Policies
Microsoft Entra ID provides a set of policies that control the behavior of different aspects of your tenant. These policies can be used to enforce security, compliance, and other requirements.
It's quite hard to find the documentation for these policies, so I've tried to make an overview of the different types of policies that are available in Microsoft Entra ID.
The good news is that all of these policies are available through the Microsoft Graph API.
Activity-based timeout policy
This policy controls the idle timeout for web sessions of applications that support activity-based timeout functionality.
Such applications automatically sign the user out after a period of inactivity. This type of policy can only be applied at the organization level.
Admin consent request policy
This policy enables or disables the Microsoft Entra admin consent workflow for your tenant. The admin consent workflow lets users request access to apps they wish to use that require admin authorization before users can use them to access organizational data.
App management policy
This policy can block the addition of password secrets or limit their lifetime, and it uses the creation date of the object to decide whether the restriction applies.
These policies allow organizations to take advantage of the new app security hardening features.
By enforcing restrictions based on the created date of the application or service principal, an organization can review its current app security posture, inventory its apps, and enforce controls according to its own resourcing schedule and needs. Keying the policy to the created date lets the organization enforce it for new applications and also apply it to existing applications.
Default tenant app management policy
Tenant-wide application authentication method policy to enforce app management restrictions for all applications and service principals.
This policy applies to all apps and service principals unless overridden when an app management policy is applied to the object.
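As an added example (not code from the page or from Microsoft), the following Python script applies the two rules described above: an app-specific app management policy overrides the tenant default, and each restriction only applies to apps created after its enforcement date. The field names (restrictionType, maxLifetime as an ISO 8601 duration, restrictForAppsCreatedAfterDateTime) follow the Graph appManagementPolicy and tenantAppManagementPolicy resources as I know them from the linked documentation; policy assignment is simplified to a constructed assignedPolicyId field, and all tenant objects are constructed samples.

```python
"""Decide which app management password restrictions govern an application and
whether a proposed password credential would violate them (added example)."""
from datetime import datetime, timedelta
import re


def parse_iso_duration(text):
    """Parse the day/hour/minute subset of ISO 8601 durations, e.g. 'P90D' or 'PT12H'."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text}")
    days, hours, minutes = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def parse_ts(text):
    """Parse a Graph timestamp such as '2024-01-01T00:00:00Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def effective_password_restrictions(app, tenant_policy, app_policies):
    """An assigned, enabled app management policy overrides the tenant default;
    otherwise the tenant default applies when it is enabled."""
    for policy in app_policies:
        if policy["id"] == app.get("assignedPolicyId") and policy["isEnabled"]:
            return policy["restrictions"]["passwordCredentials"]
    if tenant_policy["isEnabled"]:
        return tenant_policy["applicationRestrictions"]["passwordCredentials"]
    return []


def password_credential_violations(app, credential, restrictions):
    """Return the restriction types a proposed password credential would violate.
    A restriction only applies to apps created after its enforcement date, which is
    how the policy reaches new apps without immediately breaking older ones."""
    created = parse_ts(app["createdDateTime"])
    lifetime = parse_ts(credential["endDateTime"]) - parse_ts(credential["startDateTime"])
    violated = []
    for r in restrictions:
        cutoff = r.get("restrictForAppsCreatedAfterDateTime")
        if cutoff and created <= parse_ts(cutoff):
            continue  # app predates the enforcement date: restriction does not apply
        if r["restrictionType"] == "passwordAddition":
            violated.append("passwordAddition")  # no new password secrets at all
        elif r["restrictionType"] == "passwordLifetime":
            if lifetime > parse_iso_duration(r["maxLifetime"]):
                violated.append("passwordLifetime")
    return violated


# Constructed sample data (not real tenant objects). Policy ids are placeholders.
TENANT_DEFAULT = {
    "isEnabled": True,
    "applicationRestrictions": {"passwordCredentials": [
        {"restrictionType": "passwordAddition",
         "restrictForAppsCreatedAfterDateTime": "2025-01-01T00:00:00Z"},
        {"restrictionType": "passwordLifetime", "maxLifetime": "P90D",
         "restrictForAppsCreatedAfterDateTime": "2020-01-01T00:00:00Z"},
    ]},
}
APP_POLICIES = [{
    "id": "policy-long-lived",
    "isEnabled": True,
    "restrictions": {"passwordCredentials": [
        {"restrictionType": "passwordLifetime", "maxLifetime": "P180D",
         "restrictForAppsCreatedAfterDateTime": "2019-01-01T00:00:00Z"},
    ]},
}]
APPS = [
    {"id": "app-a", "createdDateTime": "2023-06-01T00:00:00Z"},
    {"id": "app-b", "createdDateTime": "2025-06-01T00:00:00Z", "assignedPolicyId": "policy-long-lived"},
    {"id": "app-c", "createdDateTime": "2025-06-01T00:00:00Z"},
]
ONE_YEAR_SECRET = {"startDateTime": "2025-09-01T00:00:00Z", "endDateTime": "2026-09-01T00:00:00Z"}


def audit_sample(credential=ONE_YEAR_SECRET):
    """Check the same proposed secret against every sample app."""
    return {
        app["id"]: password_credential_violations(
            app, credential, effective_password_restrictions(app, TENANT_DEFAULT, APP_POLICIES))
        for app in APPS
    }


if __name__ == "__main__":
    for app_id, problems in audit_sample().items():
        print(app_id, "OK" if not problems else "blocked by " + ", ".join(problems))
```

Running it shows the effect of the created-date cutoff: app-a (created before the passwordAddition cutoff) is only held to the 90-day lifetime, app-c (created after it) may not receive new password secrets at all, and app-b is governed by its assigned 180-day policy rather than the tenant default.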
Authentication flows policy
This policy lets you configure the self-service sign-up experience at the tenant level and lets external users request to sign up for approval.
Configuration contains information, such as the identifier, display name, and description, and indicates whether self-service sign-up is enabled for the policy.
Authentication methods policy
The tenant-wide policy that controls which authentication methods are allowed in the tenant, authentication method registration requirements (including MFA), and self-service password reset settings.
Authentication strength policy
A collection of settings that define specific combinations of authentication methods and metadata.
The authentication strength policy, when applied to a given scenario using Microsoft Entra Conditional Access, defines which authentication methods must be used to authenticate in that scenario. An authentication strength may be built-in or custom (defined by the tenant) and may or may not fulfill the requirements to grant an MFA claim.
Authorization policy
This policy can control Microsoft Entra authorization settings at the tenant level.
Claims mapping policy
Represents the claim-mapping policies for WS-Fed, SAML, OAuth 2.0, and OpenID Connect protocols, for tokens issued to a specific application.
The policy lets you select which claims are included in tokens, create claim types that do not already exist, and choose or change the source of the data emitted in specific claims.
Conditional access policy
A Conditional Access policy is a security measure used in Microsoft Entra ID to enforce organizational policies based on specific conditions. It operates on an if-then logic, where if users want to access a resource, then they must complete certain actions.
This policy helps organizations protect their assets while letting users stay productive wherever and whenever they work.
Cross tenant access policy
The policy for cross-tenant access settings.
Device registration policy
Tenant-wide policy that manages initial provisioning controls using quota restrictions and additional authentication and authorization checks.
Feature rollout policy
Feature rollout policy helps tenant administrators pilot features of Microsoft Entra ID with a specific group before enabling them for the entire organization. This minimizes the impact and lets administrators test and roll out authentication-related features gradually.
Home realm discovery policy
The policy controls Microsoft Entra authentication behavior for federated users, in particular auto-acceleration and user authentication restrictions in federated domains. You can set the policy for all service principals in your organization, or for specific service principals.
Identity security defaults enforcement policy
Security defaults contain preconfigured security settings that protect against common attacks.
Permission grant policies
The permission grant policy consists of a list of includes condition sets and a list of excludes condition sets. For an event to match a permission grant policy, it must match at least one of the includes condition sets and none of the excludes condition sets.
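The following Python script, added here as an example and not taken from the page or from Microsoft, evaluates a consent event against a permission grant policy using exactly the rule above: at least one includes condition set must match and no excludes condition set may match. The condition-set fields (permissionType, permissionClassification, resourceApplication, permissions, clientApplicationIds, clientApplicationTenantIds, clientApplicationPublisherIds, clientApplicationsFromVerifiedPublisherOnly) follow the Graph permissionGrantConditionSet resource as I know it; the "all" and "any" wildcard values are taken from the same resource. Every identifier in the sample is a constructed placeholder except the well-known Microsoft Graph appId.

```python
"""Match a permission grant event against a permission grant policy (added example)."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph appId
HR_API_APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed: an internal HR API


def _allows(value, allowed, wildcard):
    """A list condition matches when it holds the wildcard or the concrete value."""
    return wildcard in allowed or value in allowed


def condition_set_matches(cs, event):
    """Every condition in the set must hold for the set to match the event.
    Missing conditions default to their wildcard, as the Graph resource does."""
    if cs["permissionType"] != event["permissionType"]:
        return False
    # Classification is the tenant's own label for a delegated permission (low/medium/high).
    if cs.get("permissionClassification", "all") not in ("all", event.get("permissionClassification")):
        return False
    if cs.get("resourceApplication", "any") not in ("any", event["resourceApplication"]):
        return False
    if not _allows(event["permissionId"], cs.get("permissions", ["all"]), "all"):
        return False
    if not _allows(event["clientApplicationId"], cs.get("clientApplicationIds", ["all"]), "all"):
        return False
    if not _allows(event["clientApplicationTenantId"], cs.get("clientApplicationTenantIds", ["all"]), "all"):
        return False
    if not _allows(event.get("clientApplicationPublisherId"), cs.get("clientApplicationPublisherIds", ["all"]), "all"):
        return False
    if cs.get("clientApplicationsFromVerifiedPublisherOnly") and not event.get("clientFromVerifiedPublisher"):
        return False
    return True


def policy_matches(policy, event):
    """The page's rule: at least one includes set matches and no excludes set matches."""
    included = any(condition_set_matches(cs, event) for cs in policy["includes"])
    excluded = any(condition_set_matches(cs, event) for cs in policy["excludes"])
    return included and not excluded


# Constructed policy: users may consent to low-classified delegated permissions
# requested by apps from verified publishers, but never to the internal HR API.
SAMPLE_POLICY = {
    "id": "custom-low-risk-verified-publishers",  # constructed id
    "includes": [{
        "permissionType": "delegated",
        "permissionClassification": "low",
        "resourceApplication": "any",
        "permissions": ["all"],
        "clientApplicationsFromVerifiedPublisherOnly": True,
    }],
    "excludes": [{
        "permissionType": "delegated",
        "permissionClassification": "all",
        "resourceApplication": HR_API_APP_ID,
        "permissions": ["all"],
    }],
}


def sample_events():
    """Constructed consent events; only the first should be allowed by SAMPLE_POLICY."""
    base = {
        "permissionType": "delegated",
        "permissionClassification": "low",
        "resourceApplication": GRAPH_APP_ID,
        "permissionId": "aaaaaaaa-0000-0000-0000-000000000001",  # constructed permission id
        "clientApplicationId": "22222222-2222-2222-2222-222222222222",  # constructed
        "clientApplicationTenantId": "33333333-3333-3333-3333-333333333333",  # constructed
        "clientFromVerifiedPublisher": True,
    }
    return {
        "verified-low-graph": base,
        "unverified-low-graph": {**base, "clientFromVerifiedPublisher": False},
        "verified-low-hr-api": {**base, "resourceApplication": HR_API_APP_ID},
        "verified-high-graph": {**base, "permissionClassification": "high"},
        "application-permission": {**base, "permissionType": "application"},
    }


def evaluate_sample():
    return {name: policy_matches(SAMPLE_POLICY, ev) for name, ev in sample_events().items()}


if __name__ == "__main__":
    for name, allowed in evaluate_sample().items():
        print(f"{name:24s} {'allowed' if allowed else 'not matched'}")
```

The third event shows why the excludes list matters: it satisfies the includes set (low classification, verified publisher) and is still rejected because the HR API exclusion matches. Which policies actually apply to user consent is controlled separately by the authorization policy (its permissionGrantPoliciesAssigned setting), so a custom policy like this one has no effect until it is referenced there.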
Role management policy
Specifies the various policies associated with scopes and roles.
Token issuance policy
This policy specifies the characteristics of SAML tokens issued by Microsoft Entra ID. You can use token issuance policies to set signing options, the signing algorithm, and the SAML token version.
Token lifetime policy
This policy controls the lifetime of a JWT access token, an ID token or a SAML 1.1/2.0 token issued by Microsoft Entra ID. You can set token lifetimes for all apps in your organization, for a multitenant (multi-organization) application, or for a specific service principal in your organization.
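As an added example (not from the page or from Microsoft), this Python script reads tokenLifetimePolicy objects in the shape Graph returns them and flags access-token lifetimes longer than a chosen maximum, the kind of check a reviewer would run before trusting a tenant's token configuration. It assumes the definition property is a list holding a single JSON-encoded string of the form {"TokenLifetimePolicy": {"Version": 1, "AccessTokenLifetime": "H:MM:SS"}}, as in the linked documentation, and additionally accepts the day-prefixed "D.HH:MM:SS" form; every policy object below is constructed.

```python
"""Audit tokenLifetimePolicy definitions for long-lived access tokens (added example)."""
import json
from datetime import timedelta


def parse_timespan(text):
    """Parse 'H:MM:SS' or 'D.HH:MM:SS'. Returns None for the open-ended 'until-revoked'."""
    if text == "until-revoked":
        return None
    days = 0
    if "." in text:
        day_part, text = text.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(x) for x in text.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def load_definition(policy):
    """Unwrap the JSON string carried inside the policy's definition list."""
    raw = policy["definition"]
    if len(raw) != 1:
        raise ValueError(f"{policy['displayName']}: expected exactly one definition entry")
    return json.loads(raw[0])["TokenLifetimePolicy"]


def audit_token_lifetimes(policies, max_access_token=timedelta(hours=1)):
    """Return (displayName, reason) findings for policies that deserve review.
    A long access-token lifetime widens the window in which a leaked token stays
    usable and delays the effect of revocation and Conditional Access re-evaluation."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        try:
            definition = load_definition(policy)
        except (ValueError, KeyError) as exc:  # json.JSONDecodeError is a ValueError
            findings.append((name, f"unparseable definition: {exc}"))
            continue
        if definition.get("Version") != 1:
            findings.append((name, f"unexpected Version {definition.get('Version')!r}"))
        lifetime_text = definition.get("AccessTokenLifetime")
        if lifetime_text is not None:
            lifetime = parse_timespan(lifetime_text)
            if lifetime is None or lifetime > max_access_token:
                findings.append((name, f"AccessTokenLifetime {lifetime_text} exceeds {max_access_token}"))
    return findings


# Constructed objects in the shape of a Graph /policies/tokenLifetimePolicies listing.
SAMPLE_POLICIES = [
    {"displayName": "org-default-1h", "isOrganizationDefault": True,
     "definition": ['{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"1:00:00"}}']},
    {"displayName": "legacy-app-24h", "isOrganizationDefault": False,
     "definition": ['{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"1.00:00:00"}}']},
    {"displayName": "broken-policy", "isOrganizationDefault": False,
     "definition": ['{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}', '{}']},
]


def audit_sample():
    return audit_token_lifetimes(SAMPLE_POLICIES)


if __name__ == "__main__":
    for name, reason in audit_sample():
        print(f"{name}: {reason}")
```

Because a policy can be assigned organization-wide, to a multitenant application, or to a single service principal, a finding on a non-default policy still needs a second look at what it is assigned to before deciding how much exposure it represents.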
Resources
- https://learn.microsoft.com/graph/api/resources/policy-overview
- https://learn.microsoft.com/graph/api/resources/activitybasedtimeoutpolicy
- https://learn.microsoft.com/graph/api/resources/adminconsentrequestpolicy
- https://learn.microsoft.com/graph/api/resources/appmanagementpolicy
- https://learn.microsoft.com/graph/api/resources/tenantappmanagementpolicy
- https://learn.microsoft.com/graph/api/resources/authorizationpolicy
- https://learn.microsoft.com/graph/api/resources/authenticationflowspolicy
- https://learn.microsoft.com/graph/api/resources/authenticationstrengthpolicy
- https://learn.microsoft.com/graph/api/resources/claimsmappingpolicy
- https://learn.microsoft.com/graph/api/resources/deviceregistrationpolicy
- https://learn.microsoft.com/graph/api/resources/featurerolloutpolicy
- https://learn.microsoft.com/graph/api/resources/homerealmdiscoverypolicy
- https://learn.microsoft.com/graph/api/resources/identitysecuritydefaultsenforcementpolicy
- https://learn.microsoft.com/graph/api/resources/permissiongrantpolicy
- https://learn.microsoft.com/graph/api/resources/tokenissuancepolicy
- https://learn.microsoft.com/graph/api/resources/tokenlifetimepolicy
- https://learn.microsoft.com/graph/api/resources/unifiedrolemanagementpolicy