Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update the properties of a tenantAppManagementPolicy object.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Policy.ReadWrite.ApplicationConfiguration | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Policy.ReadWrite.ApplicationConfiguration | Not available. |
Important
For delegated access using work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role that grants the permissions required for this operation. This operation supports the following built-in roles, which provide only the least privilege necessary:
- Cloud Application Administrator
- Application Administrator
HTTP request
PATCH /policies/defaultAppManagementPolicy
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply the values for relevant fields from the tenantAppManagementPolicy that should be updated. Existing properties that are not included in the request body will maintain their previous values. For best performance, don't include unchanged values in the request payload.
| Property | Type | Description |
|---|---|---|
| applicationRestrictions | appManagementApplicationConfiguration | Restrictions that apply as default to all application objects in the tenant. |
| displayName | String | The display name of the default policy. Inherited from policyBase. |
| description | String | The description of the default policy. Inherited from policyBase. |
| isEnabled | Boolean | Denotes if the policy is enabled. Default value is false. |
| servicePrincipalRestrictions | appManagementConfiguration | Restrictions that apply as default to all service principal objects in the tenant. |
Important
Service principals with a null createdDateTime are treated as having been created on 01/01/2019, so date-gated restrictions (restrictForAppsCreatedAfterDateTime) are evaluated against that date for them.
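Before setting isEnabled to true it is worth knowing which existing apps a policy like the one under Examples would actually affect. The dry-run evaluator below is an added example, not code from this page or from Microsoft: it copies the passwordCredentials and keyCredentials arrays of the example request into POLICY, applies the createdDateTime fallback stated above, and reports which restrictionType values would reject a credential operation for a handful of constructed app records. The mapping of restrictionType values to operations (OPERATIONS), the app records, the duration subset parsed, and the helper names are this example's own assumptions; the authoritative evaluation happens in Microsoft Entra, so treat the output as a planning aid.

```python
"""Dry-run evaluator for the credential restrictions of a tenantAppManagementPolicy.

Added example, not Microsoft's code. restrictionType-to-operation mapping and the
app records below are constructed assumptions for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Page rule: a null createdDateTime is treated as created on 2019-01-01.
NULL_CREATED_FALLBACK = datetime(2019, 1, 1, tzinfo=timezone.utc)

# Constructed policy: the credential sections of the page's example request.
POLICY = {
    "isEnabled": True,
    "applicationRestrictions": {
        "passwordCredentials": [
            {"restrictionType": "passwordAddition", "maxLifetime": None,
             "restrictForAppsCreatedAfterDateTime": "2021-01-01T10:37:00Z"},
            {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
             "restrictForAppsCreatedAfterDateTime": "2017-01-01T10:37:00Z"},
            {"restrictionType": "symmetricKeyAddition", "maxLifetime": None,
             "restrictForAppsCreatedAfterDateTime": "2021-01-01T10:37:00Z"},
            {"restrictionType": "customPasswordAddition", "maxLifetime": None,
             "restrictForAppsCreatedAfterDateTime": "2015-01-01T10:37:00Z"},
            {"restrictionType": "symmetricKeyLifetime", "maxLifetime": "P30D",
             "restrictForAppsCreatedAfterDateTime": "2015-01-01T10:37:00Z"},
        ],
        "keyCredentials": [
            {"restrictionType": "asymmetricKeyLifetime", "maxLifetime": "P30D",
             "restrictForAppsCreatedAfterDateTime": "2015-01-01T10:37:00Z"},
            {"restrictionType": "trustedCertificateAuthority", "maxLifetime": None,
             "restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z",
             "certificateBasedApplicationConfigurationIds": [
                 "eec5ba11-2fc0-4113-83a2-ed986ed13743",
                 "bb8e164b-f9ed-4b98-bc45-65eddc14f4c1"]},
        ],
    },
}

# Assumed model: (restriction that blocks the operation outright, restriction
# that caps the credential lifetime) for each operation an admin might attempt.
OPERATIONS = {
    "addPassword":     ("passwordAddition",     "passwordLifetime"),
    "addSymmetricKey": ("symmetricKeyAddition", "symmetricKeyLifetime"),
    "addCertificate":  (None,                   "asymmetricKeyLifetime"),
}

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse the ISO 8601 duration subset maxLifetime uses here (P90D, PT12H, ...)."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_time(text):
    """Parse a Graph DateTimeOffset such as 2021-01-01T10:37:00Z as an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def effective_created(app):
    """createdDateTime of the app, with the documented fallback for null."""
    created = app.get("createdDateTime")
    return parse_time(created) if created else NULL_CREATED_FALLBACK


def in_scope(restriction, app):
    """A restriction applies to apps created after its cutoff date."""
    return effective_created(app) > parse_time(restriction["restrictForAppsCreatedAfterDateTime"])


def blocked_by(policy, app, operation, lifetime, ca_config_id=None):
    """Return the restrictionType values that would reject this credential operation."""
    if not policy.get("isEnabled"):
        return []  # a disabled policy restricts nothing
    outright, cap = OPERATIONS[operation]
    bucket = "keyCredentials" if operation == "addCertificate" else "passwordCredentials"
    by_type = {r["restrictionType"]: r
               for r in policy["applicationRestrictions"].get(bucket, [])}
    reasons = []
    if outright and outright in by_type and in_scope(by_type[outright], app):
        reasons.append(outright)
    limit = by_type.get(cap)
    if (limit and limit.get("maxLifetime") and in_scope(limit, app)
            and parse_duration(lifetime) > parse_duration(limit["maxLifetime"])):
        reasons.append(cap)
    tca = by_type.get("trustedCertificateAuthority")
    if (operation == "addCertificate" and tca and in_scope(tca, app)
            and ca_config_id not in tca.get("certificateBasedApplicationConfigurationIds", [])):
        reasons.append("trustedCertificateAuthority")
    return reasons


def dry_run(policy, apps, operation, lifetime, ca_config_id=None):
    """Map each app's displayName to the restrictions that would block the operation."""
    return {a["displayName"]: blocked_by(policy, a, operation, lifetime, ca_config_id)
            for a in apps}


# Constructed app registrations, not real tenant data.
APPS = [
    {"displayName": "legacy-null-created", "createdDateTime": None},
    {"displayName": "old-app", "createdDateTime": "2016-06-01T00:00:00Z"},
    {"displayName": "new-app", "createdDateTime": "2023-05-01T00:00:00Z"},
]

if __name__ == "__main__":
    for op, life in (("addPassword", "P180D"), ("addPassword", "P30D")):
        print(op, life, dry_run(POLICY, APPS, op, life))
    print("addCertificate P30D", dry_run(POLICY, APPS, "addCertificate", "P30D", "unknown-ca"))
```

Because PATCH leaves properties that are not in the request body unchanged, a low-risk rollout is to PATCH the restrictions with isEnabled set to false, GET the policy back and feed it to a check like this one against the tenant's real application records, and only then PATCH {"isEnabled": true}.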
Response
If successful, this method returns a 204 No Content response code. It doesn't return anything in the response body.
Examples
Request
The following example shows a request that configures password credentials, key credentials, identifier URIs, and redirect URI restrictions.
PATCH https://graph.microsoft.com/beta/policies/defaultAppManagementPolicy
Content-Type: application/json
{
"isEnabled": true,
"applicationRestrictions": {
"passwordCredentials": [
{
"restrictionType": "passwordAddition",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2021-01-01T10:37:00Z"
},
{
"restrictionType": "passwordLifetime",
"maxLifetime": "P90D",
"restrictForAppsCreatedAfterDateTime": "2017-01-01T10:37:00Z"
},
{
"restrictionType": "symmetricKeyAddition",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2021-01-01T10:37:00Z"
},
{
"restrictionType": "customPasswordAddition",
"maxLifetime": null,
"restrictForAppsCreatedAfterDateTime": "2015-01-01T10:37:00Z"
},
{
"restrictionType": "symmetricKeyLifetime",
"maxLifetime": "P30D",
"restrictForAppsCreatedAfterDateTime": "2015-01-01T10:37:00Z"
}
],
"keyCredentials": [
{
"restrictionType": "asymmetricKeyLifetime",
"maxLifetime": "P30D",
"restrictForAppsCreatedAfterDateTime": "2015-01-01T10:37:00Z"
},
{
"restrictionType": "trustedCertificateAuthority",
"restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z",
"certificateBasedApplicationConfigurationIds": [
"eec5ba11-2fc0-4113-83a2-ed986ed13743",
"bb8e164b-f9ed-4b98-bc45-65eddc14f4c1"
],
"maxLifetime": null
}
],
"identifierUris": {
"nonDefaultUriAddition": {
"restrictForAppsCreatedAfterDateTime": "2024-01-01T10:37:00Z",
"excludeAppsReceivingV2Tokens": true,
"excludeSaml": true,
"excludeActors": {
"customSecurityAttributes": [
{
"@odata.type": "microsoft.graph.customSecurityAttributeStringValueExemption",
"id": "PolicyExemptions_AppManagementExemption",
"operator": "equals",
"value": "ExemptFromIdentifierUriAdditionRestriction"
}
]
}
}
},
"redirectUris": {
"uriWithBlockedScheme": {
"state": "enabled",
"blockedSchemes": [
"http",
"ftp"
],
"exemptFormats": [
"http://example.com/login"
],
"web": {
"blockedSchemes": [
"custom-ftps"
]
},
"spa": {
"blockedSchemes": [
"myapp"
],
"exemptFormats": [
"https://spa.example.com/auth"
]
},
"publicClient": {
"blockedSchemes": [
"msauth"
],
"exemptFormats": [
"https://public.example.com/auth"
]
}
},
"uriWithoutAllowedScheme": {
"state": "enabled",
"allowedSchemes": [
"https"
],
"web": {
"allowedSchemes": [
"https"
]
},
"spa": {
"allowedSchemes": [
"https",
"msal"
]
},
"publicClient": {
"allowedSchemes": [
"myapp"
]
}
},
"uriWithBlockedDomain": {
"state": "enabled",
"blockedDomains": [
"contoso-short.com",
"tempuri.org"
],
"web": {
"blockedDomains": [
"short.contoso.com"
]
},
"spa": {
"blockedDomains": [
"contoso.dev"
]
},
"publicClient": {
"blockedDomains": [
"mspreview.contoso.com"
]
}
},
"uriWithoutAllowedDomain": {
"state": "enabled",
"allowedDomains": [
"contoso.com",
"login.microsoftonline.com"
],
"web": {
"allowedDomains": [
"app.contoso.com"
]
},
"spa": {
"allowedDomains": [
"spa.contoso.com"
]
},
"publicClient": {
"allowedDomains": [
"app://contoso"
]
}
},
"uriWithWildcard": {
"state": "enabled",
"excludeFormats": {
"excludeWildcardsInPath": true,
"excludeWildcardsInPathWithDomains": [
"contoso.com",
"fabrikam.com"
]
}
}
}
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new TenantAppManagementPolicy
{
IsEnabled = true,
ApplicationRestrictions = new AppManagementApplicationConfiguration
{
PasswordCredentials = new List<PasswordCredentialConfiguration>
{
new PasswordCredentialConfiguration
{
RestrictionType = AppCredentialRestrictionType.PasswordAddition,
MaxLifetime = null,
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2021-01-01T10:37:00Z"),
},
new PasswordCredentialConfiguration
{
RestrictionType = AppCredentialRestrictionType.PasswordLifetime,
MaxLifetime = TimeSpan.FromDays(90), // P90D; TimeSpan.Parse does not accept ISO 8601 durations
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2017-01-01T10:37:00Z"),
},
new PasswordCredentialConfiguration
{
RestrictionType = AppCredentialRestrictionType.SymmetricKeyAddition,
MaxLifetime = null,
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2021-01-01T10:37:00Z"),
},
new PasswordCredentialConfiguration
{
RestrictionType = AppCredentialRestrictionType.CustomPasswordAddition,
MaxLifetime = null,
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2015-01-01T10:37:00Z"),
},
new PasswordCredentialConfiguration
{
RestrictionType = AppCredentialRestrictionType.SymmetricKeyLifetime,
MaxLifetime = TimeSpan.FromDays(30), // P30D
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2015-01-01T10:37:00Z"),
},
},
KeyCredentials = new List<KeyCredentialConfiguration>
{
new KeyCredentialConfiguration
{
RestrictionType = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
MaxLifetime = TimeSpan.FromDays(30), // P30D
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2015-01-01T10:37:00Z"),
},
new KeyCredentialConfiguration
{
RestrictionType = AppKeyCredentialRestrictionType.TrustedCertificateAuthority,
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2019-10-19T10:37:00Z"),
CertificateBasedApplicationConfigurationIds = new List<string>
{
"eec5ba11-2fc0-4113-83a2-ed986ed13743",
"bb8e164b-f9ed-4b98-bc45-65eddc14f4c1",
},
MaxLifetime = null,
},
},
IdentifierUris = new IdentifierUriConfiguration
{
NonDefaultUriAddition = new IdentifierUriRestriction
{
RestrictForAppsCreatedAfterDateTime = DateTimeOffset.Parse("2024-01-01T10:37:00Z"),
ExcludeAppsReceivingV2Tokens = true,
ExcludeSaml = true,
ExcludeActors = new AppManagementPolicyActorExemptions
{
CustomSecurityAttributes = new List<CustomSecurityAttributeExemption>
{
new CustomSecurityAttributeStringValueExemption
{
OdataType = "microsoft.graph.customSecurityAttributeStringValueExemption",
Id = "PolicyExemptions_AppManagementExemption",
Operator = CustomSecurityAttributeComparisonOperator.Equals,
Value = "ExemptFromIdentifierUriAdditionRestriction",
},
},
},
},
},
RedirectUris = new RedirectUriConfiguration
{
UriWithBlockedScheme = new RedirectUriBlockedSchemeConfiguration
{
State = AppManagementRestrictionState.Enabled,
BlockedSchemes = new List<string>
{
"http",
"ftp",
},
ExemptFormats = new List<string>
{
"http://example.com/login",
},
Web = new RedirectUriPlatformBlockedSchemeConfiguration
{
BlockedSchemes = new List<string>
{
"custom-ftps",
},
},
Spa = new RedirectUriPlatformBlockedSchemeConfiguration
{
BlockedSchemes = new List<string>
{
"myapp",
},
ExemptFormats = new List<string>
{
"https://spa.example.com/auth",
},
},
PublicClient = new RedirectUriPlatformBlockedSchemeConfiguration
{
BlockedSchemes = new List<string>
{
"msauth",
},
ExemptFormats = new List<string>
{
"https://public.example.com/auth",
},
},
},
UriWithoutAllowedScheme = new RedirectUriAllowedSchemeConfiguration
{
State = AppManagementRestrictionState.Enabled,
AllowedSchemes = new List<string>
{
"https",
},
Web = new RedirectUriPlatformAllowedSchemeConfiguration
{
AllowedSchemes = new List<string>
{
"https",
},
},
Spa = new RedirectUriPlatformAllowedSchemeConfiguration
{
AllowedSchemes = new List<string>
{
"https",
"msal",
},
},
PublicClient = new RedirectUriPlatformAllowedSchemeConfiguration
{
AllowedSchemes = new List<string>
{
"myapp",
},
},
},
UriWithBlockedDomain = new RedirectUriBlockedDomainConfiguration
{
State = AppManagementRestrictionState.Enabled,
BlockedDomains = new List<string>
{
"contoso-short.com",
"tempuri.org",
},
Web = new RedirectUriPlatformBlockedDomainConfiguration
{
BlockedDomains = new List<string>
{
"short.contoso.com",
},
},
Spa = new RedirectUriPlatformBlockedDomainConfiguration
{
BlockedDomains = new List<string>
{
"contoso.dev",
},
},
PublicClient = new RedirectUriPlatformBlockedDomainConfiguration
{
BlockedDomains = new List<string>
{
"mspreview.contoso.com",
},
},
},
UriWithoutAllowedDomain = new RedirectUriAllowedDomainConfiguration
{
State = AppManagementRestrictionState.Enabled,
AllowedDomains = new List<string>
{
"contoso.com",
"login.microsoftonline.com",
},
Web = new RedirectUriPlatformAllowedDomainConfiguration
{
AllowedDomains = new List<string>
{
"app.contoso.com",
},
},
Spa = new RedirectUriPlatformAllowedDomainConfiguration
{
AllowedDomains = new List<string>
{
"spa.contoso.com",
},
},
PublicClient = new RedirectUriPlatformAllowedDomainConfiguration
{
AllowedDomains = new List<string>
{
"app://contoso",
},
},
},
UriWithWildcard = new RedirectUriWildcardConfiguration
{
State = AppManagementRestrictionState.Enabled,
ExcludeFormats = new RedirectUriWildcardExcludeFormats
{
ExcludeWildcardsInPath = true,
ExcludeWildcardsInPathWithDomains = new List<string>
{
"contoso.com",
"fabrikam.com",
},
},
},
},
},
};
// To initialize your graphClient, see https://mms.heiai.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.DefaultAppManagementPolicy.PatchAsync(requestBody);
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
    "context"
    "time"

    "github.com/microsoft/kiota-abstractions-go/serialization"
    msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
    graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
    //other-imports
)

// Helpers for the fixed literals in this example. Go has no null: a restriction
// with no lifetime cap passes nil to SetMaxLifetime.
parseTime := func(s string) *time.Time {
    t, err := time.Parse(time.RFC3339, s)
    if err != nil {
        panic(err) // a malformed timestamp literal is a programming error
    }
    return &t
}
parseDuration := func(s string) *serialization.ISODuration {
    d, err := serialization.ParseISODuration(s) // ISODuration comes from kiota-abstractions-go
    if err != nil {
        panic(err)
    }
    return d
}
newPasswordRestriction := func(restrictionType graphmodels.AppCredentialRestrictionType, maxLifetime *serialization.ISODuration, createdAfter string) graphmodels.PasswordCredentialConfigurationable {
    c := graphmodels.NewPasswordCredentialConfiguration()
    c.SetRestrictionType(&restrictionType)
    c.SetMaxLifetime(maxLifetime)
    c.SetRestrictForAppsCreatedAfterDateTime(parseTime(createdAfter))
    return c
}
newKeyRestriction := func(restrictionType graphmodels.AppKeyCredentialRestrictionType, maxLifetime *serialization.ISODuration, createdAfter string) graphmodels.KeyCredentialConfigurationable {
    c := graphmodels.NewKeyCredentialConfiguration()
    c.SetRestrictionType(&restrictionType)
    c.SetMaxLifetime(maxLifetime)
    c.SetRestrictForAppsCreatedAfterDateTime(parseTime(createdAfter))
    return c
}
enabled := graphmodels.ENABLED_APPMANAGEMENTRESTRICTIONSTATE

requestBody := graphmodels.NewTenantAppManagementPolicy()
isEnabled := true
requestBody.SetIsEnabled(&isEnabled)
applicationRestrictions := graphmodels.NewAppManagementApplicationConfiguration()

// Password credential restrictions: addition is blocked outright for apps created
// after the cutoff; lifetime restrictions cap maxLifetime.
applicationRestrictions.SetPasswordCredentials([]graphmodels.PasswordCredentialConfigurationable{
    newPasswordRestriction(graphmodels.PASSWORDADDITION_APPCREDENTIALRESTRICTIONTYPE, nil, "2021-01-01T10:37:00Z"),
    newPasswordRestriction(graphmodels.PASSWORDLIFETIME_APPCREDENTIALRESTRICTIONTYPE, parseDuration("P90D"), "2017-01-01T10:37:00Z"),
    newPasswordRestriction(graphmodels.SYMMETRICKEYADDITION_APPCREDENTIALRESTRICTIONTYPE, nil, "2021-01-01T10:37:00Z"),
    newPasswordRestriction(graphmodels.CUSTOMPASSWORDADDITION_APPCREDENTIALRESTRICTIONTYPE, nil, "2015-01-01T10:37:00Z"),
    newPasswordRestriction(graphmodels.SYMMETRICKEYLIFETIME_APPCREDENTIALRESTRICTIONTYPE, parseDuration("P30D"), "2015-01-01T10:37:00Z"),
})

// Key credential restrictions, including the trusted-CA allow list.
trustedCA := newKeyRestriction(graphmodels.TRUSTEDCERTIFICATEAUTHORITY_APPKEYCREDENTIALRESTRICTIONTYPE, nil, "2019-10-19T10:37:00Z")
trustedCA.SetCertificateBasedApplicationConfigurationIds([]string{
    "eec5ba11-2fc0-4113-83a2-ed986ed13743",
    "bb8e164b-f9ed-4b98-bc45-65eddc14f4c1",
})
applicationRestrictions.SetKeyCredentials([]graphmodels.KeyCredentialConfigurationable{
    newKeyRestriction(graphmodels.ASYMMETRICKEYLIFETIME_APPKEYCREDENTIALRESTRICTIONTYPE, parseDuration("P30D"), "2015-01-01T10:37:00Z"),
    trustedCA,
})

// Identifier URI restriction with a custom security attribute exemption.
identifierUris := graphmodels.NewIdentifierUriConfiguration()
nonDefaultUriAddition := graphmodels.NewIdentifierUriRestriction()
nonDefaultUriAddition.SetRestrictForAppsCreatedAfterDateTime(parseTime("2024-01-01T10:37:00Z"))
excludeAppsReceivingV2Tokens := true
nonDefaultUriAddition.SetExcludeAppsReceivingV2Tokens(&excludeAppsReceivingV2Tokens)
excludeSaml := true
nonDefaultUriAddition.SetExcludeSaml(&excludeSaml)
excludeActors := graphmodels.NewAppManagementPolicyActorExemptions()
customSecurityAttributeExemption := graphmodels.NewCustomSecurityAttributeStringValueExemption()
id := "PolicyExemptions_AppManagementExemption"
customSecurityAttributeExemption.SetId(&id)
operator := graphmodels.EQUALS_CUSTOMSECURITYATTRIBUTECOMPARISONOPERATOR
customSecurityAttributeExemption.SetOperator(&operator)
value := "ExemptFromIdentifierUriAdditionRestriction"
customSecurityAttributeExemption.SetValue(&value)
excludeActors.SetCustomSecurityAttributes([]graphmodels.CustomSecurityAttributeExemptionable{
    customSecurityAttributeExemption,
})
nonDefaultUriAddition.SetExcludeActors(excludeActors)
identifierUris.SetNonDefaultUriAddition(nonDefaultUriAddition)
applicationRestrictions.SetIdentifierUris(identifierUris)

// Redirect URI restrictions. Each platform section (web, spa, publicClient) gets
// its own configuration object; the top-level lists apply across platforms.
redirectUris := graphmodels.NewRedirectUriConfiguration()

uriWithBlockedScheme := graphmodels.NewRedirectUriBlockedSchemeConfiguration()
uriWithBlockedScheme.SetState(&enabled)
uriWithBlockedScheme.SetBlockedSchemes([]string{"http", "ftp"})
uriWithBlockedScheme.SetExemptFormats([]string{"http://example.com/login"})
blockedSchemeWeb := graphmodels.NewRedirectUriPlatformBlockedSchemeConfiguration()
blockedSchemeWeb.SetBlockedSchemes([]string{"custom-ftps"})
uriWithBlockedScheme.SetWeb(blockedSchemeWeb)
blockedSchemeSpa := graphmodels.NewRedirectUriPlatformBlockedSchemeConfiguration()
blockedSchemeSpa.SetBlockedSchemes([]string{"myapp"})
blockedSchemeSpa.SetExemptFormats([]string{"https://spa.example.com/auth"})
uriWithBlockedScheme.SetSpa(blockedSchemeSpa)
blockedSchemePublicClient := graphmodels.NewRedirectUriPlatformBlockedSchemeConfiguration()
blockedSchemePublicClient.SetBlockedSchemes([]string{"msauth"})
blockedSchemePublicClient.SetExemptFormats([]string{"https://public.example.com/auth"})
uriWithBlockedScheme.SetPublicClient(blockedSchemePublicClient)
redirectUris.SetUriWithBlockedScheme(uriWithBlockedScheme)

uriWithoutAllowedScheme := graphmodels.NewRedirectUriAllowedSchemeConfiguration()
uriWithoutAllowedScheme.SetState(&enabled)
uriWithoutAllowedScheme.SetAllowedSchemes([]string{"https"})
allowedSchemeWeb := graphmodels.NewRedirectUriPlatformAllowedSchemeConfiguration()
allowedSchemeWeb.SetAllowedSchemes([]string{"https"})
uriWithoutAllowedScheme.SetWeb(allowedSchemeWeb)
allowedSchemeSpa := graphmodels.NewRedirectUriPlatformAllowedSchemeConfiguration()
allowedSchemeSpa.SetAllowedSchemes([]string{"https", "msal"})
uriWithoutAllowedScheme.SetSpa(allowedSchemeSpa)
allowedSchemePublicClient := graphmodels.NewRedirectUriPlatformAllowedSchemeConfiguration()
allowedSchemePublicClient.SetAllowedSchemes([]string{"myapp"})
uriWithoutAllowedScheme.SetPublicClient(allowedSchemePublicClient)
redirectUris.SetUriWithoutAllowedScheme(uriWithoutAllowedScheme)

uriWithBlockedDomain := graphmodels.NewRedirectUriBlockedDomainConfiguration()
uriWithBlockedDomain.SetState(&enabled)
uriWithBlockedDomain.SetBlockedDomains([]string{"contoso-short.com", "tempuri.org"})
blockedDomainWeb := graphmodels.NewRedirectUriPlatformBlockedDomainConfiguration()
blockedDomainWeb.SetBlockedDomains([]string{"short.contoso.com"})
uriWithBlockedDomain.SetWeb(blockedDomainWeb)
blockedDomainSpa := graphmodels.NewRedirectUriPlatformBlockedDomainConfiguration()
blockedDomainSpa.SetBlockedDomains([]string{"contoso.dev"})
uriWithBlockedDomain.SetSpa(blockedDomainSpa)
blockedDomainPublicClient := graphmodels.NewRedirectUriPlatformBlockedDomainConfiguration()
blockedDomainPublicClient.SetBlockedDomains([]string{"mspreview.contoso.com"})
uriWithBlockedDomain.SetPublicClient(blockedDomainPublicClient)
redirectUris.SetUriWithBlockedDomain(uriWithBlockedDomain)

uriWithoutAllowedDomain := graphmodels.NewRedirectUriAllowedDomainConfiguration()
uriWithoutAllowedDomain.SetState(&enabled)
uriWithoutAllowedDomain.SetAllowedDomains([]string{"contoso.com", "login.microsoftonline.com"})
allowedDomainWeb := graphmodels.NewRedirectUriPlatformAllowedDomainConfiguration()
allowedDomainWeb.SetAllowedDomains([]string{"app.contoso.com"})
uriWithoutAllowedDomain.SetWeb(allowedDomainWeb)
allowedDomainSpa := graphmodels.NewRedirectUriPlatformAllowedDomainConfiguration()
allowedDomainSpa.SetAllowedDomains([]string{"spa.contoso.com"})
uriWithoutAllowedDomain.SetSpa(allowedDomainSpa)
allowedDomainPublicClient := graphmodels.NewRedirectUriPlatformAllowedDomainConfiguration()
allowedDomainPublicClient.SetAllowedDomains([]string{"app://contoso"})
uriWithoutAllowedDomain.SetPublicClient(allowedDomainPublicClient)
redirectUris.SetUriWithoutAllowedDomain(uriWithoutAllowedDomain)

uriWithWildcard := graphmodels.NewRedirectUriWildcardConfiguration()
uriWithWildcard.SetState(&enabled)
excludeFormats := graphmodels.NewRedirectUriWildcardExcludeFormats()
excludeWildcardsInPath := true
excludeFormats.SetExcludeWildcardsInPath(&excludeWildcardsInPath)
excludeFormats.SetExcludeWildcardsInPathWithDomains([]string{"contoso.com", "fabrikam.com"})
uriWithWildcard.SetExcludeFormats(excludeFormats)
redirectUris.SetUriWithWildcard(uriWithWildcard)

applicationRestrictions.SetRedirectUris(redirectUris)
requestBody.SetApplicationRestrictions(applicationRestrictions)
// To initialize your graphClient, see https://mms.heiai.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
// A successful PATCH returns 204 No Content, so the returned policy is nil; check err.
defaultAppManagementPolicy, err := graphClient.Policies().DefaultAppManagementPolicy().Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
TenantAppManagementPolicy tenantAppManagementPolicy = new TenantAppManagementPolicy();
tenantAppManagementPolicy.setIsEnabled(true);
AppManagementApplicationConfiguration applicationRestrictions = new AppManagementApplicationConfiguration();
LinkedList<PasswordCredentialConfiguration> passwordCredentials = new LinkedList<PasswordCredentialConfiguration>();
PasswordCredentialConfiguration passwordCredentialConfiguration = new PasswordCredentialConfiguration();
passwordCredentialConfiguration.setRestrictionType(AppCredentialRestrictionType.PasswordAddition);
passwordCredentialConfiguration.setMaxLifetime(null);
OffsetDateTime restrictForAppsCreatedAfterDateTime = OffsetDateTime.parse("2021-01-01T10:37:00Z");
passwordCredentialConfiguration.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime);
passwordCredentials.add(passwordCredentialConfiguration);
PasswordCredentialConfiguration passwordCredentialConfiguration1 = new PasswordCredentialConfiguration();
passwordCredentialConfiguration1.setRestrictionType(AppCredentialRestrictionType.PasswordLifetime);
PeriodAndDuration maxLifetime1 = PeriodAndDuration.ofDuration(Duration.parse("P90D"));
passwordCredentialConfiguration1.setMaxLifetime(maxLifetime1);
OffsetDateTime restrictForAppsCreatedAfterDateTime1 = OffsetDateTime.parse("2017-01-01T10:37:00Z");
passwordCredentialConfiguration1.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime1);
passwordCredentials.add(passwordCredentialConfiguration1);
PasswordCredentialConfiguration passwordCredentialConfiguration2 = new PasswordCredentialConfiguration();
passwordCredentialConfiguration2.setRestrictionType(AppCredentialRestrictionType.SymmetricKeyAddition);
passwordCredentialConfiguration2.setMaxLifetime(null);
OffsetDateTime restrictForAppsCreatedAfterDateTime2 = OffsetDateTime.parse("2021-01-01T10:37:00Z");
passwordCredentialConfiguration2.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime2);
passwordCredentials.add(passwordCredentialConfiguration2);
PasswordCredentialConfiguration passwordCredentialConfiguration3 = new PasswordCredentialConfiguration();
passwordCredentialConfiguration3.setRestrictionType(AppCredentialRestrictionType.CustomPasswordAddition);
passwordCredentialConfiguration3.setMaxLifetime(null);
OffsetDateTime restrictForAppsCreatedAfterDateTime3 = OffsetDateTime.parse("2015-01-01T10:37:00Z");
passwordCredentialConfiguration3.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime3);
passwordCredentials.add(passwordCredentialConfiguration3);
PasswordCredentialConfiguration passwordCredentialConfiguration4 = new PasswordCredentialConfiguration();
passwordCredentialConfiguration4.setRestrictionType(AppCredentialRestrictionType.SymmetricKeyLifetime);
PeriodAndDuration maxLifetime4 = PeriodAndDuration.ofDuration(Duration.parse("P30D"));
passwordCredentialConfiguration4.setMaxLifetime(maxLifetime4);
OffsetDateTime restrictForAppsCreatedAfterDateTime4 = OffsetDateTime.parse("2015-01-01T10:37:00Z");
passwordCredentialConfiguration4.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime4);
passwordCredentials.add(passwordCredentialConfiguration4);
applicationRestrictions.setPasswordCredentials(passwordCredentials);
LinkedList<KeyCredentialConfiguration> keyCredentials = new LinkedList<KeyCredentialConfiguration>();
KeyCredentialConfiguration keyCredentialConfiguration = new KeyCredentialConfiguration();
keyCredentialConfiguration.setRestrictionType(AppKeyCredentialRestrictionType.AsymmetricKeyLifetime);
PeriodAndDuration maxLifetime5 = PeriodAndDuration.ofDuration(Duration.parse("P30D"));
keyCredentialConfiguration.setMaxLifetime(maxLifetime5);
OffsetDateTime restrictForAppsCreatedAfterDateTime5 = OffsetDateTime.parse("2015-01-01T10:37:00Z");
keyCredentialConfiguration.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime5);
keyCredentials.add(keyCredentialConfiguration);
KeyCredentialConfiguration keyCredentialConfiguration1 = new KeyCredentialConfiguration();
keyCredentialConfiguration1.setRestrictionType(AppKeyCredentialRestrictionType.TrustedCertificateAuthority);
OffsetDateTime restrictForAppsCreatedAfterDateTime6 = OffsetDateTime.parse("2019-10-19T10:37:00Z");
keyCredentialConfiguration1.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime6);
LinkedList<String> certificateBasedApplicationConfigurationIds = new LinkedList<String>();
certificateBasedApplicationConfigurationIds.add("eec5ba11-2fc0-4113-83a2-ed986ed13743");
certificateBasedApplicationConfigurationIds.add("bb8e164b-f9ed-4b98-bc45-65eddc14f4c1");
keyCredentialConfiguration1.setCertificateBasedApplicationConfigurationIds(certificateBasedApplicationConfigurationIds);
keyCredentialConfiguration1.setMaxLifetime(null);
keyCredentials.add(keyCredentialConfiguration1);
applicationRestrictions.setKeyCredentials(keyCredentials);
IdentifierUriConfiguration identifierUris = new IdentifierUriConfiguration();
IdentifierUriRestriction nonDefaultUriAddition = new IdentifierUriRestriction();
OffsetDateTime restrictForAppsCreatedAfterDateTime7 = OffsetDateTime.parse("2024-01-01T10:37:00Z");
nonDefaultUriAddition.setRestrictForAppsCreatedAfterDateTime(restrictForAppsCreatedAfterDateTime7);
nonDefaultUriAddition.setExcludeAppsReceivingV2Tokens(true);
nonDefaultUriAddition.setExcludeSaml(true);
AppManagementPolicyActorExemptions excludeActors = new AppManagementPolicyActorExemptions();
LinkedList<CustomSecurityAttributeExemption> customSecurityAttributes = new LinkedList<CustomSecurityAttributeExemption>();
CustomSecurityAttributeStringValueExemption customSecurityAttributeExemption = new CustomSecurityAttributeStringValueExemption();
customSecurityAttributeExemption.setOdataType("microsoft.graph.customSecurityAttributeStringValueExemption");
customSecurityAttributeExemption.setId("PolicyExemptions_AppManagementExemption");
customSecurityAttributeExemption.setOperator(CustomSecurityAttributeComparisonOperator.Equals);
customSecurityAttributeExemption.setValue("ExemptFromIdentifierUriAdditionRestriction");
customSecurityAttributes.add(customSecurityAttributeExemption);
excludeActors.setCustomSecurityAttributes(customSecurityAttributes);
nonDefaultUriAddition.setExcludeActors(excludeActors);
identifierUris.setNonDefaultUriAddition(nonDefaultUriAddition);
applicationRestrictions.setIdentifierUris(identifierUris);
RedirectUriConfiguration redirectUris = new RedirectUriConfiguration();
RedirectUriBlockedSchemeConfiguration uriWithBlockedScheme = new RedirectUriBlockedSchemeConfiguration();
uriWithBlockedScheme.setState(AppManagementRestrictionState.Enabled);
LinkedList<String> blockedSchemes = new LinkedList<String>();
blockedSchemes.add("http");
blockedSchemes.add("ftp");
uriWithBlockedScheme.setBlockedSchemes(blockedSchemes);
LinkedList<String> exemptFormats = new LinkedList<String>();
exemptFormats.add("http://example.com/login");
uriWithBlockedScheme.setExemptFormats(exemptFormats);
RedirectUriPlatformBlockedSchemeConfiguration web = new RedirectUriPlatformBlockedSchemeConfiguration();
LinkedList<String> blockedSchemes1 = new LinkedList<String>();
blockedSchemes1.add("custom-ftps");
web.setBlockedSchemes(blockedSchemes1);
uriWithBlockedScheme.setWeb(web);
RedirectUriPlatformBlockedSchemeConfiguration spa = new RedirectUriPlatformBlockedSchemeConfiguration();
LinkedList<String> blockedSchemes2 = new LinkedList<String>();
blockedSchemes2.add("myapp");
spa.setBlockedSchemes(blockedSchemes2);
LinkedList<String> exemptFormats1 = new LinkedList<String>();
exemptFormats1.add("https://spa.example.com/auth");
spa.setExemptFormats(exemptFormats1);
uriWithBlockedScheme.setSpa(spa);
RedirectUriPlatformBlockedSchemeConfiguration publicClient = new RedirectUriPlatformBlockedSchemeConfiguration();
LinkedList<String> blockedSchemes3 = new LinkedList<String>();
blockedSchemes3.add("msauth");
publicClient.setBlockedSchemes(blockedSchemes3);
LinkedList<String> exemptFormats2 = new LinkedList<String>();
exemptFormats2.add("https://public.example.com/auth");
publicClient.setExemptFormats(exemptFormats2);
uriWithBlockedScheme.setPublicClient(publicClient);
redirectUris.setUriWithBlockedScheme(uriWithBlockedScheme);
RedirectUriAllowedSchemeConfiguration uriWithoutAllowedScheme = new RedirectUriAllowedSchemeConfiguration();
uriWithoutAllowedScheme.setState(AppManagementRestrictionState.Enabled);
LinkedList<String> allowedSchemes = new LinkedList<String>();
allowedSchemes.add("https");
uriWithoutAllowedScheme.setAllowedSchemes(allowedSchemes);
RedirectUriPlatformAllowedSchemeConfiguration web1 = new RedirectUriPlatformAllowedSchemeConfiguration();
LinkedList<String> allowedSchemes1 = new LinkedList<String>();
allowedSchemes1.add("https");
web1.setAllowedSchemes(allowedSchemes1);
uriWithoutAllowedScheme.setWeb(web1);
RedirectUriPlatformAllowedSchemeConfiguration spa1 = new RedirectUriPlatformAllowedSchemeConfiguration();
LinkedList<String> allowedSchemes2 = new LinkedList<String>();
allowedSchemes2.add("https");
allowedSchemes2.add("msal");
spa1.setAllowedSchemes(allowedSchemes2);
uriWithoutAllowedScheme.setSpa(spa1);
RedirectUriPlatformAllowedSchemeConfiguration publicClient1 = new RedirectUriPlatformAllowedSchemeConfiguration();
LinkedList<String> allowedSchemes3 = new LinkedList<String>();
allowedSchemes3.add("myapp");
publicClient1.setAllowedSchemes(allowedSchemes3);
uriWithoutAllowedScheme.setPublicClient(publicClient1);
redirectUris.setUriWithoutAllowedScheme(uriWithoutAllowedScheme);
RedirectUriBlockedDomainConfiguration uriWithBlockedDomain = new RedirectUriBlockedDomainConfiguration();
uriWithBlockedDomain.setState(AppManagementRestrictionState.Enabled);
LinkedList<String> blockedDomains = new LinkedList<String>();
blockedDomains.add("contoso-short.com");
blockedDomains.add("tempuri.org");
uriWithBlockedDomain.setBlockedDomains(blockedDomains);
RedirectUriPlatformBlockedDomainConfiguration web2 = new RedirectUriPlatformBlockedDomainConfiguration();
LinkedList<String> blockedDomains1 = new LinkedList<String>();
blockedDomains1.add("short.contoso.com");
web2.setBlockedDomains(blockedDomains1);
uriWithBlockedDomain.setWeb(web2);
RedirectUriPlatformBlockedDomainConfiguration spa2 = new RedirectUriPlatformBlockedDomainConfiguration();
LinkedList<String> blockedDomains2 = new LinkedList<String>();
blockedDomains2.add("contoso.dev");
spa2.setBlockedDomains(blockedDomains2);
uriWithBlockedDomain.setSpa(spa2);
RedirectUriPlatformBlockedDomainConfiguration publicClient2 = new RedirectUriPlatformBlockedDomainConfiguration();
LinkedList<String> blockedDomains3 = new LinkedList<String>();
blockedDomains3.add("mspreview.contoso.com");
publicClient2.setBlockedDomains(blockedDomains3);
uriWithBlockedDomain.setPublicClient(publicClient2);
redirectUris.setUriWithBlockedDomain(uriWithBlockedDomain);
RedirectUriAllowedDomainConfiguration uriWithoutAllowedDomain = new RedirectUriAllowedDomainConfiguration();
uriWithoutAllowedDomain.setState(AppManagementRestrictionState.Enabled);
LinkedList<String> allowedDomains = new LinkedList<String>();
allowedDomains.add("contoso.com");
allowedDomains.add("login.microsoftonline.com");
uriWithoutAllowedDomain.setAllowedDomains(allowedDomains);
RedirectUriPlatformAllowedDomainConfiguration web3 = new RedirectUriPlatformAllowedDomainConfiguration();
LinkedList<String> allowedDomains1 = new LinkedList<String>();
allowedDomains1.add("app.contoso.com");
web3.setAllowedDomains(allowedDomains1);
uriWithoutAllowedDomain.setWeb(web3);
RedirectUriPlatformAllowedDomainConfiguration spa3 = new RedirectUriPlatformAllowedDomainConfiguration();
LinkedList<String> allowedDomains2 = new LinkedList<String>();
allowedDomains2.add("spa.contoso.com");
spa3.setAllowedDomains(allowedDomains2);
uriWithoutAllowedDomain.setSpa(spa3);
RedirectUriPlatformAllowedDomainConfiguration publicClient3 = new RedirectUriPlatformAllowedDomainConfiguration();
LinkedList<String> allowedDomains3 = new LinkedList<String>();
allowedDomains3.add("app://contoso");
publicClient3.setAllowedDomains(allowedDomains3);
uriWithoutAllowedDomain.setPublicClient(publicClient3);
redirectUris.setUriWithoutAllowedDomain(uriWithoutAllowedDomain);
RedirectUriWildcardConfiguration uriWithWildcard = new RedirectUriWildcardConfiguration();
uriWithWildcard.setState(AppManagementRestrictionState.Enabled);
RedirectUriWildcardExcludeFormats excludeFormats = new RedirectUriWildcardExcludeFormats();
excludeFormats.setExcludeWildcardsInPath(true);
LinkedList<String> excludeWildcardsInPathWithDomains = new LinkedList<String>();
excludeWildcardsInPathWithDomains.add("contoso.com");
excludeWildcardsInPathWithDomains.add("fabrikam.com");
excludeFormats.setExcludeWildcardsInPathWithDomains(excludeWildcardsInPathWithDomains);
uriWithWildcard.setExcludeFormats(excludeFormats);
redirectUris.setUriWithWildcard(uriWithWildcard);
applicationRestrictions.setRedirectUris(redirectUris);
tenantAppManagementPolicy.setApplicationRestrictions(applicationRestrictions);
TenantAppManagementPolicy result = graphClient.policies().defaultAppManagementPolicy().patch(tenantAppManagementPolicy);
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
const options = {
authProvider,
};
const client = Client.init(options);
const tenantAppManagementPolicy = {
isEnabled: true,
applicationRestrictions: {
passwordCredentials: [
{
restrictionType: 'passwordAddition',
maxLifetime: null,
restrictForAppsCreatedAfterDateTime: '2021-01-01T10:37:00Z'
},
{
restrictionType: 'passwordLifetime',
maxLifetime: 'P90D',
restrictForAppsCreatedAfterDateTime: '2017-01-01T10:37:00Z'
},
{
restrictionType: 'symmetricKeyAddition',
maxLifetime: null,
restrictForAppsCreatedAfterDateTime: '2021-01-01T10:37:00Z'
},
{
restrictionType: 'customPasswordAddition',
maxLifetime: null,
restrictForAppsCreatedAfterDateTime: '2015-01-01T10:37:00Z'
},
{
restrictionType: 'symmetricKeyLifetime',
maxLifetime: 'P30D',
restrictForAppsCreatedAfterDateTime: '2015-01-01T10:37:00Z'
}
],
keyCredentials: [
{
restrictionType: 'asymmetricKeyLifetime',
maxLifetime: 'P30D',
restrictForAppsCreatedAfterDateTime: '2015-01-01T10:37:00Z'
},
{
restrictionType: 'trustedCertificateAuthority',
restrictForAppsCreatedAfterDateTime: '2019-10-19T10:37:00Z',
certificateBasedApplicationConfigurationIds: [
'eec5ba11-2fc0-4113-83a2-ed986ed13743',
'bb8e164b-f9ed-4b98-bc45-65eddc14f4c1'
],
maxLifetime: null
}
],
identifierUris: {
nonDefaultUriAddition: {
restrictForAppsCreatedAfterDateTime: '2024-01-01T10:37:00Z',
excludeAppsReceivingV2Tokens: true,
excludeSaml: true,
excludeActors: {
customSecurityAttributes: [
{
'@odata.type': 'microsoft.graph.customSecurityAttributeStringValueExemption',
id: 'PolicyExemptions_AppManagementExemption',
operator: 'equals',
value: 'ExemptFromIdentifierUriAdditionRestriction'
}
]
}
}
},
redirectUris: {
uriWithBlockedScheme: {
state: 'enabled',
blockedSchemes: [
'http',
'ftp'
],
exemptFormats: [
'http://example.com/login'
],
web: {
blockedSchemes: [
'custom-ftps'
]
},
spa: {
blockedSchemes: [
'myapp'
],
exemptFormats: [
'https://spa.example.com/auth'
]
},
publicClient: {
blockedSchemes: [
'msauth'
],
exemptFormats: [
'https://public.example.com/auth'
]
}
},
uriWithoutAllowedScheme: {
state: 'enabled',
allowedSchemes: [
'https'
],
web: {
allowedSchemes: [
'https'
]
},
spa: {
allowedSchemes: [
'https',
'msal'
]
},
publicClient: {
allowedSchemes: [
'myapp'
]
}
},
uriWithBlockedDomain: {
state: 'enabled',
blockedDomains: [
'contoso-short.com',
'tempuri.org'
],
web: {
blockedDomains: [
'short.contoso.com'
]
},
spa: {
blockedDomains: [
'contoso.dev'
]
},
publicClient: {
blockedDomains: [
'mspreview.contoso.com'
]
}
},
uriWithoutAllowedDomain: {
state: 'enabled',
allowedDomains: [
'contoso.com',
'login.microsoftonline.com'
],
web: {
allowedDomains: [
'app.contoso.com'
]
},
spa: {
allowedDomains: [
'spa.contoso.com'
]
},
publicClient: {
allowedDomains: [
'app://contoso'
]
}
},
uriWithWildcard: {
state: 'enabled',
excludeFormats: {
excludeWildcardsInPath: true,
excludeWildcardsInPathWithDomains: [
'contoso.com',
'fabrikam.com'
]
}
}
}
}
};
await client.api('/policies/defaultAppManagementPolicy')
.version('beta')
.update(tenantAppManagementPolicy);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\TenantAppManagementPolicy;
use Microsoft\Graph\Beta\Generated\Models\AppManagementApplicationConfiguration;
use Microsoft\Graph\Beta\Generated\Models\PasswordCredentialConfiguration;
use Microsoft\Graph\Beta\Generated\Models\AppCredentialRestrictionType;
use Microsoft\Graph\Beta\Generated\Models\KeyCredentialConfiguration;
use Microsoft\Graph\Beta\Generated\Models\AppKeyCredentialRestrictionType;
use Microsoft\Graph\Beta\Generated\Models\IdentifierUriConfiguration;
use Microsoft\Graph\Beta\Generated\Models\IdentifierUriRestriction;
use Microsoft\Graph\Beta\Generated\Models\AppManagementPolicyActorExemptions;
use Microsoft\Graph\Beta\Generated\Models\CustomSecurityAttributeExemption;
use Microsoft\Graph\Beta\Generated\Models\CustomSecurityAttributeStringValueExemption;
use Microsoft\Graph\Beta\Generated\Models\CustomSecurityAttributeComparisonOperator;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriBlockedSchemeConfiguration;
use Microsoft\Graph\Beta\Generated\Models\AppManagementRestrictionState;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriPlatformBlockedSchemeConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriAllowedSchemeConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriPlatformAllowedSchemeConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriBlockedDomainConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriPlatformBlockedDomainConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriAllowedDomainConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriPlatformAllowedDomainConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriWildcardConfiguration;
use Microsoft\Graph\Beta\Generated\Models\RedirectUriWildcardExcludeFormats;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new TenantAppManagementPolicy();
$requestBody->setIsEnabled(true);
$applicationRestrictions = new AppManagementApplicationConfiguration();
$passwordCredentialsPasswordCredentialConfiguration1 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration1->setRestrictionType(new AppCredentialRestrictionType('passwordAddition'));
$passwordCredentialsPasswordCredentialConfiguration1->setMaxLifetime(null);
$passwordCredentialsPasswordCredentialConfiguration1->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2021-01-01T10:37:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration1;
$passwordCredentialsPasswordCredentialConfiguration2 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration2->setRestrictionType(new AppCredentialRestrictionType('passwordLifetime'));
$passwordCredentialsPasswordCredentialConfiguration2->setMaxLifetime(new \DateInterval('P90D'));
$passwordCredentialsPasswordCredentialConfiguration2->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2017-01-01T10:37:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration2;
$passwordCredentialsPasswordCredentialConfiguration3 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration3->setRestrictionType(new AppCredentialRestrictionType('symmetricKeyAddition'));
$passwordCredentialsPasswordCredentialConfiguration3->setMaxLifetime(null);
$passwordCredentialsPasswordCredentialConfiguration3->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2021-01-01T10:37:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration3;
$passwordCredentialsPasswordCredentialConfiguration4 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration4->setRestrictionType(new AppCredentialRestrictionType('customPasswordAddition'));
$passwordCredentialsPasswordCredentialConfiguration4->setMaxLifetime(null);
$passwordCredentialsPasswordCredentialConfiguration4->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2015-01-01T10:37:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration4;
$passwordCredentialsPasswordCredentialConfiguration5 = new PasswordCredentialConfiguration();
$passwordCredentialsPasswordCredentialConfiguration5->setRestrictionType(new AppCredentialRestrictionType('symmetricKeyLifetime'));
$passwordCredentialsPasswordCredentialConfiguration5->setMaxLifetime(new \DateInterval('P30D'));
$passwordCredentialsPasswordCredentialConfiguration5->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2015-01-01T10:37:00Z'));
$passwordCredentialsArray []= $passwordCredentialsPasswordCredentialConfiguration5;
$applicationRestrictions->setPasswordCredentials($passwordCredentialsArray);
$keyCredentialsKeyCredentialConfiguration1 = new KeyCredentialConfiguration();
$keyCredentialsKeyCredentialConfiguration1->setRestrictionType(new AppKeyCredentialRestrictionType('asymmetricKeyLifetime'));
$keyCredentialsKeyCredentialConfiguration1->setMaxLifetime(new \DateInterval('P30D'));
$keyCredentialsKeyCredentialConfiguration1->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2015-01-01T10:37:00Z'));
$keyCredentialsArray []= $keyCredentialsKeyCredentialConfiguration1;
$keyCredentialsKeyCredentialConfiguration2 = new KeyCredentialConfiguration();
$keyCredentialsKeyCredentialConfiguration2->setRestrictionType(new AppKeyCredentialRestrictionType('trustedCertificateAuthority'));
$keyCredentialsKeyCredentialConfiguration2->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2019-10-19T10:37:00Z'));
$keyCredentialsKeyCredentialConfiguration2->setCertificateBasedApplicationConfigurationIds(['eec5ba11-2fc0-4113-83a2-ed986ed13743', 'bb8e164b-f9ed-4b98-bc45-65eddc14f4c1', ]);
$keyCredentialsKeyCredentialConfiguration2->setMaxLifetime(null);
$keyCredentialsArray []= $keyCredentialsKeyCredentialConfiguration2;
$applicationRestrictions->setKeyCredentials($keyCredentialsArray);
$applicationRestrictionsIdentifierUris = new IdentifierUriConfiguration();
$applicationRestrictionsIdentifierUrisNonDefaultUriAddition = new IdentifierUriRestriction();
$applicationRestrictionsIdentifierUrisNonDefaultUriAddition->setRestrictForAppsCreatedAfterDateTime(new \DateTime('2024-01-01T10:37:00Z'));
$applicationRestrictionsIdentifierUrisNonDefaultUriAddition->setExcludeAppsReceivingV2Tokens(true);
$applicationRestrictionsIdentifierUrisNonDefaultUriAddition->setExcludeSaml(true);
$applicationRestrictionsIdentifierUrisNonDefaultUriAdditionExcludeActors = new AppManagementPolicyActorExemptions();
$customSecurityAttributesCustomSecurityAttributeExemption1 = new CustomSecurityAttributeStringValueExemption();
$customSecurityAttributesCustomSecurityAttributeExemption1->setOdataType('microsoft.graph.customSecurityAttributeStringValueExemption');
$customSecurityAttributesCustomSecurityAttributeExemption1->setId('PolicyExemptions_AppManagementExemption');
$customSecurityAttributesCustomSecurityAttributeExemption1->setOperator(new CustomSecurityAttributeComparisonOperator('equals'));
$customSecurityAttributesCustomSecurityAttributeExemption1->setValue('ExemptFromIdentifierUriAdditionRestriction');
$customSecurityAttributesArray []= $customSecurityAttributesCustomSecurityAttributeExemption1;
$applicationRestrictionsIdentifierUrisNonDefaultUriAdditionExcludeActors->setCustomSecurityAttributes($customSecurityAttributesArray);
$applicationRestrictionsIdentifierUrisNonDefaultUriAddition->setExcludeActors($applicationRestrictionsIdentifierUrisNonDefaultUriAdditionExcludeActors);
$applicationRestrictionsIdentifierUris->setNonDefaultUriAddition($applicationRestrictionsIdentifierUrisNonDefaultUriAddition);
$applicationRestrictions->setIdentifierUris($applicationRestrictionsIdentifierUris);
$applicationRestrictionsRedirectUris = new RedirectUriConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedScheme = new RedirectUriBlockedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedScheme->setState(new AppManagementRestrictionState('enabled'));
$applicationRestrictionsRedirectUrisUriWithBlockedScheme->setBlockedSchemes(['http', 'ftp', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedScheme->setExemptFormats(['http://example.com/login', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedSchemeWeb = new RedirectUriPlatformBlockedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedSchemeWeb->setBlockedSchemes(['custom-ftps', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedScheme->setWeb($applicationRestrictionsRedirectUrisUriWithBlockedSchemeWeb);
$applicationRestrictionsRedirectUrisUriWithBlockedSchemeSpa = new RedirectUriPlatformBlockedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedSchemeSpa->setBlockedSchemes(['myapp', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedSchemeSpa->setExemptFormats(['https://spa.example.com/auth', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedScheme->setSpa($applicationRestrictionsRedirectUrisUriWithBlockedSchemeSpa);
$applicationRestrictionsRedirectUrisUriWithBlockedSchemePublicClient = new RedirectUriPlatformBlockedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedSchemePublicClient->setBlockedSchemes(['msauth', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedSchemePublicClient->setExemptFormats(['https://public.example.com/auth', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedScheme->setPublicClient($applicationRestrictionsRedirectUrisUriWithBlockedSchemePublicClient);
$applicationRestrictionsRedirectUris->setUriWithBlockedScheme($applicationRestrictionsRedirectUrisUriWithBlockedScheme);
$applicationRestrictionsRedirectUrisUriWithoutAllowedScheme = new RedirectUriAllowedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedScheme->setState(new AppManagementRestrictionState('enabled'));
$applicationRestrictionsRedirectUrisUriWithoutAllowedScheme->setAllowedSchemes(['https', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedSchemeWeb = new RedirectUriPlatformAllowedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedSchemeWeb->setAllowedSchemes(['https', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedScheme->setWeb($applicationRestrictionsRedirectUrisUriWithoutAllowedSchemeWeb);
$applicationRestrictionsRedirectUrisUriWithoutAllowedSchemeSpa = new RedirectUriPlatformAllowedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedSchemeSpa->setAllowedSchemes(['https', 'msal', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedScheme->setSpa($applicationRestrictionsRedirectUrisUriWithoutAllowedSchemeSpa);
$applicationRestrictionsRedirectUrisUriWithoutAllowedSchemePublicClient = new RedirectUriPlatformAllowedSchemeConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedSchemePublicClient->setAllowedSchemes(['myapp', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedScheme->setPublicClient($applicationRestrictionsRedirectUrisUriWithoutAllowedSchemePublicClient);
$applicationRestrictionsRedirectUris->setUriWithoutAllowedScheme($applicationRestrictionsRedirectUrisUriWithoutAllowedScheme);
$applicationRestrictionsRedirectUrisUriWithBlockedDomain = new RedirectUriBlockedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedDomain->setState(new AppManagementRestrictionState('enabled'));
$applicationRestrictionsRedirectUrisUriWithBlockedDomain->setBlockedDomains(['contoso-short.com', 'tempuri.org', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedDomainWeb = new RedirectUriPlatformBlockedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedDomainWeb->setBlockedDomains(['short.contoso.com', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedDomain->setWeb($applicationRestrictionsRedirectUrisUriWithBlockedDomainWeb);
$applicationRestrictionsRedirectUrisUriWithBlockedDomainSpa = new RedirectUriPlatformBlockedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedDomainSpa->setBlockedDomains(['contoso.dev', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedDomain->setSpa($applicationRestrictionsRedirectUrisUriWithBlockedDomainSpa);
$applicationRestrictionsRedirectUrisUriWithBlockedDomainPublicClient = new RedirectUriPlatformBlockedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithBlockedDomainPublicClient->setBlockedDomains(['mspreview.contoso.com', ]);
$applicationRestrictionsRedirectUrisUriWithBlockedDomain->setPublicClient($applicationRestrictionsRedirectUrisUriWithBlockedDomainPublicClient);
$applicationRestrictionsRedirectUris->setUriWithBlockedDomain($applicationRestrictionsRedirectUrisUriWithBlockedDomain);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomain = new RedirectUriAllowedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomain->setState(new AppManagementRestrictionState('enabled'));
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomain->setAllowedDomains(['contoso.com', 'login.microsoftonline.com', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomainWeb = new RedirectUriPlatformAllowedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomainWeb->setAllowedDomains(['app.contoso.com', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomain->setWeb($applicationRestrictionsRedirectUrisUriWithoutAllowedDomainWeb);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomainSpa = new RedirectUriPlatformAllowedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomainSpa->setAllowedDomains(['spa.contoso.com', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomain->setSpa($applicationRestrictionsRedirectUrisUriWithoutAllowedDomainSpa);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomainPublicClient = new RedirectUriPlatformAllowedDomainConfiguration();
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomainPublicClient->setAllowedDomains(['app://contoso', ]);
$applicationRestrictionsRedirectUrisUriWithoutAllowedDomain->setPublicClient($applicationRestrictionsRedirectUrisUriWithoutAllowedDomainPublicClient);
$applicationRestrictionsRedirectUris->setUriWithoutAllowedDomain($applicationRestrictionsRedirectUrisUriWithoutAllowedDomain);
$applicationRestrictionsRedirectUrisUriWithWildcard = new RedirectUriWildcardConfiguration();
$applicationRestrictionsRedirectUrisUriWithWildcard->setState(new AppManagementRestrictionState('enabled'));
$applicationRestrictionsRedirectUrisUriWithWildcardExcludeFormats = new RedirectUriWildcardExcludeFormats();
$applicationRestrictionsRedirectUrisUriWithWildcardExcludeFormats->setExcludeWildcardsInPath(true);
$applicationRestrictionsRedirectUrisUriWithWildcardExcludeFormats->setExcludeWildcardsInPathWithDomains(['contoso.com', 'fabrikam.com', ]);
$applicationRestrictionsRedirectUrisUriWithWildcard->setExcludeFormats($applicationRestrictionsRedirectUrisUriWithWildcardExcludeFormats);
$applicationRestrictionsRedirectUris->setUriWithWildcard($applicationRestrictionsRedirectUrisUriWithWildcard);
$applicationRestrictions->setRedirectUris($applicationRestrictionsRedirectUris);
$requestBody->setApplicationRestrictions($applicationRestrictions);
$result = $graphServiceClient->policies()->defaultAppManagementPolicy()->patch($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Identity.SignIns
$params = @{
isEnabled = $true
applicationRestrictions = @{
passwordCredentials = @(
@{
restrictionType = "passwordAddition"
maxLifetime = $null
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
}
@{
restrictionType = "passwordLifetime"
maxLifetime = "P90D"
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2017-01-01T10:37:00Z")
}
@{
restrictionType = "symmetricKeyAddition"
maxLifetime = $null
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2021-01-01T10:37:00Z")
}
@{
restrictionType = "customPasswordAddition"
maxLifetime = $null
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
}
@{
restrictionType = "symmetricKeyLifetime"
maxLifetime = "P30D"
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
}
)
keyCredentials = @(
@{
restrictionType = "asymmetricKeyLifetime"
maxLifetime = "P30D"
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2015-01-01T10:37:00Z")
}
@{
restrictionType = "trustedCertificateAuthority"
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2019-10-19T10:37:00Z")
certificateBasedApplicationConfigurationIds = @(
"eec5ba11-2fc0-4113-83a2-ed986ed13743"
"bb8e164b-f9ed-4b98-bc45-65eddc14f4c1"
)
maxLifetime = $null
}
)
identifierUris = @{
nonDefaultUriAddition = @{
restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2024-01-01T10:37:00Z")
excludeAppsReceivingV2Tokens = $true
excludeSaml = $true
excludeActors = @{
customSecurityAttributes = @(
@{
"@odata.type" = "microsoft.graph.customSecurityAttributeStringValueExemption"
id = "PolicyExemptions_AppManagementExemption"
operator = "equals"
value = "ExemptFromIdentifierUriAdditionRestriction"
}
)
}
}
}
redirectUris = @{
uriWithBlockedScheme = @{
state = "enabled"
blockedSchemes = @(
"http"
"ftp"
)
exemptFormats = @(
"http://example.com/login"
)
web = @{
blockedSchemes = @(
"custom-ftps"
)
}
spa = @{
blockedSchemes = @(
"myapp"
)
exemptFormats = @(
"https://spa.example.com/auth"
)
}
publicClient = @{
blockedSchemes = @(
"msauth"
)
exemptFormats = @(
"https://public.example.com/auth"
)
}
}
uriWithoutAllowedScheme = @{
state = "enabled"
allowedSchemes = @(
"https"
)
web = @{
allowedSchemes = @(
"https"
)
}
spa = @{
allowedSchemes = @(
"https"
"msal"
)
}
publicClient = @{
allowedSchemes = @(
"myapp"
)
}
}
uriWithBlockedDomain = @{
state = "enabled"
blockedDomains = @(
"contoso-short.com"
"tempuri.org"
)
web = @{
blockedDomains = @(
"short.contoso.com"
)
}
spa = @{
blockedDomains = @(
"contoso.dev"
)
}
publicClient = @{
blockedDomains = @(
"mspreview.contoso.com"
)
}
}
uriWithoutAllowedDomain = @{
state = "enabled"
allowedDomains = @(
"contoso.com"
"login.microsoftonline.com"
)
web = @{
allowedDomains = @(
"app.contoso.com"
)
}
spa = @{
allowedDomains = @(
"spa.contoso.com"
)
}
publicClient = @{
allowedDomains = @(
"app://contoso"
)
}
}
uriWithWildcard = @{
state = "enabled"
excludeFormats = @{
excludeWildcardsInPath = $true
excludeWildcardsInPathWithDomains = @(
"contoso.com"
"fabrikam.com"
)
}
}
}
}
}
Update-MgBetaPolicyDefaultAppManagementPolicy -BodyParameter $params
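Before sending the PATCH above, it is worth knowing which applications each restriction will actually govern. Every restriction carries a restrictForAppsCreatedAfterDateTime cutoff that is compared with the app's createdDateTime (an object with a null createdDateTime is treated as created on 01/01/2019, as noted at the top of this page), and nonDefaultUriAddition additionally skips SAML apps, apps that receive v2 tokens, and operations performed by an actor (the calling user or service principal, not the target app) that carries the custom security attribute listed under excludeActors. The following is an added example, not code from the Microsoft Graph documentation or SDKs: an offline dry run of a trimmed copy of the request body above against a constructed inventory. Rules marked as assumptions (strict "after" comparison, exact case-sensitive match for the equals operator, preferredSingleSignOnMode == "saml" as the SAML signal) are this example's reading of the property names, not statements from the page.

```python
# Added example (not from the Microsoft Graph docs or SDKs): offline dry run of the
# app management policy body above against a constructed app inventory, to show which
# apps each restriction would govern. Lines marked "assumption" are not page text.
from __future__ import annotations

from datetime import datetime, timezone

# Stated on this page: an object whose createdDateTime is null is treated as
# having been created on 01/01/2019.
NULL_CREATED_DATETIME = datetime(2019, 1, 1, tzinfo=timezone.utc)

# Trimmed copy of applicationRestrictions from the request body above (isEnabled = true).
POLICY = {
    "passwordCredentials": [
        {"restrictionType": "passwordAddition",
         "restrictForAppsCreatedAfterDateTime": "2021-01-01T10:37:00Z"},
        {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
         "restrictForAppsCreatedAfterDateTime": "2017-01-01T10:37:00Z"},
    ],
    "keyCredentials": [
        {"restrictionType": "trustedCertificateAuthority",
         "restrictForAppsCreatedAfterDateTime": "2019-10-19T10:37:00Z"},
    ],
    "identifierUris": {"nonDefaultUriAddition": {
        "restrictForAppsCreatedAfterDateTime": "2024-01-01T10:37:00Z",
        "excludeAppsReceivingV2Tokens": True,
        "excludeSaml": True,
        "excludeActors": {"customSecurityAttributes": [{
            "id": "PolicyExemptions_AppManagementExemption",
            "operator": "equals",
            "value": "ExemptFromIdentifierUriAdditionRestriction"}]},
    }},
}

# Constructed inventory keyed by a label. createdDateTime and api.requestedAccessTokenVersion
# are application properties; preferredSingleSignOnMode is copied in from the app's service
# principal so SAML apps can be recognised (assumption: that is the signal used).
APPS = {
    "legacy": {"createdDateTime": None},
    "created-2022": {"createdDateTime": "2022-05-01T00:00:00Z"},
    "created-2024": {"createdDateTime": "2024-03-01T00:00:00Z"},
    "v2-tokens": {"createdDateTime": "2024-06-01T00:00:00Z",
                  "api": {"requestedAccessTokenVersion": 2}},
    "saml": {"createdDateTime": "2024-06-01T00:00:00Z", "preferredSingleSignOnMode": "saml"},
}

# Constructed actors (the user or service principal performing the operation), with
# custom security attributes in the shape Graph returns them: {attributeSet: {attributeName: value}}.
PLAIN_ACTOR = {"id": "user-plain"}
EXEMPT_ACTOR = {"id": "user-exempt", "customSecurityAttributes": {
    "PolicyExemptions": {"AppManagementExemption": "ExemptFromIdentifierUriAdditionRestriction"}}}


def parse_graph_datetime(value: str) -> datetime:
    # Graph emits RFC 3339 with a trailing Z, which fromisoformat() needs as an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def effective_created(app: dict) -> datetime:
    raw = app.get("createdDateTime")
    return parse_graph_datetime(raw) if raw else NULL_CREATED_DATETIME


def created_after(app: dict, restriction: dict) -> bool:
    # Assumption: "after" is a strict comparison against the configured timestamp.
    cutoff = parse_graph_datetime(restriction["restrictForAppsCreatedAfterDateTime"])
    return effective_created(app) > cutoff


def applicable_credential_restrictions(app: dict, policy: dict) -> list[str]:
    """restrictionType values (password and key) whose date window covers this app."""
    return [r["restrictionType"]
            for bucket in ("passwordCredentials", "keyCredentials")
            for r in policy.get(bucket, [])
            if created_after(app, r)]


def actor_matches_exemption(actor: dict, exemption: dict) -> bool:
    # The exemption id is "<attributeSet>_<attributeName>". Only the 'equals' operator used
    # in the body above is handled; assumption: exact, case-sensitive string comparison.
    if exemption.get("operator", "equals") != "equals":
        raise NotImplementedError(exemption["operator"])
    attr_set, _, attr_name = exemption["id"].partition("_")
    attrs = actor.get("customSecurityAttributes") or {}
    return attrs.get(attr_set, {}).get(attr_name) == exemption["value"]


def uri_addition_blocked(app: dict, actor: dict, policy: dict) -> bool:
    """Would nonDefaultUriAddition stop this actor adding a non-default identifier URI to this app?"""
    rule = policy.get("identifierUris", {}).get("nonDefaultUriAddition")
    if not rule or not created_after(app, rule):
        return False
    if rule.get("excludeAppsReceivingV2Tokens") and (app.get("api") or {}).get("requestedAccessTokenVersion") == 2:
        return False
    if rule.get("excludeSaml") and app.get("preferredSingleSignOnMode") == "saml":
        return False
    exemptions = (rule.get("excludeActors") or {}).get("customSecurityAttributes") or []
    return not any(actor_matches_exemption(actor, e) for e in exemptions)


def dry_run(policy: dict, apps: dict, actor: dict) -> dict[str, dict]:
    return {label: {"credentialRestrictions": applicable_credential_restrictions(app, policy),
                    "uriAdditionBlocked": uri_addition_blocked(app, actor, policy)}
            for label, app in apps.items()}


if __name__ == "__main__":
    for label, verdict in dry_run(POLICY, APPS, PLAIN_ACTOR).items():
        print(f"{label:13} {verdict}")
```

Run against a real tenant by replacing APPS with the output of listing applications (createdDateTime, api) joined with each app's service principal, and PLAIN_ACTOR with the caller's user or service principal object expanded with customSecurityAttributes. The legacy entry is the case to watch: an app with no createdDateTime counts as created in 2019, so it falls under passwordLifetime (cutoff 2017) but not under passwordAddition (cutoff 2021).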
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.tenant_app_management_policy import TenantAppManagementPolicy
from msgraph_beta.generated.models.app_management_application_configuration import AppManagementApplicationConfiguration
from msgraph_beta.generated.models.password_credential_configuration import PasswordCredentialConfiguration
from msgraph_beta.generated.models.app_credential_restriction_type import AppCredentialRestrictionType
from msgraph_beta.generated.models.key_credential_configuration import KeyCredentialConfiguration
from msgraph_beta.generated.models.app_key_credential_restriction_type import AppKeyCredentialRestrictionType
from msgraph_beta.generated.models.identifier_uri_configuration import IdentifierUriConfiguration
from msgraph_beta.generated.models.identifier_uri_restriction import IdentifierUriRestriction
from msgraph_beta.generated.models.app_management_policy_actor_exemptions import AppManagementPolicyActorExemptions
from msgraph_beta.generated.models.custom_security_attribute_exemption import CustomSecurityAttributeExemption
from msgraph_beta.generated.models.custom_security_attribute_string_value_exemption import CustomSecurityAttributeStringValueExemption
from msgraph_beta.generated.models.custom_security_attribute_comparison_operator import CustomSecurityAttributeComparisonOperator
from msgraph_beta.generated.models.redirect_uri_configuration import RedirectUriConfiguration
from msgraph_beta.generated.models.redirect_uri_blocked_scheme_configuration import RedirectUriBlockedSchemeConfiguration
from msgraph_beta.generated.models.app_management_restriction_state import AppManagementRestrictionState
from msgraph_beta.generated.models.redirect_uri_platform_blocked_scheme_configuration import RedirectUriPlatformBlockedSchemeConfiguration
from msgraph_beta.generated.models.redirect_uri_allowed_scheme_configuration import RedirectUriAllowedSchemeConfiguration
from msgraph_beta.generated.models.redirect_uri_platform_allowed_scheme_configuration import RedirectUriPlatformAllowedSchemeConfiguration
from msgraph_beta.generated.models.redirect_uri_blocked_domain_configuration import RedirectUriBlockedDomainConfiguration
from msgraph_beta.generated.models.redirect_uri_platform_blocked_domain_configuration import RedirectUriPlatformBlockedDomainConfiguration
from msgraph_beta.generated.models.redirect_uri_allowed_domain_configuration import RedirectUriAllowedDomainConfiguration
from msgraph_beta.generated.models.redirect_uri_platform_allowed_domain_configuration import RedirectUriPlatformAllowedDomainConfiguration
from msgraph_beta.generated.models.redirect_uri_wildcard_configuration import RedirectUriWildcardConfiguration
from msgraph_beta.generated.models.redirect_uri_wildcard_exclude_formats import RedirectUriWildcardExcludeFormats
# To initialize your graph_client, see https://mms.heiai.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
# Build the PATCH body. restrict_for_apps_created_after_date_time sets the app
# creation date from which each restriction is enforced.
request_body = TenantAppManagementPolicy(
    is_enabled = True,
    application_restrictions = AppManagementApplicationConfiguration(
        # Restrictions on client secrets and symmetric keys
        password_credentials = [
            PasswordCredentialConfiguration(
                restriction_type = AppCredentialRestrictionType.PasswordAddition,
                max_lifetime = None,
                restrict_for_apps_created_after_date_time = "2021-01-01T10:37:00Z",
            ),
            PasswordCredentialConfiguration(
                restriction_type = AppCredentialRestrictionType.PasswordLifetime,
                max_lifetime = "P90D",
                restrict_for_apps_created_after_date_time = "2017-01-01T10:37:00Z",
            ),
            PasswordCredentialConfiguration(
                restriction_type = AppCredentialRestrictionType.SymmetricKeyAddition,
                max_lifetime = None,
                restrict_for_apps_created_after_date_time = "2021-01-01T10:37:00Z",
            ),
            PasswordCredentialConfiguration(
                restriction_type = AppCredentialRestrictionType.CustomPasswordAddition,
                max_lifetime = None,
                restrict_for_apps_created_after_date_time = "2015-01-01T10:37:00Z",
            ),
            PasswordCredentialConfiguration(
                restriction_type = AppCredentialRestrictionType.SymmetricKeyLifetime,
                max_lifetime = "P30D",
                restrict_for_apps_created_after_date_time = "2015-01-01T10:37:00Z",
            ),
        ],
        # Restrictions on certificate (asymmetric key) credentials
        key_credentials = [
            KeyCredentialConfiguration(
                restriction_type = AppKeyCredentialRestrictionType.AsymmetricKeyLifetime,
                max_lifetime = "P30D",
                restrict_for_apps_created_after_date_time = "2015-01-01T10:37:00Z",
            ),
            KeyCredentialConfiguration(
                restriction_type = AppKeyCredentialRestrictionType.TrustedCertificateAuthority,
                restrict_for_apps_created_after_date_time = "2019-10-19T10:37:00Z",
                certificate_based_application_configuration_ids = [
                    "eec5ba11-2fc0-4113-83a2-ed986ed13743",
                    "bb8e164b-f9ed-4b98-bc45-65eddc14f4c1",
                ],
                max_lifetime = None,
            ),
        ],
        # Restriction on adding non-default identifier URIs, with exemptions
        identifier_uris = IdentifierUriConfiguration(
            non_default_uri_addition = IdentifierUriRestriction(
                restrict_for_apps_created_after_date_time = "2024-01-01T10:37:00Z",
                exclude_apps_receiving_v2_tokens = True,
                exclude_saml = True,
                exclude_actors = AppManagementPolicyActorExemptions(
                    custom_security_attributes = [
                        CustomSecurityAttributeStringValueExemption(
                            odata_type = "microsoft.graph.customSecurityAttributeStringValueExemption",
                            id = "PolicyExemptions_AppManagementExemption",
                            operator = CustomSecurityAttributeComparisonOperator.Equals,
                            value = "ExemptFromIdentifierUriAdditionRestriction",
                        ),
                    ],
                ),
            ),
        ),
        # Redirect URI restrictions: tenant-wide lists plus per-platform
        # (web, spa, public_client) lists
        redirect_uris = RedirectUriConfiguration(
            uri_with_blocked_scheme = RedirectUriBlockedSchemeConfiguration(
                state = AppManagementRestrictionState.Enabled,
                blocked_schemes = [
                    "http",
                    "ftp",
                ],
                exempt_formats = [
                    "http://example.com/login",
                ],
                web = RedirectUriPlatformBlockedSchemeConfiguration(
                    blocked_schemes = [
                        "custom-ftps",
                    ],
                ),
                spa = RedirectUriPlatformBlockedSchemeConfiguration(
                    blocked_schemes = [
                        "myapp",
                    ],
                    exempt_formats = [
                        "https://spa.example.com/auth",
                    ],
                ),
                public_client = RedirectUriPlatformBlockedSchemeConfiguration(
                    blocked_schemes = [
                        "msauth",
                    ],
                    exempt_formats = [
                        "https://public.example.com/auth",
                    ],
                ),
            ),
            uri_without_allowed_scheme = RedirectUriAllowedSchemeConfiguration(
                state = AppManagementRestrictionState.Enabled,
                allowed_schemes = [
                    "https",
                ],
                web = RedirectUriPlatformAllowedSchemeConfiguration(
                    allowed_schemes = [
                        "https",
                    ],
                ),
                spa = RedirectUriPlatformAllowedSchemeConfiguration(
                    allowed_schemes = [
                        "https",
                        "msal",
                    ],
                ),
                public_client = RedirectUriPlatformAllowedSchemeConfiguration(
                    allowed_schemes = [
                        "myapp",
                    ],
                ),
            ),
            uri_with_blocked_domain = RedirectUriBlockedDomainConfiguration(
                state = AppManagementRestrictionState.Enabled,
                blocked_domains = [
                    "contoso-short.com",
                    "tempuri.org",
                ],
                web = RedirectUriPlatformBlockedDomainConfiguration(
                    blocked_domains = [
                        "short.contoso.com",
                    ],
                ),
                spa = RedirectUriPlatformBlockedDomainConfiguration(
                    blocked_domains = [
                        "contoso.dev",
                    ],
                ),
                public_client = RedirectUriPlatformBlockedDomainConfiguration(
                    blocked_domains = [
                        "mspreview.contoso.com",
                    ],
                ),
            ),
            uri_without_allowed_domain = RedirectUriAllowedDomainConfiguration(
                state = AppManagementRestrictionState.Enabled,
                allowed_domains = [
                    "contoso.com",
                    "login.microsoftonline.com",
                ],
                web = RedirectUriPlatformAllowedDomainConfiguration(
                    allowed_domains = [
                        "app.contoso.com",
                    ],
                ),
                spa = RedirectUriPlatformAllowedDomainConfiguration(
                    allowed_domains = [
                        "spa.contoso.com",
                    ],
                ),
                public_client = RedirectUriPlatformAllowedDomainConfiguration(
                    allowed_domains = [
                        "app://contoso",
                    ],
                ),
            ),
            uri_with_wildcard = RedirectUriWildcardConfiguration(
                state = AppManagementRestrictionState.Enabled,
                exclude_formats = RedirectUriWildcardExcludeFormats(
                    exclude_wildcards_in_path = True,
                    exclude_wildcards_in_path_with_domains = [
                        "contoso.com",
                        "fabrikam.com",
                    ],
                ),
            ),
        ),
    ),
)

# Apply the policy; a successful PATCH returns no body (204 No Content)
result = await graph_client.policies.default_app_management_policy.patch(request_body)
Important
Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.
For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response
The following example shows the response.
HTTP/1.1 204 No Content
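The following pre-flight check is an added example, not part of this page or the Graph SDK. It evaluates a candidate redirect URI against the redirect-URI restrictions configured in the request above, using a simplified, assumed model in which the tenant-wide and per-platform lists are unioned and a domain entry matches the host itself or any subdomain; the service's real evaluation rules are defined by the resource types and are not reproduced here.

```python
from urllib.parse import urlsplit

# Constructed policy fragment: the redirectUris block of the sample request above,
# in Graph JSON property names, trimmed to the lists this check reads.
REDIRECT_POLICY = {
    "uriWithBlockedScheme": {"blockedSchemes": ["http", "ftp"],
                             "exemptFormats": ["http://example.com/login"],
                             "spa": {"blockedSchemes": ["myapp"]}},
    "uriWithoutAllowedScheme": {"allowedSchemes": ["https"],
                                "spa": {"allowedSchemes": ["https", "msal"]}},
    "uriWithBlockedDomain": {"blockedDomains": ["contoso-short.com", "tempuri.org"],
                             "web": {"blockedDomains": ["short.contoso.com"]}},
    "uriWithoutAllowedDomain": {"allowedDomains": ["contoso.com", "login.microsoftonline.com"],
                                "web": {"allowedDomains": ["app.contoso.com"]}},
    "uriWithWildcard": {"excludeFormats": {"excludeWildcardsInPath": True,
                                           "excludeWildcardsInPathWithDomains": ["contoso.com"]}},
}

def _scoped(section, key, platform):
    # Tenant-wide list merged with the platform-specific list (assumed union semantics).
    return set(section.get(key, [])) | set(section.get(platform, {}).get(key, []))

def _under(host, domain):
    # host is the domain itself or one of its subdomains (assumed matching rule).
    return host == domain or host.endswith("." + domain)

def redirect_uri_violations(uri, platform, policy=REDIRECT_POLICY):
    # Restrictions `uri` would trip for platform "web"/"spa"/"publicClient"; [] = none fired.
    parts = urlsplit(uri)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    hits = []
    sec = policy["uriWithBlockedScheme"]
    if scheme in _scoped(sec, "blockedSchemes", platform) and uri not in _scoped(sec, "exemptFormats", platform):
        hits.append("uriWithBlockedScheme")
    if scheme not in _scoped(policy["uriWithoutAllowedScheme"], "allowedSchemes", platform):
        hits.append("uriWithoutAllowedScheme")
    if any(_under(host, d) for d in _scoped(policy["uriWithBlockedDomain"], "blockedDomains", platform)):
        hits.append("uriWithBlockedDomain")
    if not any(_under(host, d) for d in _scoped(policy["uriWithoutAllowedDomain"], "allowedDomains", platform)):
        hits.append("uriWithoutAllowedDomain")
    # A '*' in the host is always rejected; one in the path is tolerated only for listed domains.
    wild = policy["uriWithWildcard"]["excludeFormats"]
    path_ok = wild["excludeWildcardsInPath"] and any(_under(host, d) for d in wild["excludeWildcardsInPathWithDomains"])
    if "*" in host or ("*" in parts.path and not path_ok):
        hits.append("uriWithWildcard")
    return hits
```

Note that an entry in exemptFormats only lifts the blocked-scheme rule in this model: "http://example.com/login" still fails the allowed-scheme and allowed-domain rules, so an exemption in one list does not make a URI acceptable overall.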
Last updated on 2025-09-10