name = "Security Profile for UserA",
State = Status.Enabled,
Priority = 100L,
Policies = new List<PolicyLink>
{
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.NetworkAccess.FilteringProfiles.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodelsnetworkaccess "github.com/microsoftgraph/msgraph-beta-sdk-go/models/networkaccess"
//other-imports
)
requestBody := graphmodelsnetworkaccess.NewFilteringProfile()
name := "Security Profile for UserA"
requestBody.SetName(&name)
state := graphmodelsnetworkaccess.ENABLED_STATUS
requestBody.SetState(&state)
priority := int64(100)
requestBody.SetPriority(&priority)
policies := []graphmodelsnetworkaccess.PolicyLinkable {
}
requestBody.SetPolicies(policies)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
filteringProfiles, err := graphClient.NetworkAccess().FilteringProfiles().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.networkaccess.FilteringProfile filteringProfile = new com.microsoft.graph.beta.models.networkaccess.FilteringProfile();
filteringProfile.setName("Security Profile for UserA");
filteringProfile.setState(com.microsoft.graph.beta.models.networkaccess.Status.Enabled);
filteringProfile.setPriority(100L);
LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyLink> policies = new LinkedList<com.microsoft.graph.beta.models.networkaccess.PolicyLink>();
filteringProfile.setPolicies(policies);
com.microsoft.graph.beta.models.networkaccess.FilteringProfile result = graphClient.networkAccess().filteringProfiles().post(filteringProfile);
const options = {
authProvider,
};
const client = Client.init(options);
const filteringProfile = {
name: 'Security Profile for UserA',
state: 'enabled',
priority: 100,
policies: []
};
await client.api('/networkaccess/filteringProfiles')
.version('beta')
.post(filteringProfile);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\FilteringProfile;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\Status;
use Microsoft\Graph\Beta\Generated\Models\Networkaccess\PolicyLink;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new FilteringProfile();
$requestBody->setName('Security Profile for UserA');
$requestBody->setState(new Status('enabled'));
$requestBody->setPriority(100);
$requestBody->setPolicies([ ]);
$result = $graphServiceClient->networkAccess()->filteringProfiles()->post($requestBody)->wait();
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Import-Module Microsoft.Graph.Beta.NetworkAccess
$params = @{
name = "Security Profile for UserA"
state = "enabled"
priority = 100
policies = @(
)
}
New-MgBetaNetworkAccessFilteringProfile -BodyParameter $params
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.networkaccess.filtering_profile import FilteringProfile
from msgraph_beta.generated.models.networkaccess.status import Status
from msgraph_beta.generated.models.networkaccess.policy_link import PolicyLink
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = FilteringProfile(
name = "Security Profile for UserA",
state = Status.Enabled,
priority = 100,
policies = [
],
)
result = await graph_client.network_access.filtering_profiles.post(request_body)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"priority": 100,
"createdDateTime": "2025-02-05T18:27:31Z",
"id": "dddddddd-3333-4444-5555-eeeeeeeeeeee",
"name": "Security Profile for UserA",
"description": null,
"state": "enabled",
"version": "1.0.0",
"lastModifiedDateTime": "2025-02-05T18:27:31.660891Z"
}
Step 2.4: Link the filtering policy to the filtering profile or security profile
Request
POST https://graph.microsoft.com/beta/networkaccess/filteringProfiles/dddddddd-3333-4444-5555-eeeeeeeeeeee/policies
Content-type: application/json
{
  "priority": 100,
  "state": "enabled",
  "@odata.type": "#microsoft.graph.networkaccess.filteringPolicyLink",
  "loggingState": "enabled",
  "policy": {
    "id": "cccccccc-2222-3333-4444-dddddddddddd",
    "@odata.type": "#microsoft.graph.networkaccess.filteringPolicy"
  }
}
const options = {
authProvider,
};
const client = Client.init(options);
const policyLink = {
  priority: 100,
  state: 'enabled',
  '@odata.type': '#microsoft.graph.networkaccess.filteringPolicyLink',
  loggingState: 'enabled',
  policy: {
    id: 'cccccccc-2222-3333-4444-dddddddddddd',
    '@odata.type': '#microsoft.graph.networkaccess.filteringPolicy'
  }
};
await client.api('/networkaccess/filteringProfiles/dddddddd-3333-4444-5555-eeeeeeeeeeee/policies')
.version('beta')
.post(policyLink);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "dddddddd-9999-0000-1111-eeeeeeeeeeee",
"priority": 100,
"state": "enabled",
"version": "1.0.0",
"loggingState": "enabled",
"lastModifiedDateTime": "2025-02-05T18:31:32Z",
"createdDateTime": "2025-02-05T18:31:32Z",
"policy": {
"@odata.type": "#microsoft.graph.networkaccess.filteringPolicy",
"id": "cccccccc-2222-3333-4444-dddddddddddd",
"name": "AI and Bing",
"description": null,
"version": "1.0.0",
"lastModifiedDateTime": "2025-02-05T18:15:17.0759384Z",
"createdDateTime": "2025-02-05T18:15:16Z",
"action": "block"
}
}
Step 3: Link a Conditional Access policy
To enforce your filtering profile, you must link it to a Conditional Access (CA) policy. Doing so makes the contents of your filtering profile user-aware and context-aware. In this step, you create a CA policy with the following settings:
- Target it to a user with the ID 00aa00aa-bb11-cc22-dd33-44ee44ee44ee and the "All internet resources with Global Secure Access" app with appId 5dc48733-b5df-475c-a49b-fa307ef00853.
- Configure a globalSecureAccessFilteringProfile session control with the ID dddddddd-9999-0000-1111-eeeeeeeeeeee.
Request
POST https://graph.microsoft.com/beta/identity/conditionalAccess/policies
Content-type: application/json
{
"conditions": {
"applications": {
"includeApplications": [
"5dc48733-b5df-475c-a49b-fa307ef00853"
]
},
"users": {
"includeUsers": [
"00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
]
}
},
"displayName": "UserA Access to AI and Bing",
"sessionControls": {
"globalSecureAccessFilteringProfile": {
"profileId": "dddddddd-9999-0000-1111-eeeeeeeeeeee",
"isEnabled": true
}
},
"state": "enabled"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new ConditionalAccessPolicy
{
Conditions = new ConditionalAccessConditionSet
{
Applications = new ConditionalAccessApplications
{
IncludeApplications = new List<string>
{
"5dc48733-b5df-475c-a49b-fa307ef00853",
},
},
Users = new ConditionalAccessUsers
{
IncludeUsers = new List<string>
{
"00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
},
},
},
DisplayName = "UserA Access to AI and Bing",
SessionControls = new ConditionalAccessSessionControls
{
GlobalSecureAccessFilteringProfile = new GlobalSecureAccessFilteringProfileSessionControl
{
ProfileId = "dddddddd-9999-0000-1111-eeeeeeeeeeee",
IsEnabled = true,
},
},
State = ConditionalAccessPolicyState.Enabled,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Identity.ConditionalAccess.Policies.PostAsync(requestBody);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewConditionalAccessPolicy()
conditions := graphmodels.NewConditionalAccessConditionSet()
applications := graphmodels.NewConditionalAccessApplications()
includeApplications := []string {
"5dc48733-b5df-475c-a49b-fa307ef00853",
}
applications.SetIncludeApplications(includeApplications)
conditions.SetApplications(applications)
users := graphmodels.NewConditionalAccessUsers()
includeUsers := []string {
"00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
}
users.SetIncludeUsers(includeUsers)
conditions.SetUsers(users)
requestBody.SetConditions(conditions)
displayName := "UserA Access to AI and Bing"
requestBody.SetDisplayName(&displayName)
sessionControls := graphmodels.NewConditionalAccessSessionControls()
globalSecureAccessFilteringProfile := graphmodels.NewGlobalSecureAccessFilteringProfileSessionControl()
profileId := "dddddddd-9999-0000-1111-eeeeeeeeeeee"
globalSecureAccessFilteringProfile.SetProfileId(&profileId)
isEnabled := true
globalSecureAccessFilteringProfile.SetIsEnabled(&isEnabled)
sessionControls.SetGlobalSecureAccessFilteringProfile(globalSecureAccessFilteringProfile)
requestBody.SetSessionControls(sessionControls)
state := graphmodels.ENABLED_CONDITIONALACCESSPOLICYSTATE
requestBody.SetState(&state)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
policies, err := graphClient.Identity().ConditionalAccess().Policies().Post(context.Background(), requestBody, nil)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ConditionalAccessPolicy conditionalAccessPolicy = new ConditionalAccessPolicy();
ConditionalAccessConditionSet conditions = new ConditionalAccessConditionSet();
ConditionalAccessApplications applications = new ConditionalAccessApplications();
LinkedList<String> includeApplications = new LinkedList<String>();
includeApplications.add("5dc48733-b5df-475c-a49b-fa307ef00853");
applications.setIncludeApplications(includeApplications);
conditions.setApplications(applications);
ConditionalAccessUsers users = new ConditionalAccessUsers();
LinkedList<String> includeUsers = new LinkedList<String>();
includeUsers.add("00aa00aa-bb11-cc22-dd33-44ee44ee44ee");
users.setIncludeUsers(includeUsers);
conditions.setUsers(users);
conditionalAccessPolicy.setConditions(conditions);
conditionalAccessPolicy.setDisplayName("UserA Access to AI and Bing");
ConditionalAccessSessionControls sessionControls = new ConditionalAccessSessionControls();
GlobalSecureAccessFilteringProfileSessionControl globalSecureAccessFilteringProfile = new GlobalSecureAccessFilteringProfileSessionControl();
globalSecureAccessFilteringProfile.setProfileId("dddddddd-9999-0000-1111-eeeeeeeeeeee");
globalSecureAccessFilteringProfile.setIsEnabled(true);
sessionControls.setGlobalSecureAccessFilteringProfile(globalSecureAccessFilteringProfile);
conditionalAccessPolicy.setSessionControls(sessionControls);
conditionalAccessPolicy.setState(ConditionalAccessPolicyState.Enabled);
ConditionalAccessPolicy result = graphClient.identity().conditionalAccess().policies().post(conditionalAccessPolicy);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
const options = {
authProvider,
};
const client = Client.init(options);
const conditionalAccessPolicy = {
conditions: {
applications: {
includeApplications: [
'5dc48733-b5df-475c-a49b-fa307ef00853'
]
},
users: {
includeUsers: [
'00aa00aa-bb11-cc22-dd33-44ee44ee44ee'
]
}
},
displayName: 'UserA Access to AI and Bing',
sessionControls: {
globalSecureAccessFilteringProfile: {
profileId: 'dddddddd-9999-0000-1111-eeeeeeeeeeee',
isEnabled: true
}
},
state: 'enabled'
};
await client.api('/identity/conditionalAccess/policies')
.version('beta')
.post(conditionalAccessPolicy);
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicy;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessConditionSet;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessApplications;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessUsers;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessSessionControls;
use Microsoft\Graph\Beta\Generated\Models\GlobalSecureAccessFilteringProfileSessionControl;
use Microsoft\Graph\Beta\Generated\Models\ConditionalAccessPolicyState;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new ConditionalAccessPolicy();
$conditions = new ConditionalAccessConditionSet();
$conditionsApplications = new ConditionalAccessApplications();
$conditionsApplications->setIncludeApplications(['5dc48733-b5df-475c-a49b-fa307ef00853', ]);
$conditions->setApplications($conditionsApplications);
$conditionsUsers = new ConditionalAccessUsers();
$conditionsUsers->setIncludeUsers(['00aa00aa-bb11-cc22-dd33-44ee44ee44ee', ]);
$conditions->setUsers($conditionsUsers);
$requestBody->setConditions($conditions);
$requestBody->setDisplayName('UserA Access to AI and Bing');
$sessionControls = new ConditionalAccessSessionControls();
$sessionControlsGlobalSecureAccessFilteringProfile = new GlobalSecureAccessFilteringProfileSessionControl();
$sessionControlsGlobalSecureAccessFilteringProfile->setProfileId('dddddddd-9999-0000-1111-eeeeeeeeeeee');
$sessionControlsGlobalSecureAccessFilteringProfile->setIsEnabled(true);
$sessionControls->setGlobalSecureAccessFilteringProfile($sessionControlsGlobalSecureAccessFilteringProfile);
$requestBody->setSessionControls($sessionControls);
$requestBody->setState(new ConditionalAccessPolicyState('enabled'));
$result = $graphServiceClient->identity()->conditionalAccess()->policies()->post($requestBody)->wait();
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Import-Module Microsoft.Graph.Beta.Identity.SignIns
$params = @{
conditions = @{
applications = @{
includeApplications = @(
"5dc48733-b5df-475c-a49b-fa307ef00853"
)
}
users = @{
includeUsers = @(
"00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
)
}
}
displayName = "UserA Access to AI and Bing"
sessionControls = @{
globalSecureAccessFilteringProfile = @{
profileId = "dddddddd-9999-0000-1111-eeeeeeeeeeee"
isEnabled = $true
}
}
state = "enabled"
}
New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $params
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.conditional_access_policy import ConditionalAccessPolicy
from msgraph_beta.generated.models.conditional_access_condition_set import ConditionalAccessConditionSet
from msgraph_beta.generated.models.conditional_access_applications import ConditionalAccessApplications
from msgraph_beta.generated.models.conditional_access_users import ConditionalAccessUsers
from msgraph_beta.generated.models.conditional_access_session_controls import ConditionalAccessSessionControls
from msgraph_beta.generated.models.global_secure_access_filtering_profile_session_control import GlobalSecureAccessFilteringProfileSessionControl
from msgraph_beta.generated.models.conditional_access_policy_state import ConditionalAccessPolicyState
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ConditionalAccessPolicy(
conditions = ConditionalAccessConditionSet(
applications = ConditionalAccessApplications(
include_applications = [
"5dc48733-b5df-475c-a49b-fa307ef00853",
],
),
users = ConditionalAccessUsers(
include_users = [
"00aa00aa-bb11-cc22-dd33-44ee44ee44ee",
],
),
),
display_name = "UserA Access to AI and Bing",
session_controls = ConditionalAccessSessionControls(
global_secure_access_filtering_profile = GlobalSecureAccessFilteringProfileSessionControl(
profile_id = "dddddddd-9999-0000-1111-eeeeeeeeeeee",
is_enabled = True,
),
),
state = ConditionalAccessPolicyState.Enabled,
)
result = await graph_client.identity.conditional_access.policies.post(request_body)
Read the SDK documentation for details on how to add the SDK to your project and create an authProvider instance.
Response
HTTP/1.1 201 Created
Content-type: application/json
{
"id": "9c5fbb22-30ff-4a17-9b83-ea9fbf2912a9",
"templateId": null,
"displayName": "UserA Access to AI and Bing",
"createdDateTime": "2025-02-05T18:58:32.7622998Z",
"modifiedDateTime": null,
"state": "enabled",
"grantControls": null,
"partialEnablementStrategy": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"applications": {
"includeApplications": [
"5dc48733-b5df-475c-a49b-fa307ef00853"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null
},
"users": {
"includeUsers": [
"00aa00aa-bb11-cc22-dd33-44ee44ee44ee"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"sessionControls": {
"disableResilienceDefaults": null,
"applicationEnforcedRestrictions": null,
"cloudAppSecurity": null,
"signInFrequency": null,
"persistentBrowser": null,
"continuousAccessEvaluation": null,
"secureSignInSession": null,
"globalSecureAccessFilteringProfile": {
"profileId": "dddddddd-9999-0000-1111-eeeeeeeeeeee",
"isEnabled": true
}
}
}
Conclusion
Now that you've configured a security profile, or filtering profile, that blocks Artificial Intelligence and bing.com for the sample user, that user is blocked from accessing those sites.
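The block applies only if every object in the chain is enabled and the Conditional Access policy is enforced rather than report-only. The following added example (not part of the original tutorial or Microsoft's code) audits the three response bodies offline; the function name audit_enforcement and the trimmed sample dictionaries are assumptions constructed from the responses shown on this page.

```python
# Added example (not from the original page). Sample values are constructed
# from the response bodies shown in Steps 2.3, 2.4 and 3 of this tutorial.
GSA_INTERNET_APP_ID = "5dc48733-b5df-475c-a49b-fa307ef00853"  # appId from Step 3
USER_ID = "00aa00aa-bb11-cc22-dd33-44ee44ee44ee"

PROFILE = {"id": "dddddddd-3333-4444-5555-eeeeeeeeeeee", "state": "enabled"}
LINK = {"state": "enabled", "loggingState": "enabled",
        "policy": {"id": "cccccccc-2222-3333-4444-dddddddddddd", "action": "block"}}
CA_POLICY = {
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": [GSA_INTERNET_APP_ID]},
        "users": {"includeUsers": [USER_ID], "excludeUsers": []},
    },
    "sessionControls": {"globalSecureAccessFilteringProfile": {
        "profileId": "dddddddd-9999-0000-1111-eeeeeeeeeeee", "isEnabled": True}},
}


def audit_enforcement(profile, link, ca_policy, user_id):
    """Return findings that would stop the block applying to user_id or being logged."""
    findings = []
    if profile.get("state") != "enabled":
        findings.append("filtering profile is not enabled")
    if link.get("state") != "enabled":
        findings.append("policy link is not enabled")
    if link.get("loggingState") != "enabled":
        findings.append("logging is disabled on the policy link")
    if (link.get("policy") or {}).get("action") != "block":
        findings.append("linked filtering policy action is not 'block'")
    # 'enabledForReportingButNotEnforced' (report-only) does not enforce.
    if ca_policy.get("state") != "enabled":
        findings.append("CA policy state is %r" % ca_policy.get("state"))
    cond = ca_policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    users = cond.get("users") or {}
    if GSA_INTERNET_APP_ID not in apps:
        findings.append("CA policy does not target the Global Secure Access internet app")
    # Direct assignment only: group and role membership is not resolved here.
    included = users.get("includeUsers") or []
    if user_id not in included and "All" not in included:
        findings.append("user is not in includeUsers")
    if user_id in (users.get("excludeUsers") or []):
        findings.append("user is in excludeUsers")
    ctrl = (ca_policy.get("sessionControls") or {}).get(
        "globalSecureAccessFilteringProfile") or {}
    if not ctrl.get("isEnabled") or not ctrl.get("profileId"):
        findings.append("filtering-profile session control is disabled or has no profileId")
    return findings


if __name__ == "__main__":
    print(audit_enforcement(PROFILE, LINK, CA_POLICY, USER_ID) or "enforced")
```

An empty list means no finding; feed the function the bodies returned by GET requests on the same three resources to audit a live tenant.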
Related content