

appliedConditionalAccessPolicy resource type

Namespace: microsoft.graph


Indicates the attributes of the conditional access policy or policies that are triggered by a sign-in activity.

The data in this object is returned only for callers with privileges to read conditional access data. For more information, see Viewing applied conditional access (CA) policies in sign-ins.


| Property | Type | Description |
|---|---|---|
| authenticationStrength | authenticationStrength | The custom authentication strength enforced in a Conditional Access policy. |
| conditionsNotSatisfied | conditionalAccessConditions | Refers to the conditional access policy conditions that aren't satisfied. The possible values are: none, application, users, devicePlatform, location, clientType, signInRisk, userRisk, time, deviceState, client, ipAddressSeenByAzureAD, ipAddressSeenByResourceProvider, unknownFutureValue, servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. conditionalAccessConditions is a multi-valued enumeration and the property can contain multiple values in a comma-separated list. |
| conditionsSatisfied | conditionalAccessConditions | Refers to the conditional access policy conditions that are satisfied. The possible values are: none, application, users, devicePlatform, location, clientType, signInRisk, userRisk, time, deviceState, client, ipAddressSeenByAzureAD, ipAddressSeenByResourceProvider, unknownFutureValue, servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: servicePrincipals, servicePrincipalRisk, authenticationFlows, insiderRisk. conditionalAccessConditions is a multi-valued enumeration and the property can contain multiple values in a comma-separated list. |
| displayName | String | Name of the conditional access policy. |
| enforcedGrantControls | String collection | Refers to the grant controls enforced by the conditional access policy (example: "Require multifactor authentication"). |
| enforcedSessionControls | String collection | Refers to the session controls enforced by the conditional access policy (example: "Require app enforced controls"). |
| excludeRulesSatisfied | conditionalAccessRuleSatisfied collection | List of key-value pairs containing each matched exclude condition in the conditional access policy. Example: [{"devicePlatform" : "DevicePlatform"}] means the policy didn't apply, because the DevicePlatform condition was a match. |
| id | String | Identifier of the conditional access policy. |
| includeRulesSatisfied | conditionalAccessRuleSatisfied collection | List of key-value pairs containing each matched include condition in the conditional access policy. Example: [{ "application" : "AllApps"}, {"users": "Group"}] means the Application condition was a match because AllApps are included, and the Users condition was a match because the user was part of the included Group rule. |
| result | appliedConditionalAccessPolicyResult | Indicates the result of the CA policy that was triggered. Possible values are: success, failure, notApplied (policy isn't applied because policy conditions weren't met), notEnabled (the policy is in a disabled state), unknown, unknownFutureValue, reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied, reportOnlyInterrupted. |
| sessionControlsNotSatisfied | String collection | Refers to the session controls that a sign-in activity didn't satisfy (example: "Application enforced Restrictions"). |

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.appliedConditionalAccessPolicy",
  "id": "String (identifier)",
  "authenticationStrength": {"@odata.type": "microsoft.graph.authenticationStrength"},
  "displayName": "String",
  "enforcedGrantControls": [
    "String"
  ],
  "enforcedSessionControls": [
    "String"
  ],
  "conditionsSatisfied": "String",
  "conditionsNotSatisfied": "String",
  "includeRulesSatisfied": [
    {
      "@odata.type": "microsoft.graph.conditionalAccessRuleSatisfied"
    }
  ],
  "excludeRulesSatisfied": [
    {
      "@odata.type": "microsoft.graph.conditionalAccessRuleSatisfied"
    }
  ],
  "result": "String"
}
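
The following is an added example, not part of the original reference or Microsoft's own code. It shows how a sign-in log reviewer might interpret these properties: splitting the comma-separated conditions enum, using excludeRulesSatisfied to explain a notApplied result, and treating unknownFutureValue as a sign that the request lacked the Prefer header. The sample records, the `triage` function and its verdict labels are assumptions made for illustration.

```python
import json

# Constructed sample shaped like appliedConditionalAccessPolicy objects;
# IDs and display names are placeholders, not real policies.
SAMPLE = json.loads("""[
 {"id": "00000000-0000-0000-0000-000000000001",
  "displayName": "Example MFA policy", "result": "failure",
  "enforcedGrantControls": ["Require multifactor authentication"],
  "conditionsSatisfied": "application,users", "conditionsNotSatisfied": "none",
  "includeRulesSatisfied": [{"application": "AllApps"}, {"users": "Group"}],
  "excludeRulesSatisfied": []},
 {"id": "00000000-0000-0000-0000-000000000002",
  "displayName": "Example platform policy", "result": "notApplied",
  "conditionsSatisfied": "application, users", "conditionsNotSatisfied": "none",
  "includeRulesSatisfied": [],
  "excludeRulesSatisfied": [{"devicePlatform": "DevicePlatform"}]},
 {"id": "00000000-0000-0000-0000-000000000003",
  "displayName": "Example report-only policy", "result": "unknownFutureValue",
  "conditionsSatisfied": "users", "conditionsNotSatisfied": "location, clientType"}
]""")

def split_conditions(value):
    """Split the comma-separated multi-valued enum; 'none' means no conditions."""
    parts = [p.strip() for p in (value or "").split(",")]
    return [p for p in parts if p and p != "none"]

def triage(policy):
    """Return (verdict, unmet_conditions) for one applied policy entry."""
    result = policy.get("result", "unknown")
    unmet = split_conditions(policy.get("conditionsNotSatisfied"))
    if result == "unknownFutureValue":
        # Sentinel: the real value (for example a reportOnly* result) is hidden
        # until the request carries Prefer: include-unknown-enum-members.
        return "requery-with-prefer-header", unmet
    if result == "failure":
        return "controls-not-met", unmet
    if result == "reportOnlyFailure":
        return "report-only-would-fail", unmet
    if result in ("notApplied", "reportOnlyNotApplied"):
        # A matched exclude rule explains why the policy was skipped.
        excluded = bool(policy.get("excludeRulesSatisfied"))
        return ("excluded" if excluded else "out-of-scope"), unmet
    return result, unmet

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], *triage(p))
```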