| displayName | String | The display name of the policy. Required. |
55
56
| description | String | The description of the policy. Required. |
56
-
| isEnabled | Boolean | Denotes whether the policy is enabled. Optional. |
57
+
| isEnabled | Boolean | Denotes whether the policy is enabled. Optional. |
57
58
| restrictions |[appManagementConfiguration](../resources/appManagementConfiguration.md)| Restrictions that apply to an application or service principal object. Optional. |
58
59
59
60
## Response
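Review bot: the removed and re-added `isEnabled` rows in this hunk read identically, so the change looks whitespace-only and should either be dropped from the diff or called out in the commit message as a deliberate cleanup. While this table is being touched, the `restrictions` row is the only one without spaces around its type cell (`|[appManagementConfiguration](../resources/appManagementConfiguration.md)|`); align it with the other rows as `| [appManagementConfiguration](../resources/appManagementConfiguration.md) |`.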
@@ -67,9 +68,10 @@ If successful, this method returns a `201 Created` response code with the new [a
67
68
The following example shows a request. This request created an app management policy with the following settings:
68
69
69
70
- Enables the policy.
70
-
- Blocks creating of new passwords for applications and service principals created on or after 2019-10-19 at 10:37 AM UTC time.
71
-
- Enforces lifetime on password secrets and key credentials for applications created on or after 2014-10-19 at 10:37 AM UTC time.
72
-
- Limits password secrets for apps and service principals created after 2019-10-19 at 10:37 AM UTC time to less than 4 days, 12 hours, 30 minutes and 5 seconds.
71
+
- Blocks creating of new passwords for applications and service principals created on or after October 19th 2019 at 10:37 AM UTC time.
72
+
- Limits password secrets for apps and service principals created after October 19th 2014 at 10:37 AM UTC time to less than 90 days.
73
+
- Disables the nonDefaultUriAddition restriction. This means that apps with this policy applied to them can add new nondefault identifier URIs to their apps, even if the tenant default policy typically blocks it.
74
+
- Doesn't specify any other restrictions. This means that the behavior for those restrictions on apps/service principals with this policy applied falls back to however the tenant default policy is configured.
73
75
74
76
75
77
# [HTTP](#tab/http)
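Review bot: the rewritten bullets still mix two creation dates (October 19th 2019 for the password-block restriction, October 19th 2014 for the lifetime limit), and the lifetime changed from "4 days, 12 hours, 30 minutes and 5 seconds" (which matched the `P4DT12H30M5S` duration used as the ISO-8601 example elsewhere in this commit) to "less than 90 days". Both values have to agree with the `restrictions` in the request body under the HTTP tab, which this hunk does not show, so please confirm the JSON was updated in step. Two wording fixes in the same region: "Blocks creating of new passwords" should read "Blocks creation of new passwords", and the unchanged lead-in "This request created an app management policy" should be present tense ("creates") like the other examples.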
@@ -89,45 +91,35 @@ POST https://graph.microsoft.com/beta/policies/appManagementPolicies
api-reference/beta/resources/applicationauthenticationmethodpolicy.md (11 additions & 13 deletions)
@@ -20,25 +20,25 @@ These policies allow organizations to take advantage of the new app security har
20
20
There are two types of policy controls:
21
21
22
22
- Tenant default policy that applies to all applications or service principals.
23
-
- App (application or service principal) management policies that allow inclusion or exclusion of individual applications from the tenant default policy.
23
+
- App (application or service principal) management policies that allow individual applications to be included or excluded from the tenant default policy.
24
24
25
25
## Tenant default app management policy
26
26
27
27
A tenant default policy is a single object that always exists and is disabled by default. It's defined by the [tenantAppManagementPolicy](tenantappmanagementpolicy.md) resource and enforces restrictions on application vs service principal objects. It contains the following two properties:
28
28
29
29
-**applicationRestrictions** allows targeting applications owned by the tenant (application objects).
30
-
-**servicePrincipalRestrictions** allows targeting provisioned from another tenant (service principal objects.
30
+
-**servicePrincipalRestrictions** allows targeting provisioned from another tenant (service principal objects).
31
31
32
-
These properties enable an organization to lock down credential usage in apps that originate from their tenant and provide a mechanism to control credential addition in externally provisioned applications to protect them from credential abuse. The application owner of a multi-tenant app could still use any type of credentials in their application object, but the policy only protects the service principal from credential abuse.
32
+
These properties enable an organization to separately control the configuration of apps that originate from their tenant vs. their tenant's instance of an externally owned application.
33
33
34
34
## App management policy for applications and service principals
35
35
36
-
App management policies are defined in the [appManagementPolicy](appmanagementpolicy.md) resource, which contains a collection of policies with varying restrictions or different enforcement dates from what's defined in tenant default policy. One of these policies can be assigned to an application or service principal, excluding them from the tenant default policy.
36
+
App management policies are defined in the [appManagementPolicy](appmanagementpolicy.md) resource, which contains a collection of policies with varying restrictions or different enforcement dates from what's defined in tenant default policy. One of these policies can be assigned to an application or service principal to override the tenant default policy.
37
37
38
-
When both the tenant default policy and an app management policy exist, the app management policy takes precedence and the assigned application or service principal doesn't inherit from the tenant default policy. Only one policy can be assigned to an application or service principal.
38
+
When the tenant default policy and an app management policy define the same restriction, the app management policy takes precedence. If a restriction is set on an app management policy in a `disabled` state, that restriction won't apply to apps with that policy linked to them, regardless of what the tenant default policy would normally enforce. Similarly, if a restriction is set on an app management policy in an `enabled` state, that restriction will apply to apps with that policy linked to them. However, if the app management policy doesn't define any behavior for a certain restriction, it falls back to the tenant default policy's behavior. Only one app management policy can be assigned to an application or service principal.
39
39
40
40
> [!Note]
41
-
> Neither the tenant default policies nor the app management policies block token issuance for existing applications. An application that does not meet the policy requirements will continue to work until it tries to update the resource to add a new secret.
41
+
> Neither the tenant default nor the app management policies block token issuance for existing applications. An application that doesn't meet the policy requirements continues to work; only the app creation/update operation that violates the policy is blocked.
42
42
43
43
## What restrictions can be managed in Microsoft Graph?
44
44
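Review bot: the `servicePrincipalRestrictions` bullet is still missing its object after the closing-parenthesis fix; "allows targeting provisioned from another tenant (service principal objects)" should read "allows targeting applications provisioned from another tenant (service principal objects)", mirroring the `applicationRestrictions` bullet above it. The replacement paragraph that follows also drops the rationale the removed text gave (controlling credential addition on externally provisioned service principals to protect them from credential abuse, while the owner of a multi-tenant app can still use any credential type on the application object); that distinction is what a reader needs to choose between the two properties, so consider keeping one sentence of it next to the new "separately control the configuration" wording.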
@@ -53,7 +53,7 @@ The application authentication methods policy API offers the following restricti
53
53
| symmetricKeyLifetime | Enforce a max lifetime range for a symmetric key. | Restrict all new symmetric keys to a maximum of 30 days for applications created after 01/01/2019. |
54
54
| asymmetricKeyLifetime | Enforce a max lifetime range for an asymmetric key (certificate). | Restrict all new asymmetric key credentials to a maximum of 30 days for applications created after 01/01/2019. |
55
55
| trustedCertificateAuthority | Enforce the list of trusted certificate authorities. | Block all new asymmetric key credentials if the issuer is not listed in the trusted certificate authority list. |
56
-
| nonDefaultUriAddition | Block new identifier URIs for apps except the "default" URI format. | Block new identifier URIs for apps unless they are of the format `api://{appId}`. |
56
+
| nonDefaultUriAddition | Block new identifier URIs for apps except the "default" URI format. | Block new identifier URIs for apps unless they are of the format `api://{appId}` or `api://{tenantId}/{appId}`. |
57
57
58
58
> [!Note]
59
59
> All lifetime restrictions are expressed in ISO-8601 duration format (For example: P4DT12H30M5S).
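Review bot: with `api://{tenantId}/{appId}` added as a second accepted format, the middle column's "except the "default" URI format" (singular) is now inaccurate; change it to "except the default URI formats" or list both there as well. In the unchanged rows above, `01/01/2019` is ambiguous between month-first and day-first reading; since the note directly below standardizes on ISO-8601 for durations, writing the dates as `2019-01-01` would be consistent with it.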
@@ -73,17 +73,15 @@ Depending on whether your app is a single tenant or multitenant app, you apply t
| Policy always exists. | Policy objects can be created or updated to override default policy. |
76
-
| Restrictions are disabled by default for app/SP. | Allows customization for single tenant or multi tenant(backing app in home tenant or provisioned apps). |
77
76
| Allows only single restriction object definition for all resources. | Allows multiple policy objects to be defined, but only one can be applied to a resource. |
78
77
| Allows distinction of restrictions for application objects vs. service principals. | Policy can be applied to either an application or service principal object. |
79
-
| Applies all restrictions configured to all apps or service principals. | Applies only the restrictions configured in the resource policy to the specified app or service principal, and doesn't inherit from default policy. |
78
+
| Applies all restrictions configured to all apps or service principals. | Applies the restrictions configured in the resource policy to the specified app or service principal. Anything not defined inherits from the default policy. |
80
79
81
80
## Requirements
82
81
83
82
- The least privileged [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) for management of application authentication method policies are Application Administrator and Cloud Application Administrator.
84
-
- All app policy management operations require a [Microsoft Entra Workload ID Premium license](/azure/active-directory/workload-identities/workload-identities-faqs#what-is-the-cost-of-workload-identities-premium-plan).
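Review bot: the final removal drops the statement that all app policy management operations require a Microsoft Entra Workload ID Premium license, with no replacement anywhere in this diff. If the requirement no longer applies, that is a customer-visible change and should be stated in the commit message and reflected on the per-method pages; if it still applies, the bullet should stay. The other removal in this hunk, the comparison row "Restrictions are disabled by default for app/SP.", takes with it the only table cell describing multi-tenant customization (which also had a missing space in "multi tenant(backing app"); the prose above still says the tenant default policy "is disabled by default", so the document stays consistent, but confirm the row was meant to go rather than be fixed. The new right-hand cell "Anything not defined inherits from the default policy" does match the rewritten precedence paragraph in the earlier hunk.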