命名空间:microsoft.graph
根据提供的登录属性评估租户中条件访问策略的适用性。
此 API 可用于以下国家级云部署。
| 全局服务 | 美国政府 L4 | 美国政府 L5 (DOD) | 由世纪互联运营的中国 |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
权限
为此 API 选择标记为最低特权的权限。
只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
| 权限类型 | 最低特权权限 | 更高特权权限 |
|---|---|---|
| 委派(工作或学校帐户) | Policy.Read.ConditionalAccess | Policy.Read.All、Policy.ReadWrite.ConditionalAccess |
| 委派(个人 Microsoft 帐户) | 不支持。 | 不支持。 |
| 应用程序 | Policy.Read.ConditionalAccess | Policy.Read.All、Policy.ReadWrite.ConditionalAccess |
HTTP 请求
POST /identity/conditionalAccess/evaluate
| 名称 | 说明 |
|---|---|
| Authorization | Bearer {token}。必需。详细了解身份验证和授权。 |
| Content-Type | application/json。必需。 |
请求正文
在请求正文中,提供参数的 JSON 表示形式。 为使评估提供最准确的结果,请尽可能多地包含有关登录的详细信息。 如果租户的某些策略包含特定条件,而请求中缺少与这些条件对应的登录详细信息,则“What If”工具无法评估这些条件。
下表列出了调用此操作时所需的参数。
| 参数 | 类型 | 说明 |
|---|---|---|
| signInIdentity | signInIdentity | 表示正在进行身份验证的标识。 这可以是用户、外部用户或单租户服务主体。 必需。 |
| signInContext | signInContext | 表示身份验证的上下文。 这可能涉及访问应用程序、执行特定用户操作或访问受身份验证上下文保护的数据。 必需。 |
| signInConditions | signInConditions | 表示身份验证标识的登录参数。 这包括位置、设备信息、风险信息等详细信息。 必需。 |
| appliedPoliciesOnly | 布尔值 | 此属性控制是在响应中包含所有策略,还是仅包含将应用于身份验证事件的策略。 可选。 |
响应
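如果成功,此操作将返回 200 OK 响应代码,并在响应正文中返回 whatIfAnalysisResult 集合。 响应指示租户中的每个策略是否会根据请求正文中提供的登录属性应用。 请结合每个结果的 state 属性解读 policyApplies:例如 state 为 enabledForReportingButNotEnforced 的策略,即使 policyApplies 为 true,也只处于仅报告状态,不会被强制执行。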
示例
示例 1:确定将应用于访问应用程序的用户的条件访问策略
请求
以下示例显示了一个请求。
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/evaluate
Content-Type: application/json
{
"signInIdentity": {
"@odata.type": "#microsoft.graph.userSignIn",
"userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
},
"signInContext": {
"@odata.type": "#microsoft.graph.applicationContext",
"includeApplications": [
"00000003-0000-0ff1-ce00-000000000000"
]
},
"signInConditions": {
"devicePlatform": "android",
"clientAppType": "browser",
"signInRiskLevel": "high",
"userRiskLevel": "high",
"country": "US",
"ipAddress": "40.77.182.32",
"insiderRiskLevel": "elevated",
"authenticationFlow": {
"transferMethod": "deviceCodeFlow"
},
"deviceInfo": {
"isCompliant": true
}
},
"appliedPoliciesOnly": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Models;
// Identity whose sign-in is being simulated (sample user object ID).
var signInIdentity = new UserSignIn
{
    OdataType = "#microsoft.graph.userSignIn",
    UserId = "15dc174b-f34c-4588-ac45-61d6e05dce93",
};

// What the identity signs in to: here, a single application ID.
var signInContext = new ApplicationContext
{
    OdataType = "#microsoft.graph.applicationContext",
    IncludeApplications = new List<string> { "00000003-0000-0ff1-ce00-000000000000" },
};

// Nested parts of the sign-in conditions.
var authenticationFlow = new AuthenticationFlow
{
    TransferMethod = ConditionalAccessTransferMethods.DeviceCodeFlow,
};
var deviceInfo = new DeviceInfo
{
    IsCompliant = true,
};

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
var signInConditions = new SignInConditions
{
    DevicePlatform = ConditionalAccessDevicePlatform.Android,
    ClientAppType = ConditionalAccessClientApp.Browser,
    SignInRiskLevel = RiskLevel.High,
    UserRiskLevel = RiskLevel.High,
    Country = "US",
    IpAddress = "40.77.182.32",
    InsiderRiskLevel = InsiderRiskLevel.Elevated,
    AuthenticationFlow = authenticationFlow,
    DeviceInfo = deviceInfo,
};

var requestBody = new EvaluatePostRequestBody
{
    SignInIdentity = signInIdentity,
    SignInContext = signInContext,
    SignInConditions = signInConditions,
    // true: the response lists only the policies that would apply, not every policy.
    AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
// NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
// confirm client and credential setup against the official Microsoft Graph SDK documentation.
// Policy.Read.ConditionalAccess is the least-privileged permission for this call.
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphidentity "github.com/microsoftgraph/msgraph-sdk-go/identity"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
// Identity whose sign-in is being simulated (sample user object ID).
userID := "15dc174b-f34c-4588-ac45-61d6e05dce93"
identity := graphmodels.NewUserSignIn()
identity.SetUserId(&userID)

// What the identity signs in to: here, a single application ID.
appContext := graphmodels.NewApplicationContext()
appContext.SetIncludeApplications([]string{"00000003-0000-0ff1-ce00-000000000000"})

// Nested parts of the sign-in conditions.
transfer := graphmodels.DEVICECODEFLOW_CONDITIONALACCESSTRANSFERMETHODS
flow := graphmodels.NewAuthenticationFlow()
flow.SetTransferMethod(&transfer)

compliant := true
device := graphmodels.NewDeviceInfo()
device.SetIsCompliant(&compliant)

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
platform := graphmodels.ANDROID_CONDITIONALACCESSDEVICEPLATFORM
appType := graphmodels.BROWSER_CONDITIONALACCESSCLIENTAPP
signInRisk := graphmodels.HIGH_RISKLEVEL
userRisk := graphmodels.HIGH_RISKLEVEL
countryCode := "US"
sourceIP := "40.77.182.32"
insiderRisk := graphmodels.ELEVATED_INSIDERRISKLEVEL

conditions := graphmodels.NewSignInConditions()
conditions.SetDevicePlatform(&platform)
conditions.SetClientAppType(&appType)
conditions.SetSignInRiskLevel(&signInRisk)
conditions.SetUserRiskLevel(&userRisk)
conditions.SetCountry(&countryCode)
conditions.SetIpAddress(&sourceIP)
conditions.SetInsiderRiskLevel(&insiderRisk)
conditions.SetAuthenticationFlow(flow)
conditions.SetDeviceInfo(device)

// true: the response lists only the policies that would apply, not every policy.
onlyApplied := true

requestBody := graphidentity.NewEvaluatePostRequestBody()
requestBody.SetSignInIdentity(identity)
requestBody.SetSignInContext(appContext)
requestBody.SetSignInConditions(conditions)
requestBody.SetAppliedPoliciesOnly(&onlyApplied)

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
// NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
// confirm client and credential setup against the official Microsoft Graph SDK documentation.
// Policy.Read.ConditionalAccess is the least-privileged permission for this call.
// err must be checked before evaluate is read; a failed call says nothing about which policies apply.
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest version. Current version is 6.x
// requestAdapter carries the credential; Policy.Read.ConditionalAccess is the least-privileged permission for this call.
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

// Identity whose sign-in is being simulated (sample user object ID).
UserSignIn identity = new UserSignIn();
identity.setOdataType("#microsoft.graph.userSignIn");
identity.setUserId("15dc174b-f34c-4588-ac45-61d6e05dce93");

// What the identity signs in to: here, a single application ID.
LinkedList<String> targetApplications = new LinkedList<>();
targetApplications.add("00000003-0000-0ff1-ce00-000000000000");
ApplicationContext applicationContext = new ApplicationContext();
applicationContext.setOdataType("#microsoft.graph.applicationContext");
applicationContext.setIncludeApplications(targetApplications);

// Nested parts of the sign-in conditions.
AuthenticationFlow flow = new AuthenticationFlow();
flow.setTransferMethod(EnumSet.of(ConditionalAccessTransferMethods.DeviceCodeFlow));
DeviceInfo device = new DeviceInfo();
device.setIsCompliant(true);

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
SignInConditions conditions = new SignInConditions();
conditions.setDevicePlatform(ConditionalAccessDevicePlatform.Android);
conditions.setClientAppType(ConditionalAccessClientApp.Browser);
conditions.setSignInRiskLevel(RiskLevel.High);
conditions.setUserRiskLevel(RiskLevel.High);
conditions.setCountry("US");
conditions.setIpAddress("40.77.182.32");
conditions.setInsiderRiskLevel(InsiderRiskLevel.Elevated);
conditions.setAuthenticationFlow(flow);
conditions.setDeviceInfo(device);

com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody evaluatePostRequestBody =
    new com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
evaluatePostRequestBody.setSignInIdentity(identity);
evaluatePostRequestBody.setSignInContext(applicationContext);
evaluatePostRequestBody.setSignInConditions(conditions);
// true: the response lists only the policies that would apply, not every policy.
evaluatePostRequestBody.setAppliedPoliciesOnly(true);

var result = graphClient.identity().conditionalAccess().evaluate().post(evaluatePostRequestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// authProvider supplies the access token; Policy.Read.ConditionalAccess is the
// least-privileged permission for this call.
const options = { authProvider };
const client = Client.init(options);

// Identity whose sign-in is being simulated (sample user object ID).
const signInIdentity = {
  '@odata.type': '#microsoft.graph.userSignIn',
  userId: '15dc174b-f34c-4588-ac45-61d6e05dce93'
};

// What the identity signs in to: here, a single application ID.
const signInContext = {
  '@odata.type': '#microsoft.graph.applicationContext',
  includeApplications: ['00000003-0000-0ff1-ce00-000000000000']
};

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
const signInConditions = {
  devicePlatform: 'android',
  clientAppType: 'browser',
  signInRiskLevel: 'high',
  userRiskLevel: 'high',
  country: 'US',
  ipAddress: '40.77.182.32',
  insiderRiskLevel: 'elevated',
  authenticationFlow: { transferMethod: 'deviceCodeFlow' },
  deviceInfo: { isCompliant: true }
};

// This object is the request body for the evaluate action; the
// whatIfAnalysisResult collection is what the call returns.
const evaluateRequest = {
  signInIdentity,
  signInContext,
  signInConditions,
  // true: the response lists only the policies that would apply, not every policy.
  appliedPoliciesOnly: true
};

await client.api('/identity/conditionalAccess/evaluate').post(evaluateRequest);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Generated\Models\UserSignIn;
use Microsoft\Graph\Generated\Models\ApplicationContext;
use Microsoft\Graph\Generated\Models\SignInConditions;
use Microsoft\Graph\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Generated\Models\RiskLevel;
use Microsoft\Graph\Generated\Models\InsiderRiskLevel;
use Microsoft\Graph\Generated\Models\AuthenticationFlow;
use Microsoft\Graph\Generated\Models\ConditionalAccessTransferMethods;
use Microsoft\Graph\Generated\Models\DeviceInfo;
// $scopes decides what the token may do; Policy.Read.ConditionalAccess is the
// least-privileged permission for this call.
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

// Identity whose sign-in is being simulated (sample user object ID).
$identity = new UserSignIn();
$identity->setOdataType('#microsoft.graph.userSignIn');
$identity->setUserId('15dc174b-f34c-4588-ac45-61d6e05dce93');

// What the identity signs in to: here, a single application ID.
$applicationContext = new ApplicationContext();
$applicationContext->setOdataType('#microsoft.graph.applicationContext');
$applicationContext->setIncludeApplications(['00000003-0000-0ff1-ce00-000000000000']);

// Nested parts of the sign-in conditions.
$flow = new AuthenticationFlow();
$flow->setTransferMethod(new ConditionalAccessTransferMethods('deviceCodeFlow'));
$device = new DeviceInfo();
$device->setIsCompliant(true);

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
$conditions = new SignInConditions();
$conditions->setDevicePlatform(new ConditionalAccessDevicePlatform('android'));
$conditions->setClientAppType(new ConditionalAccessClientApp('browser'));
$conditions->setSignInRiskLevel(new RiskLevel('high'));
$conditions->setUserRiskLevel(new RiskLevel('high'));
$conditions->setCountry('US');
$conditions->setIpAddress('40.77.182.32');
$conditions->setInsiderRiskLevel(new InsiderRiskLevel('elevated'));
$conditions->setAuthenticationFlow($flow);
$conditions->setDeviceInfo($device);

$requestBody = new EvaluatePostRequestBody();
$requestBody->setSignInIdentity($identity);
$requestBody->setSignInContext($applicationContext);
$requestBody->setSignInConditions($conditions);
// true: the response lists only the policies that would apply, not every policy.
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph.generated.models.user_sign_in import UserSignIn
from msgraph.generated.models.application_context import ApplicationContext
from msgraph.generated.models.sign_in_conditions import SignInConditions
from msgraph.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph.generated.models.risk_level import RiskLevel
from msgraph.generated.models.insider_risk_level import InsiderRiskLevel
from msgraph.generated.models.authentication_flow import AuthenticationFlow
from msgraph.generated.models.conditional_access_transfer_methods import ConditionalAccessTransferMethods
from msgraph.generated.models.device_info import DeviceInfo
# To initialize your graph_client, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
# NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
# confirm client and credential setup against the official Microsoft Graph SDK documentation.
# Policy.Read.ConditionalAccess is the least-privileged permission for this call.

# Identity whose sign-in is being simulated (sample user object ID).
identity = UserSignIn(
    odata_type="#microsoft.graph.userSignIn",
    user_id="15dc174b-f34c-4588-ac45-61d6e05dce93",
)

# What the identity signs in to: here, a single application ID.
application_context = ApplicationContext(
    odata_type="#microsoft.graph.applicationContext",
    include_applications=["00000003-0000-0ff1-ce00-000000000000"],
)

# Nested parts of the sign-in conditions.
flow = AuthenticationFlow(
    transfer_method=ConditionalAccessTransferMethods.DeviceCodeFlow,
)
device = DeviceInfo(is_compliant=True)

# Sign-in parameters. Policy conditions that have no matching detail here
# cannot be evaluated, so supply as many as are known.
conditions = SignInConditions(
    device_platform=ConditionalAccessDevicePlatform.Android,
    client_app_type=ConditionalAccessClientApp.Browser,
    sign_in_risk_level=RiskLevel.High,
    user_risk_level=RiskLevel.High,
    country="US",
    ip_address="40.77.182.32",
    insider_risk_level=InsiderRiskLevel.Elevated,
    authentication_flow=flow,
    device_info=device,
)

request_body = EvaluatePostRequestBody(
    sign_in_identity=identity,
    sign_in_context=application_context,
    sign_in_conditions=conditions,
    # True: the response lists only the policies that would apply, not every policy.
    applied_policies_only=True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
"value": [
{
"id": "df9e6f15-2b60-4e78-b990-b2da33a10886",
"templateId": null,
"displayName": "All users except au1_Office 365_No conditions_Session control application enforced restrictions",
"createdDateTime": "2022-04-01T18:55:43.1454565Z",
"modifiedDateTime": "2025-03-27T21:42:26.951558Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"grantControls": null,
"partialEnablementStrategy": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"Office365"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [
"f7ca74b0-8562-4083-b66c-0476f942cfd0"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"sessionControls": {
"disableResilienceDefaults": null,
"cloudAppSecurity": null,
"signInFrequency": null,
"persistentBrowser": null,
"continuousAccessEvaluation": null,
"secureSignInSession": null,
"networkAccessSecurity": null,
"globalSecureAccessFilteringProfile": null,
"applicationEnforcedRestrictions": {
"isEnabled": true
}
}
},
{
"id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
"templateId": null,
"displayName": "All Users except au1_All resources_user risk H_Password change",
"createdDateTime": "2022-03-31T22:59:59.6688974Z",
"modifiedDateTime": "2025-03-27T19:55:43.5390544Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [
"high"
],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [
"f7ca74b0-8562-4083-b66c-0476f942cfd0"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa",
"passwordChange"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": null
}
}
]
}
示例 2:确定将应用于访问受身份验证上下文保护的敏感文件的用户的条件访问策略
请求
以下示例显示了一个请求。
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/evaluate
Content-Type: application/json
{
"signInIdentity": {
"@odata.type": "#microsoft.graph.userSignIn",
"userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
},
"signInContext": {
"@odata.type": "#microsoft.graph.authContext",
"authenticationContextValue": "c37"
},
"signInConditions": {
"devicePlatform": "windows",
"clientAppType": "mobileAppsAndDesktopClients",
"signInRiskLevel": "medium",
"userRiskLevel": "none",
"country": "US",
"ipAddress": "40.77.182.32",
"insiderRiskLevel": "moderate",
"authenticationFlow": {
"transferMethod": "authenticationTransfer"
},
"deviceInfo": {
"profileType": "Standard"
}
},
"appliedPoliciesOnly": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Models;
// Identity whose sign-in is being simulated (sample user object ID).
var signInIdentity = new UserSignIn
{
    OdataType = "#microsoft.graph.userSignIn",
    UserId = "15dc174b-f34c-4588-ac45-61d6e05dce93",
};

// What the identity signs in to: data protected by authentication context "c37".
var signInContext = new AuthContext
{
    OdataType = "#microsoft.graph.authContext",
    AuthenticationContextValue = "c37",
};

// Nested parts of the sign-in conditions.
var authenticationFlow = new AuthenticationFlow
{
    TransferMethod = ConditionalAccessTransferMethods.AuthenticationTransfer,
};
var deviceInfo = new DeviceInfo
{
    ProfileType = "Standard",
};

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
var signInConditions = new SignInConditions
{
    DevicePlatform = ConditionalAccessDevicePlatform.Windows,
    ClientAppType = ConditionalAccessClientApp.MobileAppsAndDesktopClients,
    SignInRiskLevel = RiskLevel.Medium,
    UserRiskLevel = RiskLevel.None,
    Country = "US",
    IpAddress = "40.77.182.32",
    InsiderRiskLevel = InsiderRiskLevel.Moderate,
    AuthenticationFlow = authenticationFlow,
    DeviceInfo = deviceInfo,
};

var requestBody = new EvaluatePostRequestBody
{
    SignInIdentity = signInIdentity,
    SignInContext = signInContext,
    SignInConditions = signInConditions,
    // true: the response lists only the policies that would apply, not every policy.
    AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
// NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
// confirm client and credential setup against the official Microsoft Graph SDK documentation.
// Policy.Read.ConditionalAccess is the least-privileged permission for this call.
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphidentity "github.com/microsoftgraph/msgraph-sdk-go/identity"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
// Identity whose sign-in is being simulated (sample user object ID).
userID := "15dc174b-f34c-4588-ac45-61d6e05dce93"
identity := graphmodels.NewUserSignIn()
identity.SetUserId(&userID)

// What the identity signs in to: data protected by authentication context "c37".
contextValue := "c37"
authContext := graphmodels.NewAuthContext()
authContext.SetAuthenticationContextValue(&contextValue)

// Nested parts of the sign-in conditions.
transfer := graphmodels.AUTHENTICATIONTRANSFER_CONDITIONALACCESSTRANSFERMETHODS
flow := graphmodels.NewAuthenticationFlow()
flow.SetTransferMethod(&transfer)

profile := "Standard"
device := graphmodels.NewDeviceInfo()
device.SetProfileType(&profile)

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
platform := graphmodels.WINDOWS_CONDITIONALACCESSDEVICEPLATFORM
appType := graphmodels.MOBILEAPPSANDDESKTOPCLIENTS_CONDITIONALACCESSCLIENTAPP
signInRisk := graphmodels.MEDIUM_RISKLEVEL
userRisk := graphmodels.NONE_RISKLEVEL
countryCode := "US"
sourceIP := "40.77.182.32"
insiderRisk := graphmodels.MODERATE_INSIDERRISKLEVEL

conditions := graphmodels.NewSignInConditions()
conditions.SetDevicePlatform(&platform)
conditions.SetClientAppType(&appType)
conditions.SetSignInRiskLevel(&signInRisk)
conditions.SetUserRiskLevel(&userRisk)
conditions.SetCountry(&countryCode)
conditions.SetIpAddress(&sourceIP)
conditions.SetInsiderRiskLevel(&insiderRisk)
conditions.SetAuthenticationFlow(flow)
conditions.SetDeviceInfo(device)

// true: the response lists only the policies that would apply, not every policy.
onlyApplied := true

requestBody := graphidentity.NewEvaluatePostRequestBody()
requestBody.SetSignInIdentity(identity)
requestBody.SetSignInContext(authContext)
requestBody.SetSignInConditions(conditions)
requestBody.SetAppliedPoliciesOnly(&onlyApplied)

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
// NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
// confirm client and credential setup against the official Microsoft Graph SDK documentation.
// Policy.Read.ConditionalAccess is the least-privileged permission for this call.
// err must be checked before evaluate is read; a failed call says nothing about which policies apply.
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest version. Current version is 6.x
// requestAdapter carries the credential; Policy.Read.ConditionalAccess is the least-privileged permission for this call.
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

// Identity whose sign-in is being simulated (sample user object ID).
UserSignIn identity = new UserSignIn();
identity.setOdataType("#microsoft.graph.userSignIn");
identity.setUserId("15dc174b-f34c-4588-ac45-61d6e05dce93");

// What the identity signs in to: data protected by authentication context "c37".
AuthContext authContext = new AuthContext();
authContext.setOdataType("#microsoft.graph.authContext");
authContext.setAuthenticationContextValue("c37");

// Nested parts of the sign-in conditions.
AuthenticationFlow flow = new AuthenticationFlow();
flow.setTransferMethod(EnumSet.of(ConditionalAccessTransferMethods.AuthenticationTransfer));
DeviceInfo device = new DeviceInfo();
device.setProfileType("Standard");

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
SignInConditions conditions = new SignInConditions();
conditions.setDevicePlatform(ConditionalAccessDevicePlatform.Windows);
conditions.setClientAppType(ConditionalAccessClientApp.MobileAppsAndDesktopClients);
conditions.setSignInRiskLevel(RiskLevel.Medium);
conditions.setUserRiskLevel(RiskLevel.None);
conditions.setCountry("US");
conditions.setIpAddress("40.77.182.32");
conditions.setInsiderRiskLevel(InsiderRiskLevel.Moderate);
conditions.setAuthenticationFlow(flow);
conditions.setDeviceInfo(device);

com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody evaluatePostRequestBody =
    new com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
evaluatePostRequestBody.setSignInIdentity(identity);
evaluatePostRequestBody.setSignInContext(authContext);
evaluatePostRequestBody.setSignInConditions(conditions);
// true: the response lists only the policies that would apply, not every policy.
evaluatePostRequestBody.setAppliedPoliciesOnly(true);

var result = graphClient.identity().conditionalAccess().evaluate().post(evaluatePostRequestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// authProvider supplies the access token; Policy.Read.ConditionalAccess is the
// least-privileged permission for this call.
const options = { authProvider };
const client = Client.init(options);

// Identity whose sign-in is being simulated (sample user object ID).
const signInIdentity = {
  '@odata.type': '#microsoft.graph.userSignIn',
  userId: '15dc174b-f34c-4588-ac45-61d6e05dce93'
};

// What the identity signs in to: data protected by authentication context 'c37'.
const signInContext = {
  '@odata.type': '#microsoft.graph.authContext',
  authenticationContextValue: 'c37'
};

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
const signInConditions = {
  devicePlatform: 'windows',
  clientAppType: 'mobileAppsAndDesktopClients',
  signInRiskLevel: 'medium',
  userRiskLevel: 'none',
  country: 'US',
  ipAddress: '40.77.182.32',
  insiderRiskLevel: 'moderate',
  authenticationFlow: { transferMethod: 'authenticationTransfer' },
  deviceInfo: { profileType: 'Standard' }
};

// This object is the request body for the evaluate action; the
// whatIfAnalysisResult collection is what the call returns.
const evaluateRequest = {
  signInIdentity,
  signInContext,
  signInConditions,
  // true: the response lists only the policies that would apply, not every policy.
  appliedPoliciesOnly: true
};

await client.api('/identity/conditionalAccess/evaluate').post(evaluateRequest);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Generated\Models\UserSignIn;
use Microsoft\Graph\Generated\Models\AuthContext;
use Microsoft\Graph\Generated\Models\SignInConditions;
use Microsoft\Graph\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Generated\Models\RiskLevel;
use Microsoft\Graph\Generated\Models\InsiderRiskLevel;
use Microsoft\Graph\Generated\Models\AuthenticationFlow;
use Microsoft\Graph\Generated\Models\ConditionalAccessTransferMethods;
use Microsoft\Graph\Generated\Models\DeviceInfo;
// $scopes decides what the token may do; Policy.Read.ConditionalAccess is the
// least-privileged permission for this call.
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

// Identity whose sign-in is being simulated (sample user object ID).
$identity = new UserSignIn();
$identity->setOdataType('#microsoft.graph.userSignIn');
$identity->setUserId('15dc174b-f34c-4588-ac45-61d6e05dce93');

// What the identity signs in to: data protected by authentication context 'c37'.
$authContext = new AuthContext();
$authContext->setOdataType('#microsoft.graph.authContext');
$authContext->setAuthenticationContextValue('c37');

// Nested parts of the sign-in conditions.
$flow = new AuthenticationFlow();
$flow->setTransferMethod(new ConditionalAccessTransferMethods('authenticationTransfer'));
$device = new DeviceInfo();
$device->setProfileType('Standard');

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
$conditions = new SignInConditions();
$conditions->setDevicePlatform(new ConditionalAccessDevicePlatform('windows'));
$conditions->setClientAppType(new ConditionalAccessClientApp('mobileAppsAndDesktopClients'));
$conditions->setSignInRiskLevel(new RiskLevel('medium'));
$conditions->setUserRiskLevel(new RiskLevel('none'));
$conditions->setCountry('US');
$conditions->setIpAddress('40.77.182.32');
$conditions->setInsiderRiskLevel(new InsiderRiskLevel('moderate'));
$conditions->setAuthenticationFlow($flow);
$conditions->setDeviceInfo($device);

$requestBody = new EvaluatePostRequestBody();
$requestBody->setSignInIdentity($identity);
$requestBody->setSignInContext($authContext);
$requestBody->setSignInConditions($conditions);
// true: the response lists only the policies that would apply, not every policy.
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph.generated.models.user_sign_in import UserSignIn
from msgraph.generated.models.auth_context import AuthContext
from msgraph.generated.models.sign_in_conditions import SignInConditions
from msgraph.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph.generated.models.risk_level import RiskLevel
from msgraph.generated.models.insider_risk_level import InsiderRiskLevel
from msgraph.generated.models.authentication_flow import AuthenticationFlow
from msgraph.generated.models.conditional_access_transfer_methods import ConditionalAccessTransferMethods
from msgraph.generated.models.device_info import DeviceInfo
# To initialize your graph_client, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
# NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
# confirm client and credential setup against the official Microsoft Graph SDK documentation.
# Policy.Read.ConditionalAccess is the least-privileged permission for this call.

# Identity whose sign-in is being simulated (sample user object ID).
identity = UserSignIn(
    odata_type="#microsoft.graph.userSignIn",
    user_id="15dc174b-f34c-4588-ac45-61d6e05dce93",
)

# What the identity signs in to: data protected by authentication context "c37".
auth_context = AuthContext(
    odata_type="#microsoft.graph.authContext",
    authentication_context_value="c37",
)

# Nested parts of the sign-in conditions.
flow = AuthenticationFlow(
    transfer_method=ConditionalAccessTransferMethods.AuthenticationTransfer,
)
device = DeviceInfo(profile_type="Standard")

# Sign-in parameters. Policy conditions that have no matching detail here
# cannot be evaluated, so supply as many as are known.
conditions = SignInConditions(
    device_platform=ConditionalAccessDevicePlatform.Windows,
    client_app_type=ConditionalAccessClientApp.MobileAppsAndDesktopClients,
    sign_in_risk_level=RiskLevel.Medium,
    user_risk_level=RiskLevel.None,
    country="US",
    ip_address="40.77.182.32",
    insider_risk_level=InsiderRiskLevel.Moderate,
    authentication_flow=flow,
    device_info=device,
)

request_body = EvaluatePostRequestBody(
    sign_in_identity=identity,
    sign_in_context=auth_context,
    sign_in_conditions=conditions,
    # True: the response lists only the policies that would apply, not every policy.
    applied_policies_only=True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
"value": [
{
"id": "e897c693-c0e6-4386-abc3-f46dee5940fb",
"templateId": null,
"displayName": "All users_auth context_No conditions_Auth strength MFA",
"createdDateTime": "2023-07-10T17:27:37.9735926Z",
"modifiedDateTime": "2025-03-27T20:03:41.92628Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [
"c1",
"c37"
],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": {
"id": "00000000-0000-0000-0000-000000000002",
"createdDateTime": "2021-12-01T08:00:00Z",
"modifiedDateTime": "2021-12-01T08:00:00Z",
"displayName": "Multifactor authentication",
"description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
"policyType": "builtIn",
"requirementsSatisfied": "mfa",
"allowedCombinations": [
"windowsHelloForBusiness",
"fido2",
"x509CertificateMultiFactor",
"deviceBasedPush",
"temporaryAccessPassOneTime",
"temporaryAccessPassMultiUse",
"password,microsoftAuthenticatorPush",
"password,softwareOath",
"password,hardwareOath",
"password,x509CertificateSingleFactor",
"password,x509CertificateMultiFactor",
"password,sms",
"password,voice",
"federatedMultiFactor",
"microsoftAuthenticatorPush,federatedSingleFactor",
"softwareOath,federatedSingleFactor",
"hardwareOath,federatedSingleFactor",
"sms,federatedSingleFactor",
"voice,federatedSingleFactor"
],
"combinationConfigurations": []
}
}
}
]
}
请求
以下示例显示了一个请求。
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/evaluate
Content-Type: application/json
{
"signInIdentity": {
"@odata.type": "#microsoft.graph.userSignIn",
"userId": "15dc174b-f34c-4588-ac45-61d6e05dce93"
},
"signInContext": {
"@odata.type": "#microsoft.graph.userActionContext",
"userAction": "registerSecurityInformation"
},
"signInConditions": {
"devicePlatform": "macOS",
"clientAppType": "browser",
"signInRiskLevel": "low",
"userRiskLevel": "high",
"servicePrincipalRiskLevel": "none",
"country": "CA",
"ipAddress": "40.77.182.32",
"insiderRiskLevel": "minor",
"authenticationFlow": {
"transferMethod": "deviceCodeFlow"
},
"deviceInfo": {
"trustType": "EntraID"
}
},
"appliedPoliciesOnly": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Models;
// Identity whose sign-in is being simulated (sample user object ID).
var signInIdentity = new UserSignIn
{
    OdataType = "#microsoft.graph.userSignIn",
    UserId = "15dc174b-f34c-4588-ac45-61d6e05dce93",
};

// What the identity is doing: the "register security information" user action.
var signInContext = new UserActionContext
{
    OdataType = "#microsoft.graph.userActionContext",
    UserAction = UserAction.RegisterSecurityInformation,
};

// Nested parts of the sign-in conditions.
var authenticationFlow = new AuthenticationFlow
{
    TransferMethod = ConditionalAccessTransferMethods.DeviceCodeFlow,
};
var deviceInfo = new DeviceInfo
{
    TrustType = "EntraID",
};

// Sign-in parameters. Policy conditions that have no matching detail here
// cannot be evaluated, so supply as many as are known.
var signInConditions = new SignInConditions
{
    DevicePlatform = ConditionalAccessDevicePlatform.MacOS,
    ClientAppType = ConditionalAccessClientApp.Browser,
    SignInRiskLevel = RiskLevel.Low,
    UserRiskLevel = RiskLevel.High,
    ServicePrincipalRiskLevel = RiskLevel.None,
    Country = "CA",
    IpAddress = "40.77.182.32",
    InsiderRiskLevel = InsiderRiskLevel.Minor,
    AuthenticationFlow = authenticationFlow,
    DeviceInfo = deviceInfo,
};

var requestBody = new EvaluatePostRequestBody
{
    SignInIdentity = signInIdentity,
    SignInContext = signInContext,
    SignInConditions = signInConditions,
    // true: the response lists only the policies that would apply, not every policy.
    AppliedPoliciesOnly = true,
};

// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
// NOTE(review): the host in the link above does not appear to be a Microsoft documentation domain;
// confirm client and credential setup against the official Microsoft Graph SDK documentation.
// Policy.Read.ConditionalAccess is the least-privileged permission for this call.
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphidentity "github.com/microsoftgraph/msgraph-sdk-go/identity"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
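// Build the request body for the conditional access evaluate ("What If") action.
requestBody := graphidentity.NewEvaluatePostRequestBody()

// Identity under evaluation: a user sign-in, referenced by the user's object ID.
signInIdentity := graphmodels.NewUserSignIn()
userId := "15dc174b-f34c-4588-ac45-61d6e05dce93"
signInIdentity.SetUserId(&userId)
requestBody.SetSignInIdentity(signInIdentity)

// Context: a user action (registering security information) instead of a target application.
signInContext := graphmodels.NewUserActionContext()
userAction := graphmodels.REGISTERSECURITYINFORMATION_USERACTION
signInContext.SetUserAction(&userAction)
requestBody.SetSignInContext(signInContext)

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
signInConditions := graphmodels.NewSignInConditions()
devicePlatform := graphmodels.MACOS_CONDITIONALACCESSDEVICEPLATFORM
signInConditions.SetDevicePlatform(&devicePlatform)
clientAppType := graphmodels.BROWSER_CONDITIONALACCESSCLIENTAPP
signInConditions.SetClientAppType(&clientAppType)
signInRiskLevel := graphmodels.LOW_RISKLEVEL
signInConditions.SetSignInRiskLevel(&signInRiskLevel)
userRiskLevel := graphmodels.HIGH_RISKLEVEL
signInConditions.SetUserRiskLevel(&userRiskLevel)
servicePrincipalRiskLevel := graphmodels.NONE_RISKLEVEL
signInConditions.SetServicePrincipalRiskLevel(&servicePrincipalRiskLevel)
country := "CA"
signInConditions.SetCountry(&country)
ipAddress := "40.77.182.32"
signInConditions.SetIpAddress(&ipAddress)
insiderRiskLevel := graphmodels.MINOR_INSIDERRISKLEVEL
signInConditions.SetInsiderRiskLevel(&insiderRiskLevel)

authenticationFlow := graphmodels.NewAuthenticationFlow()
transferMethod := graphmodels.DEVICECODEFLOW_CONDITIONALACCESSTRANSFERMETHODS
authenticationFlow.SetTransferMethod(&transferMethod)
signInConditions.SetAuthenticationFlow(authenticationFlow)

deviceInfo := graphmodels.NewDeviceInfo()
trustType := "EntraID"
deviceInfo.SetTrustType(&trustType)
signInConditions.SetDeviceInfo(deviceInfo)

requestBody.SetSignInConditions(signInConditions)

// true: the response lists only the policies that would apply to this sign-in.
appliedPoliciesOnly := true
requestBody.SetAppliedPoliciesOnly(&appliedPoliciesOnly)

// graphClient must already be initialized; see the official Microsoft Graph SDK guide
// on creating a client (Microsoft Learn, /graph/sdks/create-client).
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)
if err != nil {
	// A failed call says nothing about which policies apply; it must never be read
	// as "no policy matched". Replace panic with the caller's own error handling.
	panic(err)
}
_ = evaluate // inspect the returned evaluation results here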
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

// Identity under evaluation: a user sign-in, referenced by the user's object ID.
UserSignIn userSignIn = new UserSignIn();
userSignIn.setOdataType("#microsoft.graph.userSignIn");
userSignIn.setUserId("15dc174b-f34c-4588-ac45-61d6e05dce93");

// Context: a user action (registering security information) instead of a target application.
UserActionContext userActionContext = new UserActionContext();
userActionContext.setOdataType("#microsoft.graph.userActionContext");
userActionContext.setUserAction(UserAction.RegisterSecurityInformation);

// Nested parts of the simulated sign-in conditions.
AuthenticationFlow flow = new AuthenticationFlow();
flow.setTransferMethod(EnumSet.of(ConditionalAccessTransferMethods.DeviceCodeFlow));
DeviceInfo device = new DeviceInfo();
device.setTrustType("EntraID");

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
SignInConditions conditions = new SignInConditions();
conditions.setDevicePlatform(ConditionalAccessDevicePlatform.MacOS);
conditions.setClientAppType(ConditionalAccessClientApp.Browser);
conditions.setSignInRiskLevel(RiskLevel.Low);
conditions.setUserRiskLevel(RiskLevel.High);
conditions.setServicePrincipalRiskLevel(RiskLevel.None);
conditions.setCountry("CA");
conditions.setIpAddress("40.77.182.32");
conditions.setInsiderRiskLevel(InsiderRiskLevel.Minor);
conditions.setAuthenticationFlow(flow);
conditions.setDeviceInfo(device);

// Assemble the request body from the three parts built above.
com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody body =
        new com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
body.setSignInIdentity(userSignIn);
body.setSignInContext(userActionContext);
body.setSignInConditions(conditions);
// true: the response lists only the policies that would apply to this sign-in.
body.setAppliedPoliciesOnly(true);

var result = graphClient.identity().conditionalAccess().evaluate().post(body);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
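const options = {
    authProvider,
};
const client = Client.init(options);

// Request body for the evaluate ("What If") action. This object is the request,
// not a whatIfAnalysisResult; that type is what the action returns.
// A sign-in condition that is left out cannot be evaluated against policies that
// depend on it, so supply every detail that is known.
const evaluateRequest = {
    signInIdentity: {
        '@odata.type': '#microsoft.graph.userSignIn',
        userId: '15dc174b-f34c-4588-ac45-61d6e05dce93'
    },
    signInContext: {
        '@odata.type': '#microsoft.graph.userActionContext',
        userAction: 'registerSecurityInformation'
    },
    signInConditions: {
        devicePlatform: 'macOS',
        clientAppType: 'browser',
        signInRiskLevel: 'low',
        userRiskLevel: 'high',
        servicePrincipalRiskLevel: 'none',
        country: 'CA',
        ipAddress: '40.77.182.32',
        insiderRiskLevel: 'minor',
        authenticationFlow: {
            transferMethod: 'deviceCodeFlow'
        },
        deviceInfo: {
            trustType: 'EntraID'
        }
    },
    // true: the response lists only the policies that would apply to this sign-in.
    appliedPoliciesOnly: true
};

// Keep the response: it carries the evaluation results, which the original snippet discarded.
const evaluateResponse = await client.api('/identity/conditionalAccess/evaluate')
    .post(evaluateRequest);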
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Generated\Models\UserSignIn;
use Microsoft\Graph\Generated\Models\UserActionContext;
use Microsoft\Graph\Generated\Models\UserAction;
use Microsoft\Graph\Generated\Models\SignInConditions;
use Microsoft\Graph\Generated\Models\ConditionalAccessDevicePlatform;
use Microsoft\Graph\Generated\Models\ConditionalAccessClientApp;
use Microsoft\Graph\Generated\Models\RiskLevel;
use Microsoft\Graph\Generated\Models\InsiderRiskLevel;
use Microsoft\Graph\Generated\Models\AuthenticationFlow;
use Microsoft\Graph\Generated\Models\ConditionalAccessTransferMethods;
use Microsoft\Graph\Generated\Models\DeviceInfo;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

// Identity under evaluation: a user sign-in, referenced by the user's object ID.
$userSignIn = new UserSignIn();
$userSignIn->setOdataType('#microsoft.graph.userSignIn');
$userSignIn->setUserId('15dc174b-f34c-4588-ac45-61d6e05dce93');

// Context: a user action (registering security information) instead of a target application.
$userActionContext = new UserActionContext();
$userActionContext->setOdataType('#microsoft.graph.userActionContext');
$userActionContext->setUserAction(new UserAction('registerSecurityInformation'));

// Nested parts of the simulated sign-in conditions.
$authenticationFlow = new AuthenticationFlow();
$authenticationFlow->setTransferMethod(new ConditionalAccessTransferMethods('deviceCodeFlow'));
$deviceInfo = new DeviceInfo();
$deviceInfo->setTrustType('EntraID');

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
$conditions = new SignInConditions();
$conditions->setDevicePlatform(new ConditionalAccessDevicePlatform('macOS'));
$conditions->setClientAppType(new ConditionalAccessClientApp('browser'));
$conditions->setSignInRiskLevel(new RiskLevel('low'));
$conditions->setUserRiskLevel(new RiskLevel('high'));
$conditions->setServicePrincipalRiskLevel(new RiskLevel('none'));
$conditions->setCountry('CA');
$conditions->setIpAddress('40.77.182.32');
$conditions->setInsiderRiskLevel(new InsiderRiskLevel('minor'));
$conditions->setAuthenticationFlow($authenticationFlow);
$conditions->setDeviceInfo($deviceInfo);

// Assemble the request body from the three parts built above.
$requestBody = new EvaluatePostRequestBody();
$requestBody->setSignInIdentity($userSignIn);
$requestBody->setSignInContext($userActionContext);
$requestBody->setSignInConditions($conditions);
// true: the response lists only the policies that would apply to this sign-in.
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph.generated.models.user_sign_in import UserSignIn
from msgraph.generated.models.user_action_context import UserActionContext
from msgraph.generated.models.user_action import UserAction
from msgraph.generated.models.sign_in_conditions import SignInConditions
from msgraph.generated.models.conditional_access_device_platform import ConditionalAccessDevicePlatform
from msgraph.generated.models.conditional_access_client_app import ConditionalAccessClientApp
from msgraph.generated.models.risk_level import RiskLevel
from msgraph.generated.models.insider_risk_level import InsiderRiskLevel
from msgraph.generated.models.authentication_flow import AuthenticationFlow
from msgraph.generated.models.conditional_access_transfer_methods import ConditionalAccessTransferMethods
from msgraph.generated.models.device_info import DeviceInfo
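# graph_client must already be initialized; see the official Microsoft Graph SDK guide
# on creating a client (Microsoft Learn, /graph/sdks/create-client).

# Request body for the conditional access evaluate ("What If") action.
# A sign-in condition that is left out cannot be evaluated against policies that
# depend on it, so supply every detail that is known.
request_body = EvaluatePostRequestBody(
    # Identity under evaluation: a user sign-in, referenced by the user's object ID.
    sign_in_identity = UserSignIn(
        odata_type = "#microsoft.graph.userSignIn",
        user_id = "15dc174b-f34c-4588-ac45-61d6e05dce93",
    ),
    # Context: a user action (registering security information) instead of an application.
    sign_in_context = UserActionContext(
        odata_type = "#microsoft.graph.userActionContext",
        user_action = UserAction.RegisterSecurityInformation,
    ),
    sign_in_conditions = SignInConditions(
        device_platform = ConditionalAccessDevicePlatform.MacOS,
        client_app_type = ConditionalAccessClientApp.Browser,
        sign_in_risk_level = RiskLevel.Low,
        user_risk_level = RiskLevel.High,
        # `None` is a Python keyword, so `RiskLevel.None` is a syntax error. The
        # generated enum exposes the "none" level as `None_`; confirm against the
        # installed SDK version.
        service_principal_risk_level = RiskLevel.None_,
        country = "CA",
        ip_address = "40.77.182.32",
        insider_risk_level = InsiderRiskLevel.Minor,
        authentication_flow = AuthenticationFlow(
            transfer_method = ConditionalAccessTransferMethods.DeviceCodeFlow,
        ),
        device_info = DeviceInfo(
            trust_type = "EntraID",
        ),
    ),
    # True: the response lists only the policies that would apply to this sign-in.
    applied_policies_only = True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)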
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
响应
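以下示例显示了相应的响应。示例中返回的策略的 state 均为 enabledForReportingButNotEnforced(仅报告模式),因此 policyApplies 为 true 只表示该策略与所模拟的登录匹配,并不表示其授权控制已被强制执行。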
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
"value": [
{
"id": "37d51c45-8c60-4f82-98e0-6e1451cecf7c",
"templateId": null,
"displayName": "All Users except au1_All resources_user risk H_Password change",
"createdDateTime": "2022-03-31T22:59:59.6688974Z",
"modifiedDateTime": "2025-03-27T19:55:43.5390544Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [
"high"
],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [
"f7ca74b0-8562-4083-b66c-0476f942cfd0"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "AND",
"builtInControls": [
"mfa",
"passwordChange"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": null
}
},
{
"id": "4aa7d105-d92b-4c07-9834-0e810ddb89ac",
"templateId": null,
"displayName": "All admin roles except au1_All resources_No conditions_MFA",
"createdDateTime": "2022-03-29T20:39:24.3899939Z",
"modifiedDateTime": "2025-03-27T21:40:19.6686701Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [],
"excludeUsers": [
"f7ca74b0-8562-4083-b66c-0476f942cfd0"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [
"62e90394-69f5-4237-9190-012177145e10",
"194ae4cb-b126-40b2-bd5b-6091b380977d",
"f28a1f50-f6e7-4571-818b-6a12f2af6b6c",
"29232cdf-9323-42fd-ade2-1d097af3e4de",
"b1be1c3e-b65d-4f19-8427-f6fa0d97feb9",
"729827e3-9c14-49f7-bb1b-9608f156bbb8",
"b0f54661-2d74-4c50-afa3-1ec803f12efe",
"fe930be7-5e62-47db-91af-98c3a49a38b1",
"c4e39bd9-1100-46d3-8c65-fb160da0071f",
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"158c047a-c907-4556-b7ef-446551a6b5f7",
"966707d0-3269-4727-9be2-8c3a10f19b9d",
"7be44c8a-adaf-4e2a-84d6-ab2649e08a13",
"e8611ab8-c189-46e8-94e1-60213ab1f814"
],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": null
}
},
{
"id": "11083471-5a50-43ad-90c0-23f1af0869e1",
"templateId": null,
"displayName": "All users except au1_User action RS info_No conditions_Auth strenfth MFA",
"createdDateTime": "2024-10-16T15:06:45.0788027Z",
"modifiedDateTime": "2025-03-27T20:08:22.6064571Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"clientApplications": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [],
"excludeApplications": [],
"includeUserActions": [
"urn:user:registersecurityinfo"
],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"All"
],
"excludeUsers": [
"f7ca74b0-8562-4083-b66c-0476f942cfd0"
],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": {
"id": "00000000-0000-0000-0000-000000000002",
"createdDateTime": "2021-12-01T08:00:00Z",
"modifiedDateTime": "2021-12-01T08:00:00Z",
"displayName": "Multifactor authentication",
"description": "Combinations of methods that satisfy strong authentication, such as a password + SMS",
"policyType": "builtIn",
"requirementsSatisfied": "mfa",
"allowedCombinations": [
"windowsHelloForBusiness",
"fido2",
"x509CertificateMultiFactor",
"deviceBasedPush",
"temporaryAccessPassOneTime",
"temporaryAccessPassMultiUse",
"password,microsoftAuthenticatorPush",
"password,softwareOath",
"password,hardwareOath",
"password,x509CertificateSingleFactor",
"password,x509CertificateMultiFactor",
"password,sms",
"password,voice",
"federatedMultiFactor",
"microsoftAuthenticatorPush,federatedSingleFactor",
"softwareOath,federatedSingleFactor",
"hardwareOath,federatedSingleFactor",
"sms,federatedSingleFactor",
"voice,federatedSingleFactor"
],
"combinationConfigurations": []
}
}
}
]
}
示例 4:确定应用于服务主体的条件访问策略
请求
以下示例显示了一个请求。
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/evaluate
Content-Type: application/json
{
"signInIdentity": {
"@odata.type": "#microsoft.graph.servicePrincipalSignIn",
"servicePrincipalId": "c65b94a5-0049-439a-a6fd-bce307077730"
},
"signInContext": {
"@odata.type": "#microsoft.graph.applicationContext",
"includeApplications": [
"00000003-0000-0ff1-ce00-000000000000"
]
},
"signInConditions": {
"servicePrincipalRiskLevel": "high",
"country": "CA",
"ipAddress": "40.77.182.32"
},
"appliedPoliciesOnly": true
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Identity.ConditionalAccess.Evaluate;
using Microsoft.Graph.Models;
// Identity under evaluation: a service principal sign-in, referenced by its object ID.
var signInIdentity = new ServicePrincipalSignIn
{
    OdataType = "#microsoft.graph.servicePrincipalSignIn",
    ServicePrincipalId = "c65b94a5-0049-439a-a6fd-bce307077730",
};

// Context: the application (resource) that the service principal is accessing.
var targetApplications = new List<string>
{
    "00000003-0000-0ff1-ce00-000000000000",
};
var signInContext = new ApplicationContext
{
    OdataType = "#microsoft.graph.applicationContext",
    IncludeApplications = targetApplications,
};

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
var signInConditions = new SignInConditions
{
    ServicePrincipalRiskLevel = RiskLevel.High,
    Country = "CA",
    IpAddress = "40.77.182.32",
};

var requestBody = new EvaluatePostRequestBody
{
    SignInIdentity = signInIdentity,
    SignInContext = signInContext,
    SignInConditions = signInConditions,
    // true: the response lists only the policies that would apply to this sign-in.
    AppliedPoliciesOnly = true,
};

// graphClient must already be initialized; see the official Microsoft Graph SDK guide
// on creating a client (Microsoft Learn, /graph/sdks/create-client).
var result = await graphClient.Identity.ConditionalAccess.Evaluate.PostAsEvaluatePostResponseAsync(requestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphidentity "github.com/microsoftgraph/msgraph-sdk-go/identity"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
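// Build the request body for the conditional access evaluate ("What If") action.
requestBody := graphidentity.NewEvaluatePostRequestBody()

// Identity under evaluation: a service principal sign-in, referenced by its object ID.
signInIdentity := graphmodels.NewServicePrincipalSignIn()
servicePrincipalId := "c65b94a5-0049-439a-a6fd-bce307077730"
signInIdentity.SetServicePrincipalId(&servicePrincipalId)
requestBody.SetSignInIdentity(signInIdentity)

// Context: the application (resource) that the service principal is accessing.
signInContext := graphmodels.NewApplicationContext()
includeApplications := []string{
	"00000003-0000-0ff1-ce00-000000000000",
}
signInContext.SetIncludeApplications(includeApplications)
requestBody.SetSignInContext(signInContext)

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
signInConditions := graphmodels.NewSignInConditions()
servicePrincipalRiskLevel := graphmodels.HIGH_RISKLEVEL
signInConditions.SetServicePrincipalRiskLevel(&servicePrincipalRiskLevel)
country := "CA"
signInConditions.SetCountry(&country)
ipAddress := "40.77.182.32"
signInConditions.SetIpAddress(&ipAddress)
requestBody.SetSignInConditions(signInConditions)

// true: the response lists only the policies that would apply to this sign-in.
appliedPoliciesOnly := true
requestBody.SetAppliedPoliciesOnly(&appliedPoliciesOnly)

// graphClient must already be initialized; see the official Microsoft Graph SDK guide
// on creating a client (Microsoft Learn, /graph/sdks/create-client).
evaluate, err := graphClient.Identity().ConditionalAccess().Evaluate().PostAsEvaluatePostResponse(context.Background(), requestBody, nil)
if err != nil {
	// A failed call says nothing about which policies apply; it must never be read
	// as "no policy matched". Replace panic with the caller's own error handling.
	panic(err)
}
_ = evaluate // inspect the returned evaluation results here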
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

// Identity under evaluation: a service principal sign-in, referenced by its object ID.
ServicePrincipalSignIn servicePrincipalSignIn = new ServicePrincipalSignIn();
servicePrincipalSignIn.setOdataType("#microsoft.graph.servicePrincipalSignIn");
servicePrincipalSignIn.setServicePrincipalId("c65b94a5-0049-439a-a6fd-bce307077730");

// Context: the application (resource) that the service principal is accessing.
LinkedList<String> targetApplications = new LinkedList<>();
targetApplications.add("00000003-0000-0ff1-ce00-000000000000");
ApplicationContext applicationContext = new ApplicationContext();
applicationContext.setOdataType("#microsoft.graph.applicationContext");
applicationContext.setIncludeApplications(targetApplications);

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
SignInConditions conditions = new SignInConditions();
conditions.setServicePrincipalRiskLevel(RiskLevel.High);
conditions.setCountry("CA");
conditions.setIpAddress("40.77.182.32");

// Assemble the request body from the three parts built above.
com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody body =
        new com.microsoft.graph.identity.conditionalaccess.evaluate.EvaluatePostRequestBody();
body.setSignInIdentity(servicePrincipalSignIn);
body.setSignInContext(applicationContext);
body.setSignInConditions(conditions);
// true: the response lists only the policies that would apply to this sign-in.
body.setAppliedPoliciesOnly(true);

var result = graphClient.identity().conditionalAccess().evaluate().post(body);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
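const options = {
    authProvider,
};
const client = Client.init(options);

// Request body for the evaluate ("What If") action. This object is the request,
// not a whatIfAnalysisResult; that type is what the action returns.
// A sign-in condition that is left out cannot be evaluated against policies that
// depend on it, so supply every detail that is known.
const evaluateRequest = {
    signInIdentity: {
        '@odata.type': '#microsoft.graph.servicePrincipalSignIn',
        servicePrincipalId: 'c65b94a5-0049-439a-a6fd-bce307077730'
    },
    signInContext: {
        '@odata.type': '#microsoft.graph.applicationContext',
        includeApplications: [
            '00000003-0000-0ff1-ce00-000000000000'
        ]
    },
    signInConditions: {
        servicePrincipalRiskLevel: 'high',
        country: 'CA',
        ipAddress: '40.77.182.32'
    },
    // true: the response lists only the policies that would apply to this sign-in.
    appliedPoliciesOnly: true
};

// Keep the response: it carries the evaluation results, which the original snippet discarded.
const evaluateResponse = await client.api('/identity/conditionalAccess/evaluate')
    .post(evaluateRequest);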
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Identity\ConditionalAccess\Evaluate\EvaluatePostRequestBody;
use Microsoft\Graph\Generated\Models\ServicePrincipalSignIn;
use Microsoft\Graph\Generated\Models\ApplicationContext;
use Microsoft\Graph\Generated\Models\SignInConditions;
use Microsoft\Graph\Generated\Models\RiskLevel;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

// Identity under evaluation: a service principal sign-in, referenced by its object ID.
$servicePrincipalSignIn = new ServicePrincipalSignIn();
$servicePrincipalSignIn->setOdataType('#microsoft.graph.servicePrincipalSignIn');
$servicePrincipalSignIn->setServicePrincipalId('c65b94a5-0049-439a-a6fd-bce307077730');

// Context: the application (resource) that the service principal is accessing.
$targetApplications = ['00000003-0000-0ff1-ce00-000000000000'];
$applicationContext = new ApplicationContext();
$applicationContext->setOdataType('#microsoft.graph.applicationContext');
$applicationContext->setIncludeApplications($targetApplications);

// Simulated sign-in conditions. A condition that is left out cannot be evaluated
// against policies that depend on it, so supply every detail that is known.
$conditions = new SignInConditions();
$conditions->setServicePrincipalRiskLevel(new RiskLevel('high'));
$conditions->setCountry('CA');
$conditions->setIpAddress('40.77.182.32');

// Assemble the request body from the three parts built above.
$requestBody = new EvaluatePostRequestBody();
$requestBody->setSignInIdentity($servicePrincipalSignIn);
$requestBody->setSignInContext($applicationContext);
$requestBody->setSignInConditions($conditions);
// true: the response lists only the policies that would apply to this sign-in.
$requestBody->setAppliedPoliciesOnly(true);

$result = $graphServiceClient->identity()->conditionalAccess()->evaluate()->post($requestBody)->wait();
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.identity.conditionalaccess.evaluate.evaluate_post_request_body import EvaluatePostRequestBody
from msgraph.generated.models.service_principal_sign_in import ServicePrincipalSignIn
from msgraph.generated.models.application_context import ApplicationContext
from msgraph.generated.models.sign_in_conditions import SignInConditions
from msgraph.generated.models.risk_level import RiskLevel
# graph_client must already be initialized; see the official Microsoft Graph SDK guide
# on creating a client (Microsoft Learn, /graph/sdks/create-client).

# Identity under evaluation: a service principal sign-in, referenced by its object ID.
sp_sign_in = ServicePrincipalSignIn(
    odata_type = "#microsoft.graph.servicePrincipalSignIn",
    service_principal_id = "c65b94a5-0049-439a-a6fd-bce307077730",
)

# Context: the application (resource) that the service principal is accessing.
target_app_context = ApplicationContext(
    odata_type = "#microsoft.graph.applicationContext",
    include_applications = ["00000003-0000-0ff1-ce00-000000000000"],
)

# Simulated sign-in conditions. A condition that is left out cannot be evaluated
# against policies that depend on it, so supply every detail that is known.
conditions = SignInConditions(
    service_principal_risk_level = RiskLevel.High,
    country = "CA",
    ip_address = "40.77.182.32",
)

request_body = EvaluatePostRequestBody(
    sign_in_identity = sp_sign_in,
    sign_in_context = target_app_context,
    sign_in_conditions = conditions,
    # True: the response lists only the policies that would apply to this sign-in.
    applied_policies_only = True,
)

result = await graph_client.identity.conditional_access.evaluate.post(request_body)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
响应
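以下示例显示了相应的响应。示例中返回的两个策略的 state 均为 enabledForReportingButNotEnforced(仅报告模式),因此 policyApplies 为 true 只表示该策略与所模拟的登录匹配,并不表示 block 控制已被强制执行。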
HTTP/1.1 200 OK
Content-Type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.whatIfAnalysisResult)",
"value": [
{
"id": "461478d2-5896-4761-84ba-4d241c396a29",
"templateId": null,
"displayName": "All ST SPs_All resources_Any location_Block",
"createdDateTime": "2022-04-08T19:31:15.6087842Z",
"modifiedDateTime": "2025-03-27T20:08:54.0912734Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"times": null,
"deviceStates": null,
"devices": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"locations": {
"includeLocations": [
"All"
],
"excludeLocations": []
},
"clientApplications": {
"includeServicePrincipals": [
"ServicePrincipalsInMyTenant"
],
"excludeServicePrincipals": [],
"servicePrincipalFilter": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": null
}
},
{
"id": "4f1d2ff3-50db-4299-bbdd-0a114c98e97e",
"templateId": null,
"displayName": "All ST SPs_All resources_No conditions_Block",
"createdDateTime": "2025-02-21T07:04:44.777856Z",
"modifiedDateTime": "2025-03-28T06:15:41.2376665Z",
"state": "enabledForReportingButNotEnforced",
"policyApplies": true,
"analysisReasons": "notSet",
"partialEnablementStrategy": null,
"sessionControls": null,
"conditions": {
"userRiskLevels": [],
"signInRiskLevels": [],
"clientAppTypes": [
"all"
],
"servicePrincipalRiskLevels": [],
"insiderRiskLevels": null,
"clients": null,
"platforms": null,
"locations": null,
"times": null,
"deviceStates": null,
"devices": null,
"authenticationFlows": null,
"applications": {
"includeApplications": [
"All"
],
"excludeApplications": [],
"includeUserActions": [],
"includeAuthenticationContextClassReferences": [],
"applicationFilter": null,
"networkAccess": null,
"globalSecureAccess": null
},
"users": {
"includeUsers": [
"None"
],
"excludeUsers": [],
"includeGroups": [],
"excludeGroups": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": null,
"excludeGuestsOrExternalUsers": null
},
"clientApplications": {
"includeServicePrincipals": [
"ServicePrincipalsInMyTenant"
],
"excludeServicePrincipals": [],
"servicePrincipalFilter": null
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
],
"customAuthenticationFactors": [],
"termsOfUse": [],
"authenticationStrength": null
}
}
]
}