Does Policy.ReadWrite.AuthenticationFlows require admin consent?

Yes, Application permissions always require admin consent. An administrator must grant consent in the Azure portal.

How do I add Policy.ReadWrite.AuthenticationFlows to my app registration?

Go to Azure Portal > App registrations > Your app > API permissions > Add permission > Microsoft Graph, then search for Policy.ReadWrite.AuthenticationFlows and select it.

Policy.ReadWrite.AuthenticationFlows Permission - Microsoft Graph API

Permission Details

Application Permission

Read and write authentication flow policies

Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user.

Permission ID: 25f85f3c-f66c-4205-8cd5-de92dd7f0cec

Delegated Permission

Read and write authentication flow policies

Allows the app to read and write the authentication flow policies, on behalf of the signed-in user.

Permission ID: edb72de9-4252-4d03-a925-451deef99db7

Properties

Property	Type	Description
`id`	`string`	The unique identifier for an entity. Read-only.
`status`	`microsoft.graph.policyFileStatus`
`fileType`	`microsoft.graph.policyFileType`
`content`	`base64url`Nullable
`version`	`string`

Relationships

Relationship	Type	Description
`activityBasedTimeoutPolicies`	`activityBasedTimeoutPolicy collection`	The policy that controls the idle time out for web sessions for applications.
`adminConsentRequestPolicy`	`adminConsentRequestPolicy`	The policy by which consent requests are created and managed for the entire tenant.
`appManagementPolicies`	`appManagementPolicy collection`	The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy.
`authenticationFlowsPolicy`	`authenticationFlowsPolicy`	The policy configuration of the self-service sign-up experience of external users.
`authenticationMethodsPolicy`	`authenticationMethodsPolicy`	The authentication methods and the users that are allowed to use them to sign in and perform multi-factor authentication (MFA) in Azure Active Directory (Azure AD).
`authenticationStrengthPolicies`	`authenticationStrengthPolicy collection`	The authentication method combinations that are to be used in scenarios defined by Azure AD Conditional Access.
`authorizationPolicy`	`authorizationPolicy collection`	The policy that controls Azure AD authorization settings.
`claimsMappingPolicies`	`claimsMappingPolicy collection`	The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application.
`conditionalAccessPolicies`	`conditionalAccessPolicy collection`	The custom rules that define an access scenario.
`crossTenantAccessPolicy`	`crossTenantAccessPolicy`	The custom rules that define an access scenario when interacting with external Azure AD tenants.
`defaultAppManagementPolicy`	`tenantAppManagementPolicy`	The tenant-wide policy that enforces app management restrictions for all applications and service principals.
`featureRolloutPolicies`	`featureRolloutPolicy collection`	The feature rollout policy associated with a directory object.
`homeRealmDiscoveryPolicies`	`homeRealmDiscoveryPolicy collection`	The policy to control Azure AD authentication behavior for federated users.
`identitySecurityDefaultsEnforcementPolicy`	`identitySecurityDefaultsEnforcementPolicy`	The policy that represents the security defaults that protect against common attacks.
`permissionGrantPolicies`	`permissionGrantPolicy collection`	The policy that specifies the conditions under which consent can be granted.
`roleManagementPolicies`	`unifiedRoleManagementPolicy collection`	Specifies the various policies associated with scopes and roles.
`roleManagementPolicyAssignments`	`unifiedRoleManagementPolicyAssignment collection`	The assignment of a role management policy to a role definition object.
`tokenIssuancePolicies`	`tokenIssuancePolicy collection`	The policy that specifies the characteristics of SAML tokens issued by Azure AD.
`tokenLifetimePolicies`	`tokenLifetimePolicy collection`	The policy that controls the lifetime of a JWT access token, an ID token, or a SAML 1.1/2.0 token issued by Azure AD.

Graph Methods

Delegated access App-only access

Methods
GET `/policies/authenticationFlowsPolicy`
PATCH `/policies/authenticationFlowsPolicy`

Methods
GET `/policies/authenticationFlowsPolicy`
PATCH `/policies/authenticationFlowsPolicy`

Commands
`Get-MgPolicyAuthenticationFlowPolicy`
`Update-MgPolicyAuthenticationFlowPolicy`

Commands
`Get-MgBetaPolicyAuthenticationFlowPolicy`
`Update-MgBetaPolicyAuthenticationFlowPolicy`

Code Examples

C# / .NET SDK

// Install: dotnet add package Microsoft.Graph
// Install: dotnet add package Azure.Identity
using Microsoft.Graph;
using Azure.Identity;

// Delegated permissions - interactive user sign-in
var scopes = new[] { "Policy.ReadWrite.AuthenticationFlows" };
var options = new InteractiveBrowserCredentialOptions
{
    ClientId = "YOUR_CLIENT_ID",
    TenantId = "YOUR_TENANT_ID",
    RedirectUri = new Uri("http://localhost")
};
var credential = new InteractiveBrowserCredential(options);
var graphClient = new GraphServiceClient(credential, scopes);

// Example: GET /me
var result = await graphClient.Me.GetAsync();
Console.WriteLine($"User: {result?.DisplayName}");

// Application permissions - daemon/service app
var tenantId = "YOUR_TENANT_ID";
var clientId = "YOUR_CLIENT_ID";
var clientSecret = "YOUR_CLIENT_SECRET";

var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var graphClient = new GraphServiceClient(credential);

// Example: GET /users/{user-id}
var users = await graphClient.Users.GetAsync();
foreach (var user in users?.Value ?? [])
{
    Console.WriteLine($"User: {user.DisplayName}");
}

JavaScript / TypeScript

// npm install @azure/msal-browser @microsoft/microsoft-graph-client
import { PublicClientApplication } from "@azure/msal-browser";
import { Client } from "@microsoft/microsoft-graph-client";
import { AuthCodeMSALBrowserAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/authCodeMsalBrowser";

const msalConfig = {
    auth: {
        clientId: "YOUR_CLIENT_ID",
        authority: "https://login.microsoftonline.com/YOUR_TENANT_ID"
    }
};

const pca = new PublicClientApplication(msalConfig);
await pca.initialize();

// Delegated: Login with required scope
const loginResponse = await pca.loginPopup({
    scopes: ["Policy.ReadWrite.AuthenticationFlows"]
});

const authProvider = new AuthCodeMSALBrowserAuthenticationProvider(pca, {
    account: loginResponse.account,
    scopes: ["Policy.ReadWrite.AuthenticationFlows"],
    interactionType: "popup"
});

const graphClient = Client.initWithMiddleware({ authProvider });

// Example: GET /me
const result = await graphClient.api("/me").get();
console.log(result);

// Application: Use client credentials (Node.js backend only)
// npm install @azure/identity @microsoft/microsoft-graph-client
import { ClientSecretCredential } from "@azure/identity";
import { TokenCredentialAuthenticationProvider } from 
    "@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials";

const credential = new ClientSecretCredential(
    "YOUR_TENANT_ID",
    "YOUR_CLIENT_ID", 
    "YOUR_CLIENT_SECRET"
);

const authProvider = new TokenCredentialAuthenticationProvider(credential, {
    scopes: ["https://graph.microsoft.com/.default"]
});

const graphClient = Client.initWithMiddleware({ authProvider });
const result = await graphClient.api("/users").get();
console.log(result);

PowerShell

# Install Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Scope CurrentUser

# Delegated access - interactive sign-in
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationFlows"

# Verify connection
Get-MgContext | Select-Object Account, TenantId, Scopes

# Example: GET /me
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me"
$result | ConvertTo-Json -Depth 5

# Application access with certificate
$params = @{
    ClientId = "YOUR_CLIENT_ID"
    TenantId = "YOUR_TENANT_ID"
    CertificateThumbprint = "YOUR_CERT_THUMBPRINT"
}
Connect-MgGraph @params

# Or with client secret (not recommended for production)
# Connect-MgGraph -ClientSecretCredential $credential

# Example: GET /users
$result = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users"
$result | ConvertTo-Json -Depth 5

# Always disconnect when done
Disconnect-MgGraph

Python

# pip install msgraph-sdk azure-identity
from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from msgraph import GraphServiceClient
import asyncio

# Delegated permissions - interactive browser sign-in
credential = InteractiveBrowserCredential(
    client_id="YOUR_CLIENT_ID",
    tenant_id="YOUR_TENANT_ID"
)
scopes = ["Policy.ReadWrite.AuthenticationFlows"]
client = GraphServiceClient(credential, scopes)

async def get_data():
    # Example: GET /me
    result = await client.me.get()
    print(f"User: {result.display_name}")
    return result

asyncio.run(get_data())

# Application permissions - client credentials
credential = ClientSecretCredential(
    tenant_id="YOUR_TENANT_ID",
    client_id="YOUR_CLIENT_ID",
    client_secret="YOUR_CLIENT_SECRET"
)
scopes = ["https://graph.microsoft.com/.default"]
client = GraphServiceClient(credential, scopes)

async def get_users():
    # Example: GET /users
    result = await client.users.get()
    for user in result.value:
        print(f"User: {user.display_name}")
    return result

asyncio.run(get_users())

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or Delegated permissions and search for Policy.ReadWrite.AuthenticationFlows

4

Grant Admin Consent

Application permissions always require admin consent. Click "Grant admin consent" in the Azure portal.