Policy.ReadWrite.Authorization

Application, Delegated, Read/Write, User Scope

Allows the app to read and write your organization's authorization policy without a signed in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.

Permission data: April 6, 2026 at 4:06 AM UTC

Permission Details

Application Permission

Read and write your organization's authorization policy

Allows the app to read and write your organization's authorization policy without a signed in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.

Delegated Permission (admin consent required)

Read and write your organization's authorization policy

Allows the app to read and write your organization's authorization policy on behalf of the signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.

Properties

Microsoft Graph v1.0 mapped-docs

Properties are shown from stable Microsoft Graph v1.0 metadata.

| Property | Type | Description |
| --- | --- | --- |
| id | String | Unique identifier of the policy. Inherited from entity. |
| activityBasedTimeoutPolicies | activityBasedTimeoutPolicy collection | The policy that controls the idle time out for web sessions for applications. |
| adminConsentRequestPolicy | object | The policy by which consent requests are created and managed for the entire tenant. |
| appManagementPolicies | appManagementPolicy collection | The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy. |
| authenticationFlowsPolicy | object | The policy configuration of the self-service sign-up experience of external users. |
| authenticationMethodsPolicy | object | The authentication methods and the users that are allowed to use them to sign in and perform multifactor authentication (MFA) in Microsoft Entra ID. |
| authenticationStrengthPolicies | authenticationStrengthPolicy collection | The authentication method combinations that are to be used in scenarios defined by Microsoft Entra Conditional Access. |
| authorizationPolicy | object | The policy that controls Microsoft Entra authorization settings. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. |
| conditionalAccessPolicies | conditionalAccessPolicy collection | The custom rules that define an access scenario. |
| crossTenantAccessPolicy | object | The custom rules that define an access scenario when interacting with external Microsoft Entra tenants. |
| defaultAppManagementPolicy | object | The tenant-wide policy that enforces app management restrictions for all applications and service principals. |
| deviceRegistrationPolicy | object | |
| featureRolloutPolicies | featureRolloutPolicy collection | The feature rollout policy associated with a directory object. |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The policy to control Microsoft Entra authentication behavior for federated users. |

Showing 15 of 21 properties.

JSON Representation

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

```json
{
  "@odata.type": "#microsoft.graph.policyRoot",
  "id": "String (identifier)"
}
```

Relationships

Relationships are shown from stable Microsoft Graph v1.0 metadata.

| Relationship | Type | Description |
| --- | --- | --- |
| activityBasedTimeoutPolicies | activityBasedTimeoutPolicy collection | The policy that controls the idle time out for web sessions for applications. |
| adminConsentRequestPolicy | adminConsentRequestPolicy | The policy by which consent requests are created and managed for the entire tenant. |
| appManagementPolicies | appManagementPolicy collection | The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy. |
| authenticationFlowsPolicy | authenticationFlowsPolicy | The policy configuration of the self-service sign-up experience of external users. |
| authenticationMethodsPolicy | authenticationMethodsPolicy | The authentication methods and the users that are allowed to use them to sign in and perform multifactor authentication (MFA) in Microsoft Entra ID. |
| authenticationStrengthPolicies | authenticationStrengthPolicy collection | The authentication method combinations that are to be used in scenarios defined by Microsoft Entra Conditional Access. |
| authorizationPolicy | authorizationPolicy collection | The policy that controls Microsoft Entra authorization settings. |
| claimsMappingPolicies | claimsMappingPolicy collection | The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. |
| conditionalAccessPolicies | conditionalAccessPolicy | The custom rules that define an access scenario. |
| crossTenantAccessPolicy | crossTenantAccessPolicy | The custom rules that define an access scenario when interacting with external Microsoft Entra tenants. |
| defaultAppManagementPolicy | tenantAppManagementPolicy | The tenant-wide policy that enforces app management restrictions for all applications and service principals. |
| featureRolloutPolicies | featureRolloutPolicy collection | The feature rollout policy associated with a directory object. |
| homeRealmDiscoveryPolicies | homeRealmDiscoveryPolicy collection | The policy to control Microsoft Entra authentication behavior for federated users. |
| identitySecurityDefaultsEnforcementPolicy | identitySecurityDefaultsEnforcementPolicy | The policy that represents the security defaults that protect against common attacks. |
| permissionGrantPolicies | permissionGrantPolicy collection | The policy that specifies the conditions under which consent can be granted. |
| roleManagementPolicies | unifiedRoleManagementPolicy collection | Specifies the various policies associated with scopes and roles. |
| roleManagementPolicyAssignments | unifiedRoleManagementPolicyAssignment collection | The assignment of a role management policy to a role definition object. |
| tokenIssuancePolicies | tokenIssuancePolicy collection | The policy that specifies the characteristics of SAML tokens issued by Microsoft Entra ID. |
| tokenLifetimePolicies | tokenLifetimePolicy collection | The policy that controls the lifetime of a JWT access token, an ID token, or a SAML 1.1/2.0 token issued by Microsoft Entra ID. |
| b2bManagementPolicies | b2bManagementPolicy collection | The policy to manage Microsoft Entra B2B features in Microsoft Entra External ID for workforce tenants. |
| mobileAppManagementPolicies | mobileAppManagementPolicy collection | The policy that defines autoenrollment configuration for a mobility management (MDM or MAM) application. |
| mobileDeviceManagementPolicies | mobileDeviceManagementPolicy collection | Related mobileDeviceManagementPolicies data exposed by this resource. |
| onPremAuthenticationPolicies | onPremAuthenticationPolicy collection | The policy that controls how authentication requests from on-premises environments are managed. |
| permissionGrantPreApprovalPolicies | permissionGrantPreApprovalPolicy collection | Policies that specify the conditions under which consent can be granted to a specific application. |
| servicePrincipalCreationPolicies | servicePrincipalCreationPolicy collection | Related servicePrincipalCreationPolicies data exposed by this resource. |

Graph Methods

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /policies/authorizationPolicy
PATCH /groups/{groupId}/settings/{groupSettingId}
PATCH /groupSettings/{groupSettingId}
PATCH /policies/authorizationPolicy
DELETE /groups/{groupId}/settings/{groupSettingId}
DELETE /groupSettings/{groupSettingId}

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /policies/authorizationPolicy
PATCH /groups/{groupId}/settings/{directorySettingId}
PATCH /policies/authorizationPolicy/authorizationPolicy
PATCH /settings/{directorySettingId}
DELETE /groups/{groupId}/settings/{directorySettingId}
DELETE /settings/{directorySettingId}

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
| Command | Endpoint | Operation |
| --- | --- | --- |
| Get-MgPolicyAuthorizationPolicy | /policies/authorizationPolicy | Get authorizationPolicy |
| Update-MgGroupSetting | /groupSettings/{groupSettingId} | Update groupSetting |
| Update-MgPolicyAuthorizationPolicy | /policies/authorizationPolicy | Update authorizationPolicy |

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
| Command | Endpoint | Operation |
| --- | --- | --- |
| Get-MgBetaPolicyAuthorizationPolicy | /policies/authorizationPolicy | Get authorizationPolicy |
| Remove-MgBetaDirectorySetting | /settings/{directorySettingId} | Delete directorySetting |
| Update-MgBetaDirectorySetting | /settings/{directorySettingId} | Update directorySetting |
| Update-MgBetaPolicyAuthorizationPolicy | /policies/authorizationPolicy/authorizationPolicy | Update authorizationPolicy |

Code Examples

C# / .NET SDK
Update authorizationPolicy
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AuthorizationPolicy
{
    AllowEmailVerifiedUsersToJoinOrganization = false,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.AuthorizationPolicy.PatchAsync(requestBody);
```

JavaScript
Update authorizationPolicy
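```javascript
import { Client } from "@microsoft/microsoft-graph-client";

// authProvider must be an authentication provider already configured for your app
const options = {
    authProvider,
};

const client = Client.init(options);

// Only the properties listed here are sent in the PATCH body
const authorizationPolicy = {
    allowEmailVerifiedUsersToJoinOrganization: false
};

await client.api('/policies/authorizationPolicy')
    .update(authorizationPolicy);
```
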
PowerShell
Update authorizationPolicy
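```powershell
Import-Module Microsoft.Graph.Identity.SignIns

# Requires a session holding this permission, e.g.
# Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
$params = @{
    allowEmailVerifiedUsersToJoinOrganization = $false
}

Update-MgPolicyAuthorizationPolicy -BodyParameter $params
```
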
Python
Update authorizationPolicy
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.authorization_policy import AuthorizationPolicy

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python


async def update_authorization_policy(graph_client: GraphServiceClient):
    # Only the properties set here are sent in the PATCH body
    request_body = AuthorizationPolicy(
        allow_email_verified_users_to_join_organization=False,
    )
    return await graph_client.policies.authorization_policy.patch(request_body)
```
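
Because this permission can change what the default user role is allowed to do, it is worth reviewing the current policy before and after any app writes to it. The following is an added example, not code from this page or from Microsoft's documentation: it audits a `GET /policies/authorizationPolicy` response against a baseline and builds the minimal PATCH body that restores it. The function names, the sample response and the baseline values are assumptions; the property names other than `allowEmailVerifiedUsersToJoinOrganization` come from the Graph v1.0 authorizationPolicy resource, not from this page.

```python
# Constructed sample of a GET /policies/authorizationPolicy response (not real tenant data).
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "allowEmailVerifiedUsersToJoinOrganization": True,
    "allowInvitesFrom": "everyone",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "allowedToCreateSecurityGroups": False,
        "allowedToCreateTenants": True,
    },
}

# Assumed hardening baseline (hypothetical); tune it to your tenant's requirements.
BASELINE = {
    "allowEmailVerifiedUsersToJoinOrganization": False,
    "allowInvitesFrom": "adminsAndGuestInviters",
    "defaultUserRolePermissions.allowedToCreateApps": False,
    "defaultUserRolePermissions.allowedToCreateSecurityGroups": False,
    "defaultUserRolePermissions.allowedToCreateTenants": False,
}

def lookup(policy, dotted_path):
    """Walk a dotted path; return None if any segment is missing."""
    node = policy
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit_policy(policy, baseline=BASELINE):
    """Return (path, actual, expected) for each setting that deviates or is absent."""
    findings = []
    for path, expected in baseline.items():
        actual = lookup(policy, path)
        if actual != expected:
            findings.append((path, actual, expected))
    return findings

def remediation_body(findings):
    """Build the minimal PATCH /policies/authorizationPolicy body restoring the baseline."""
    body = {}
    for path, _actual, expected in findings:
        *parents, leaf = path.split(".")
        node = body
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = expected
    return body
```

A setting missing from the response is reported with an actual value of `None`, so a partial (`$select`ed) response is flagged rather than silently passed.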

App Registration

1. Navigate to Azure Portal
   Go to App registrations in Microsoft Entra admin center

2. Add API Permission
   Select your app → API permissions → Add a permission → Microsoft Graph

3. Select Permission Type
   Choose Application permissions or delegated permissions and search for Policy.ReadWrite.Authorization

4. Grant Admin Consent
   Application permissions always require admin consent.