Updates from: 08/19/2021 03:05:44
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Appmanagementpolicy Post https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/appManagementPolicy-post.md
The following is an example of the request. This request created an app manageme
- Enables the policy. - Blocks creating of new passwords for apps and service principals after 2019-10-19 at 10:37 AM UTC time.-- Limits password secrets for apps and service principals created after 2019-10-19 at 10:37 AM UTC time to less than XX days.
+- Limits password secrets for apps and service principals created after 2019-10-19 at 10:37 AM UTC time to less than 4 days, 12 hours, 30 minutes and 5 seconds.
# [HTTP](#tab/http)
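Review bot: the `-` line carries three bullets collapsed onto one line ("Enables the policy", "Blocks creating of new passwords", "Limits password secrets"), so check that only the third bullet is replaced by the `+` line and the first two remain as separate list items; while editing, "Blocks creating of new passwords" should read "Blocks creation of new passwords". The `+` line properly removes the "less than XX days" placeholder, but the spelled-out duration (4 days, 12 hours, 30 minutes and 5 seconds) must match the lifetime value in the example request body that follows exactly, because a prose/payload mismatch in a policy sample is the kind of error admins copy straight into a tenant policy.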
v1.0 Tenantappmanagementpolicy Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/tenantAppManagementPolicy-get.md
One of the following permissions is required to call this API. To learn more, in
<!-- { "blockType": "ignored" } --> ```http
-GET /policies/tenantAppManagementPolicy
+GET /policies/defaultAppManagementPolicy
``` ## Request headers
Do not supply a request body for this method.
## Response
-If successful, this method returns a `200 OK` response code and the requested [tenantAppManagementPolicy](../resources/tenantAppManagementPolicy.md) object in the response body.
+If successful, this method returns a `200 OK` response code and the requested [defaultAppManagementPolicy](../resources/tenantAppManagementPolicy.md) object in the response body.
## Examples
The following is an example of the request.
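Review bot: on the `+` line the link text was changed to `defaultAppManagementPolicy` while the link target is still `../resources/tenantAppManagementPolicy.md`, and the resource page in this same commit keeps the `tenantAppManagementPolicy` name. `defaultAppManagementPolicy` is the singleton's URL segment (as in the updated `GET /policies/defaultAppManagementPolicy`), not the name of the returned type, so keep the type name in the link text, e.g. `the requested [tenantAppManagementPolicy](../resources/tenantAppManagementPolicy.md) object`, and confine the rename to the request paths and `@odata.context` values.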
}--> ```msgraph-interactive
-GET https://graph.microsoft.com/beta/policies/tenantAppManagementPolicy
+GET https://graph.microsoft.com/beta/policies/defaultAppManagementPolicy
``` ### Response
HTTP/1.1 200 OK
Content-type: application/json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/tenantAppManagementPolicy/$entity",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/defaultAppManagementPolicy/$entity",
"@odata.id": "https://graph.microsoft.com/v2/927c6607-8060-4f4a-a5f8-34964ac78d70/defaultAppManagementPolicy/00000000-0000-0000-0000-000000000000", "id": "00000000-0000-0000-0000-000000000000", "displayName": "Default app management tenant policy",
v1.0 Tenantappmanagementpolicy Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/api/tenantAppManagementPolicy-update.md
One of the following permissions is required to call this API. To learn more, in
<!-- { "blockType": "ignored" } --> ```http
-PATCH /policies/tenantAppManagementPolicy
+PATCH /policies/defaultAppManagementPolicy
``` ## Request headers
The following is an example of the request.
}--> ```msgraph-interactive
-PATCH https://graph.microsoft.com/beta/policies/tenantAppManagementPolicy
+PATCH https://graph.microsoft.com/beta/policies/defaultAppManagementPolicy
Content-Type: application/json {
v1.0 Applicationauthenticationmethodpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/applicationAuthenticationMethodPolicy.md
+
+ Title: "Azure AD application authentication methods API overview"
+description: "Application authentication methods allow apps to acquire tokens to access data in Azure AD."
+localization_priority: Normal
+++
+# Azure AD application authentication methods API overview (preview)
+
+Namespace: microsoft.graph
++
+Application authentication methods such as certificates and password secrets allow apps to acquire tokens to access data in Azure Active Directory (Azure AD). The policies allow IT admins to enforce best practices for how apps in their organizations use these application authentication methods. For example, an admin might configure a policy to block the use or limit the lifetime of password secrets, and use the creation date of the object to enforce the policy.
+
+These policies allow organizations to take advantage of the new app security hardening features. By enforcing restrictions that are based on the application or service principal created date, an organization can review their current app security posture, inventory apps, and enforce controls per their resourcing schedules and needs. This approach using the created date allows the organization to enforce the policy for new applications and also apply it to existing applications.
+
+There are two types of policy controls:
+
+- Tenant default policy that applies to all applications or service principals.
+- App (application or service principal) management policies that allow inclusion or exclusion of individual applications from the tenant default policy.
+
+## Tenant default app management policy
+
+A tenant default policy is a single object that always exists and is disabled by default. It's defined by the [tenantAppManagementPolicy](tenantappmanagementpolicy.md) resource and enforces restrictions on application vs service principal objects. It contains the following two properties:
+
+- **applicationRestrictions** allows targeting applications owned by the tenant (application objects).
+- **servicePrincipalRestrictions** allows targeting provisioned from another tenant (service principal objects.
+
+These properties allow the organization to either lock down apps that originate within a tenant or raise the quality bar for apps that are provisioned from outside the tenant boundary.
+
+## App management policy for applications and service principals
+
+App management policies are defined in the [appManagementPolicy](appmanagementpolicy.md) resource, which contains a collection of policies with varying restrictions or different enforcement dates from what's defined in tenant default policy. One of these policies can be assigned to an application or service principal, excluding them from the tenant default policy.
+
+When both the tenant default policy and an app management policy exist, the app management policy takes precedence and the assigned application or service principal doesn't inherit from the tenant default policy. Only one policy can be assigned to an application or service principal.
+
+> [!Note]
+> Neither the tenant default policies nor the app management policies block token issuance for existing applications. An application that does not meet the policy requirements will continue to work until it tries to update the resource to add a new secret.
+
+## What restrictions can be managed in Microsoft Graph?
+
+The application authentication methods policy API offers the following restrictions:
+
+| Restriction name | Description | Examples |
+| : | :- | :- |
+| passwordAddition | Restrict password secrets on applications altogether. | Block new passwords on applications created on or after '01/01/2019'. |
+| passwordLifetime | Enforce a max lifetime range for a password secret. | Restrict all new password secrets to a maximum of 30 days for on applications created after '01/01/2019'. |
+
+### Single vs multi-tenant apps
+
+Depending on whether your app is a single tenant or multitenant app, you apply the policy on either an application or the service principal object as follows:
+
+- For single tenant apps, apply the policy to the application object.
+- To restrict multi-tenant apps homed in a customer tenant, apply the policy to the application object.
+- To restrict multi-tenant apps provisioned from another tenant, apply the policy to the service principal object.
+
+### Summary of key differences between the tenant default policy and app management policies
+
+| Tenant default policy | App management policy |
+| | |
+| Policy always exists. | Policy objects can be created or updated to override default policy. |
+| Restrictions are disabled by default for app/SP. | Allows customization for single tenant or multi tenant(backing app in home tenant or provisioned apps). |
+| Allows only single restriction object definition for all resources.| Allows multiple policy objects to be defined, but only one can be applied to a resource. |
+|Allows distinction of restrictions for application objects vs. service principals. | Policy can be applied to either an application or service principal object. |
+| Applies all restrictions configured to all apps or service principals. | Applies only the restrictions configured in the resource policy to the specified app or service principal, and doesn't inherit from default policy. |
+
+## Next steps
+
+- [tenantAppManagementPolicy](tenantappmanagementpolicy.md) resource type.
+- [appManagementPolicy](appmanagementpolicy.md) resource type.
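Review bot: the second bullet under "Tenant default app management policy" is missing its object and its closing parenthesis: "**servicePrincipalRestrictions** allows targeting provisioned from another tenant (service principal objects." should read "**servicePrincipalRestrictions** allows targeting apps provisioned from another tenant (service principal objects)." Both tables in the new file also have invalid delimiter rows that will not render: `| : | :- | :- |` under the restrictions table should be `| :-- | :-- | :-- |`, and the empty `| | |` row under the key-differences table should be `| :-- | :-- |`. Smaller fixes in the same file: "a maximum of 30 days for on applications created after" should drop "for", and the front-matter key `Title:` should be lowercase `title:` if that capitalization is really in the file rather than an extraction artifact. The note that neither policy type blocks token issuance and that enforcement happens only when a new secret is added is the most important operational caveat on the page and is worth keeping exactly where it is, next to the precedence rules.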
v1.0 Policy Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/policy-overview.md
Azure Active Directory (Azure AD) uses policies to control Azure AD feature beha
| Policy type | Description | Examples | | :- | : | :- | | [activityBasedTimeoutPolicies](activityBasedTimeoutPolicy.md) | Represents a policy that controls automatic sign-out for web sessions after a period of inactivity, for applications that support activity-based timeout functionality. | Configure the Azure portal to have an inactivity timeout of 15 minutes. |
-| [applicationAuthMethodPolicies](applicationAuthMethodPolicy.md) | Represents a set of policies that restrict app management operations for applications and service principals. | Configure applications or service principals to not use password secrets or enforce lifetime on secrets. |
+| [applicationAuthenticationMethodPolicies](applicationAuthenticationMethodPolicy.md) | Represents a set of policies that restrict app management operations for applications and service principals. | Configure applications or service principals to not use password secrets or enforce lifetime on secrets. |
| [authenticationFlowsPolicies](authenticationflowspolicy.md) | Represents a policy that controls whether external users should be able to sign up and gain a guest account via an External Identities self-service sign-up user flow. | Enable your applications to support external users signing up via a self-service sign-up user flow. | | [authorizationPolicy](authorizationpolicy.md) | Represents a policy that can control authorization settings of Azure Active Directory. | Configure Azure AD to block MSOL PowerShell in the tenant. | | [claimsMappingPolicies](claimsMappingPolicy.md) | Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application. | Create and assign a policy to omit the basic claims from tokens issued to a service principal. |
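Review bot: the `+` line fixes the link target to match the new `applicationAuthenticationMethodPolicy.md` file added in this commit, but the first-column name `applicationAuthenticationMethodPolicies` is not a resource type; the linked page is an overview whose own "Next steps" lists `tenantAppManagementPolicy` and `appManagementPolicy` as the actual resource types. Since every other row in this table names a resource (or resource collection), consider naming the entry after those types, or making the description say it is an overview of the two resources, so readers do not search for an `applicationAuthenticationMethodPolicy` resource that does not exist.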
v1.0 Tenantappmanagementpolicy https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/beta/resources/tenantAppManagementPolicy.md
The following is a JSON representation of the resource.
```json {
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/tenantAppManagementPolicy",
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/defaultAppManagementPolicy",
"id": "string (identifier)", "description": "string", "displayName": "string",
v1.0 User List Contacts https://github.com/microsoftgraph/microsoft-graph-docs/commits/master/api-reference/v1.0/api/user-list-contacts.md
For general information on the `$filter` query parameter, see [OData query param
| Header | Value | |:|:--| | Authorization | Bearer {token}. Required. |
-| Content-Type | application/json |
## Request body Do not supply a request body for this method.
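Review bot: removing the `Content-Type | application/json` row is correct for this GET, since the page states "Do not supply a request body for this method" and a content-type header without a body only invites confusion. The remaining delimiter row on the headers table, `|:|:--|`, uses a bare `:` for the first column, which is not a valid alignment spec in GitHub-flavored Markdown; change it to `|:--|:--|` so the table renders.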