Policies in Microsoft Entra ID

Policies

Microsoft Entra ID provides a set of policies that control the behavior of different aspects of your tenant. These policies can be used to enforce security, compliance, and other requirements.

It's quite hard to find the documentation for these policies, so I've tried to make an overview of the different types of policies that are available in Microsoft Entra ID.

The good news is that all of these policies are available through the Microsoft Graph API.

Activity-based timeout policy

This policy controls the idle timeout for web sessions in applications that support activity-based timeout functionality.

Such applications enforce automatic sign-out after a period of inactivity. This type of policy can only be applied at the organization level.

Admin consent request policy

This policy lets you enable or disable the Microsoft Entra admin consent workflow for your tenant. The admin consent workflow allows users to request access to apps that they wish to use and that require admin authorization before users can use them to access organizational data.

App management policy

This policy can block the use of password secrets or limit their lifetime, and it uses the creation date of the application or service principal object to decide whether the restriction applies.

These policies allow organizations to take advantage of the new app security hardening features.

By enforcing restrictions that are based on the application or service principal created date, an organization can review their current app security posture, inventory apps, and enforce controls per their resourcing schedules and needs. This approach using the created date allows the organization to enforce the policy for new applications and also apply it to existing applications.
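The created-date mechanism described above, worked as an added example (not code from the post or from Microsoft): a small evaluator that reports which password credentials on an application object conflict with an app management policy. The policy and application objects are constructed sample data modelled on the Graph appManagementPolicy and application shapes, and only day-based ISO 8601 durations are parsed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample policy modelled on the Graph appManagementPolicy shape
# (restrictions.passwordCredentials); not a real tenant's policy.
POLICY = {
    "isEnabled": True,
    "restrictions": {"passwordCredentials": [
        {"restrictionType": "passwordAddition", "maxLifetime": None,
         "restrictForAppsCreatedAfterDateTime": "2024-01-01T00:00:00Z"},
        {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
         "restrictForAppsCreatedAfterDateTime": "2021-01-01T00:00:00Z"},
    ]},
}

# Constructed application objects: one created before, one after the cut-offs.
APP_OLD = {"createdDateTime": "2020-06-01T00:00:00Z", "passwordCredentials": [
    {"keyId": "old-1", "startDateTime": "2020-06-01T00:00:00Z", "endDateTime": "2022-06-01T00:00:00Z"}]}
APP_NEW = {"createdDateTime": "2024-03-01T00:00:00Z", "passwordCredentials": [
    {"keyId": "k1", "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2024-03-31T00:00:00Z"},
    {"keyId": "k2", "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"}]}

def parse_duration(value):
    """Parse the day-based ISO 8601 duration used in the sample (e.g. 'P90D')."""
    m = re.fullmatch(r"P(\d+)D", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    return timedelta(days=int(m.group(1)))

def parse_ts(value):
    """Parse a Graph-style UTC timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def evaluate(policy, app):
    """Return (keyId, restrictionType) pairs for credentials that conflict with the policy.
    A restriction applies only to objects created after its cut-off date, which is
    what lets one policy cover new apps immediately while existing apps are phased in."""
    violations = []
    if not policy["isEnabled"]:
        return violations
    created = parse_ts(app["createdDateTime"])
    for rule in policy["restrictions"]["passwordCredentials"]:
        if created <= parse_ts(rule["restrictForAppsCreatedAfterDateTime"]):
            continue  # object predates the cut-off: this rule does not apply to it
        for cred in app["passwordCredentials"]:
            lifetime = parse_ts(cred["endDateTime"]) - parse_ts(cred["startDateTime"])
            if rule["restrictionType"] == "passwordAddition":
                violations.append((cred["keyId"], "passwordAddition"))  # secrets not allowed at all
            elif rule["restrictionType"] == "passwordLifetime" and lifetime > parse_duration(rule["maxLifetime"]):
                violations.append((cred["keyId"], "passwordLifetime"))
    return violations
```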

Default tenant app management policy

Tenant-wide application authentication method policy to enforce app management restrictions for all applications and service principals.

This policy applies to all apps and service principals unless overridden when an app management policy is applied to the object.

Authentication flows policy

The policy configures the self-service sign-up experience at the tenant level and lets external users request to sign up, subject to approval.

Configuration contains information, such as the identifier, display name, and description, and indicates whether self-service sign-up is enabled for the policy.

Authentication methods policy

The tenant-wide policy that controls which authentication methods are allowed in the tenant, authentication method registration requirements including MFA, and self-service password reset settings.

Authentication strength policy

A collection of settings that define specific combinations of authentication methods and metadata.

The authentication strength policy, when applied to a given scenario using Microsoft Entra Conditional Access, defines which authentication methods must be used to authenticate in that scenario. An authentication strength may be built-in or custom (defined by the tenant) and may or may not fulfill the requirements to grant an MFA claim.

Authorization policy

This policy can control Microsoft Entra authorization settings at the tenant level.

Claims mapping policy

Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application.

The policy lets you select which claims are included in tokens, create claim types that do not already exist, and choose or change the source of the data emitted in specific claims.

Conditional access policy

A Conditional Access policy is a security measure used in Microsoft Entra ID to enforce organizational policies based on specific conditions. It operates on an if-then logic, where if users want to access a resource, then they must complete certain actions.

This policy helps organizations protect their assets while empowering users to be productive wherever and whenever they work.

Cross tenant access policy

The policy for cross-tenant access settings.

Device registration policy

Tenant-wide policy that manages initial device provisioning controls using quota restrictions and additional authentication and authorization checks.

Feature rollout policy

Feature rollout policy helps tenant administrators pilot features of Microsoft Entra ID with a specific group before enabling them for the entire organization. This minimizes the impact and helps administrators test and roll out authentication-related features gradually.

Home realm discovery policy

The policy controls Microsoft Entra authentication behavior for federated users, in particular auto-acceleration and user authentication restrictions in federated domains. You can set the policy for all service principals in your organization, or for specific service principals in your organization.

Identity security defaults enforcement policy

Security defaults contain preconfigured security settings that protect against common attacks.

Permission grant policies

The permission grant policy consists of a list of includes condition sets and a list of excludes condition sets. For an event to match a permission grant policy, it must match at least one of the includes condition sets and none of the excludes condition sets.
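The includes/excludes matching rule above, worked as an added example in Python (not code from the post or from Microsoft): a constructed policy over a subset of the permissionGrantConditionSet properties (permissionType, permissionClassification, resourceApplication, permissions, clientApplicationIds), evaluated against constructed consent events. All GUIDs are placeholders.

```python
# Constructed sample policy modelled on the Graph permissionGrantPolicy shape.
# "all" / "any" are the wildcard values the condition-set properties accept.
TRUSTED_CLIENT = "11111111-1111-1111-1111-111111111111"   # placeholder client app id
SENSITIVE_RESOURCE = "22222222-2222-2222-2222-222222222222"  # placeholder resource app id
SENSITIVE_PERMISSION = "33333333-3333-3333-3333-333333333333"  # placeholder permission id

POLICY = {
    "includes": [
        # Any client may be granted low-classified delegated permissions on any resource.
        {"permissionType": "delegated", "permissionClassification": "low",
         "resourceApplication": "any", "permissions": ["all"], "clientApplicationIds": ["all"]},
        # One trusted client may be granted any delegated permission.
        {"permissionType": "delegated", "permissionClassification": "all",
         "resourceApplication": "any", "permissions": ["all"], "clientApplicationIds": [TRUSTED_CLIENT]},
    ],
    "excludes": [
        # ...except one specific permission on one resource, for every client.
        {"permissionType": "delegated", "permissionClassification": "all",
         "resourceApplication": SENSITIVE_RESOURCE, "permissions": [SENSITIVE_PERMISSION],
         "clientApplicationIds": ["all"]},
    ],
}

def _in_list(allowed, value):
    return "all" in allowed or value in allowed

def condition_set_matches(cs, event):
    """Every property of the condition set must accept the event's value."""
    return (cs["permissionType"] == event["permissionType"]
            and cs["permissionClassification"] in ("all", event["permissionClassification"])
            and cs["resourceApplication"] in ("any", event["resourceApplication"])
            and _in_list(cs["permissions"], event["permission"])
            and _in_list(cs["clientApplicationIds"], event["clientApplicationId"]))

def policy_matches(policy, event):
    """Match = at least one includes set matches and no excludes set matches."""
    included = any(condition_set_matches(cs, event) for cs in policy["includes"])
    excluded = any(condition_set_matches(cs, event) for cs in policy["excludes"])
    return included and not excluded

def make_event(ptype, classification, resource, permission, client):
    """Build a constructed consent event in the shape condition_set_matches expects."""
    return {"permissionType": ptype, "permissionClassification": classification,
            "resourceApplication": resource, "permission": permission, "clientApplicationId": client}
```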

Role management policy

Specifies the various policies associated with scopes and roles.

Token issuance policy

This policy specifies the characteristics of SAML tokens issued by Microsoft Entra ID. You can use token issuance policies to set signing options, the signing algorithm, and the SAML token version.

Token lifetime policy

This policy controls the lifetime of a JWT access token, an ID token or a SAML 1.1/2.0 token issued by Microsoft Entra ID. You can set token lifetimes for all apps in your organization, for a multitenant (multi-organization) application, or for a specific service principal in your organization.

Resources
