ESC
Type to search...
Navigate Open ESC Close

Policy.ReadWrite.PermissionGrant

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read/Write User Scope

Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Manage consent and permission grant policies

Allows the app to manage policies related to consent and permission grants for applications, without a signed-in user.

Permission ID: a402ca1c-2696-4531-972d-6e5ee4aa11ea
Delegated Permission Admin consent required

Manage consent and permission grant policies

Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.

User sees: Allows the app to manage policies related to consent and permission grants for applications, on behalf of the signed-in user.
Permission ID: 2672f8bb-fd5e-42e0-85e1-ec764dd2614e

Properties

Microsoft Graph v1.0 mapped-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
id String Unique identifier of the policy. Inherited from entity.
activityBasedTimeoutPolicies activityBasedTimeoutPolicy collection The policy that controls the idle time out for web sessions for applications.
adminConsentRequestPolicy object The policy by which consent requests are created and managed for the entire tenant.
appManagementPolicies appManagementPolicy collection The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy.
authenticationFlowsPolicy object The policy configuration of the self-service sign-up experience of external users.
authenticationMethodsPolicy object The authentication methods and the users that are allowed to use them to sign in and perform multifactor authentication (MFA) in Microsoft Entra ID.
authenticationStrengthPolicies authenticationStrengthPolicy collection The authentication method combinations that are to be used in scenarios defined by Microsoft Entra Conditional Access.
authorizationPolicy object The policy that controls Microsoft Entra authorization settings.
claimsMappingPolicies claimsMappingPolicy collection The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application.
conditionalAccessPolicies conditionalAccessPolicy collection The custom rules that define an access scenario.
crossTenantAccessPolicy object The custom rules that define an access scenario when interacting with external Microsoft Entra tenants.
defaultAppManagementPolicy object The tenant-wide policy that enforces app management restrictions for all applications and service principals.
deviceRegistrationPolicy object
featureRolloutPolicies featureRolloutPolicy collection The feature rollout policy associated with a directory object.
homeRealmDiscoveryPolicies homeRealmDiscoveryPolicy collection The policy to control Microsoft Entra authentication behavior for federated users.

Showing 15 of 21 properties.

JSON Representation

Microsoft Graph v1.0 mapped-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "@odata.type": "#microsoft.graph.policyRoot",
  "id": "String (identifier)"
}

Relationships

Microsoft Graph v1.0 mapped-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
activityBasedTimeoutPolicies activityBasedTimeoutPolicy collection The policy that controls the idle time out for web sessions for applications.
adminConsentRequestPolicy adminConsentRequestPolicy The policy by which consent requests are created and managed for the entire tenant.
appManagementPolicies appManagementPolicy collection The policies that enforce app management restrictions for specific applications and service principals, overriding the defaultAppManagementPolicy.
authenticationFlowsPolicy authenticationFlowsPolicy The policy configuration of the self-service sign-up experience of external users.
authenticationMethodsPolicy authenticationMethodsPolicy The authentication methods and the users that are allowed to use them to sign in and perform multifactor authentication (MFA) in Microsoft Entra ID.
authenticationStrengthPolicies authenticationStrengthPolicy collection The authentication method combinations that are to be used in scenarios defined by Microsoft Entra Conditional Access.
authorizationPolicy authorizationPolicy collection The policy that controls Microsoft Entra authorization settings.
claimsMappingPolicies claimsMappingPolicy collection The claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application.
conditionalAccessPolicies conditionalAccessPolicy The custom rules that define an access scenario.
crossTenantAccessPolicy crossTenantAccessPolicy The custom rules that define an access scenario when interacting with external Microsoft Entra tenants.
defaultAppManagementPolicy tenantAppManagementPolicy The tenant-wide policy that enforces app management restrictions for all applications and service principals.
featureRolloutPolicies featureRolloutPolicy collection The feature rollout policy associated with a directory object.
homeRealmDiscoveryPolicies homeRealmDiscoveryPolicy collection The policy to control Microsoft Entra authentication behavior for federated users.
identitySecurityDefaultsEnforcementPolicy identitySecurityDefaultsEnforcementPolicy The policy that represents the security defaults that protect against common attacks.
permissionGrantPolicies permissionGrantPolicy collection The policy that specifies the conditions under which consent can be granted.
roleManagementPolicies unifiedRoleManagementPolicy collection Specifies the various policies associated with scopes and roles.
roleManagementPolicyAssignments unifiedRoleManagementPolicyAssignment collection The assignment of a role management policy to a role definition object.
tokenIssuancePolicies tokenIssuancePolicy collection The policy that specifies the characteristics of SAML tokens issued by Microsoft Entra ID.
tokenLifetimePolicies tokenLifetimePolicy collection The policy that controls the lifetime of a JWT access token, an ID token, or a SAML 1.1/2.0 token issued by Microsoft Entra ID.
b2bManagementPolicies b2bManagementPolicy collection The policy to manage Microsoft Entra B2B features in Microsoft Entra External ID for workforce tenants.
mobileAppManagementPolicies mobileAppManagementPolicy collection The policy that defines autoenrollment configuration for a mobility management (MDM or MAM) application.
mobileDeviceManagementPolicies mobileDeviceManagementPolicy collection Related mobileDeviceManagementPolicies data exposed by this resource.
onPremAuthenticationPolicies onPremAuthenticationPolicy collection The policy that controls how authentication requests from on-premises environments are managed.
permissionGrantPreApprovalPolicies permissionGrantPreApprovalPolicy collection Policies that specify the conditions under which consent can be granted to a specific application.
servicePrincipalCreationPolicies servicePrincipalCreationPolicy collection Related servicePrincipalCreationPolicies data exposed by this resource.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /policies/permissionGrantPolicies
GET /policies/permissionGrantPolicies/{id}
POST /policies/permissionGrantPolicies
POST /policies/permissionGrantPolicies/{id}/excludes
POST /policies/permissionGrantPolicies/{id}/includes
POST /servicePrincipals(appId='{appId}')/delegatedPermissionClassifications
POST /servicePrincipals/{id}/delegatedPermissionClassifications
PATCH /policies/permissionGrantPolicies/{id}
DELETE /policies/permissionGrantPolicies/{id}
DELETE /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/excludes/{exclude-id}
DELETE /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/includes/{include-id}
DELETE /servicePrincipals/{id}/delegatedPermissionClassifications/{id}
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /policies/permissionGrantPolicies
GET /policies/permissionGrantPolicies/{id}
GET /policies/permissionGrantPreApprovalPolicies
GET /policies/permissionGrantPreApprovalPolicies/{id}
GET /servicePrincipals/{id}/permissionGrantPreApprovalPolicies
POST /policies/permissionGrantPolicies
POST /policies/permissionGrantPolicies/{id}/excludes
POST /policies/permissionGrantPolicies/{id}/includes
POST /policies/permissionGrantPreApprovalPolicies
POST /servicePrincipals(appId='{appId}')/delegatedPermissionClassifications
POST /servicePrincipals/{id}/delegatedPermissionClassifications
POST /servicePrincipals/{id}/permissionGrantPreApprovalPolicies/$ref
PATCH /policies/permissionGrantPolicies/{id}
PATCH /policies/permissionGrantPreApprovalPolicies/{id}
DELETE /policies/permissionGrantPolicies/{id}
DELETE /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/excludes/{exclude-id}
DELETE /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/includes/{include-id}
DELETE /policies/permissionGrantPreApprovalPolicies/{id}
DELETE /servicePrincipals(appId='{appId}')/delegatedPermissionClassifications/{id}
DELETE /servicePrincipals/{{ servicePrincipal id }}/permissionGrantPreApprovalPolicies/{{ policy id }}/$ref
DELETE /servicePrincipals/{id}/delegatedPermissionClassifications/{id}
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgPolicyPermissionGrantPolicy /policies/permissionGrantPolicies
List permissionGrantPolicies
Get-MgPolicyPermissionGrantPolicy /policies/permissionGrantPolicies/{id}
Get permissionGrantPolicy
New-MgPolicyPermissionGrantPolicy /policies/permissionGrantPolicies
Create permissionGrantPolicy
New-MgPolicyPermissionGrantPolicyExclude /policies/permissionGrantPolicies/{id}/excludes
Create permissionGrantConditionSet in excludes collection of permissionGrantPolicy
New-MgPolicyPermissionGrantPolicyInclude /policies/permissionGrantPolicies/{id}/includes
Create permissionGrantConditionSet in includes collection of permissionGrantPolicy
New-MgServicePrincipalDelegatedPermissionClassification /servicePrincipals/{id}/delegatedPermissionClassifications
Create delegatedPermissionClassification
Remove-MgPolicyPermissionGrantPolicy /policies/permissionGrantPolicies/{id}
Delete permissionGrantPolicy
Remove-MgPolicyPermissionGrantPolicyExclude /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/excludes/{exclude-id}
Delete permissionGrantConditionSet from excludes collection of permissionGrantPolicy
Remove-MgPolicyPermissionGrantPolicyInclude /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/includes/{include-id}
Delete permissionGrantConditionSet from includes collection of permissionGrantPolicy
Remove-MgServicePrincipalDelegatedPermissionClassification /servicePrincipals/{id}/delegatedPermissionClassifications/{id}
Delete delegatedPermissionClassification
Update-MgPolicyPermissionGrantPolicy /policies/permissionGrantPolicies/{id}
Update permissionGrantPolicy
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaPolicyPermissionGrantPolicy /policies/permissionGrantPolicies
List permissionGrantPolicies
Get-MgBetaPolicyPermissionGrantPolicy /policies/permissionGrantPolicies/{id}
Get permissionGrantPolicy
Get-MgBetaPolicyPermissionGrantPreApprovalPolicy /policies/permissionGrantPreApprovalPolicies
List permissionGrantPreApprovalPolicies
Get-MgBetaPolicyPermissionGrantPreApprovalPolicy /policies/permissionGrantPreApprovalPolicies/{id}
Get permissionGrantPreApprovalPolicy
Get-MgBetaServicePrincipalPermissionGrantPreApprovalPolicy /servicePrincipals/{id}/permissionGrantPreApprovalPolicies
List permissionGrantPreApprovalPolicies for a servicePrincipal
New-MgBetaPolicyPermissionGrantPolicy /policies/permissionGrantPolicies
Create permissionGrantPolicy
New-MgBetaPolicyPermissionGrantPolicyExclude /policies/permissionGrantPolicies/{id}/excludes
Create permissionGrantConditionSet in excludes collection of permissionGrantPolicy
New-MgBetaPolicyPermissionGrantPolicyInclude /policies/permissionGrantPolicies/{id}/includes
Create permissionGrantConditionSet in includes collection of permissionGrantPolicy
New-MgBetaPolicyPermissionGrantPreApprovalPolicy /policies/permissionGrantPreApprovalPolicies
Create permissionGrantPreApprovalPolicy
New-MgBetaServicePrincipalDelegatedPermissionClassification /servicePrincipals/{id}/delegatedPermissionClassifications
Create delegatedPermissionClassification
Remove-MgBetaPolicyPermissionGrantPolicy /policies/permissionGrantPolicies/{id}
Delete permissionGrantPolicy
Remove-MgBetaPolicyPermissionGrantPolicyExclude /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/excludes/{exclude-id}
Delete permissionGrantConditionSet from excludes collection of permissionGrantPolicy
Remove-MgBetaPolicyPermissionGrantPolicyInclude /policies/permissionGrantPolicies/{permissiongrantpolicy-id}/includes/{include-id}
Delete permissionGrantConditionSet from includes collection of permissionGrantPolicy
Remove-MgBetaPolicyPermissionGrantPreApprovalPolicy /policies/permissionGrantPreApprovalPolicies/{id}
Delete permissionGrantPreApprovalPolicy
Remove-MgBetaServicePrincipalDelegatedPermissionClassification /servicePrincipals/{id}/delegatedPermissionClassifications/{id}
Delete delegatedPermissionClassification
Update-MgBetaPolicyPermissionGrantPolicy /policies/permissionGrantPolicies/{id}
Update permissionGrantPolicy
Update-MgBetaPolicyPermissionGrantPreApprovalPolicy /policies/permissionGrantPreApprovalPolicies/{id}
Update permissionGrantPreApprovalPolicy

Code Examples

C# / .NET SDK
Create delegatedPermissionClassification
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new DelegatedPermissionClassification
{
	PermissionId = "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
	PermissionName = "User.Read",
	Classification = PermissionClassificationType.Low,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].DelegatedPermissionClassifications.PostAsync(requestBody);
JavaScript
Create delegatedPermissionClassification
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

const delegatedPermissionClassification = {
  permissionId: 'e1fe6dd8-ba31-4d61-89e7-88639da4683d',
  permissionName: 'User.Read',
  classification: 'low'
};

await client.api('/servicePrincipals/{id}/delegatedPermissionClassifications')
	.post(delegatedPermissionClassification);
PowerShell
Create delegatedPermissionClassification
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Applications

$params = @{
	permissionId = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
	permissionName = "User.Read"
	classification = "low"
}

New-MgServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Python
Create delegatedPermissionClassification
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.delegated_permission_classification import DelegatedPermissionClassification
from msgraph.generated.models.permission_classification_type import PermissionClassificationType
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DelegatedPermissionClassification(
	permission_id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
	permission_name = "User.Read",
	classification = PermissionClassificationType.Low,
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').delegated_permission_classifications.post(request_body)

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for Policy.ReadWrite.PermissionGrant

4

Grant Admin Consent

Application permissions always require admin consent.