Edit

Share via

Set-EntraAuthorizationPolicy

Module:
Microsoft.Entra Module v1.1

Updates an authorization policy.

Syntax

Default (Default) 

Set-EntraAuthorizationPolicy

    [-BlockMsolPowerShell <Boolean>]
    [-AllowedToSignUpEmailBasedSubscriptions <Boolean>]
    [-AllowEmailVerifiedUsersToJoinOrganization <Boolean>]
    [-DisplayName <String>]
    [-Description <String>]
    [-DefaultUserRolePermissions <DefaultUserRolePermissions>]
    [-AllowedToUseSSPR <Boolean>]
    [<CommonParameters>]

Description

The Set-EntraAuthorizationPolicy cmdlet updates a Microsoft Entra ID authorization policy.

In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The least privileged role for this operation is:

  • Privileged Role Administrator

Examples

Example 1: Update an authorization policy

Connect-Entra -Scopes 'Policy.ReadWrite.Authorization'
$params = @{
    DisplayName                               = 'Updated displayName'
    Description                               = 'Updated Description'
    BlockMsolPowerShell                       = $true
    AllowedToUseSSPR                          = $false
    AllowEmailVerifiedUsersToJoinOrganization = $true
    AllowedToSignUpEmailBasedSubscriptions    = $true
}

Set-EntraAuthorizationPolicy @params

This example demonstrates how to update a Microsoft Entra ID authorization policy.

Example 2: Update DefaultUserRolePermissions of authorization policy

Connect-Entra -Scopes 'Policy.ReadWrite.Authorization'
$defaultUserRolePermissions = New-Object -TypeName Microsoft.Open.MSGraph.Model.DefaultUserRolePermissions
$defaultUserRolePermissions.AllowedToCreateApps = $false
$defaultUserRolePermissions.AllowedToCreateSecurityGroups = $false
$defaultUserRolePermissions.AllowedToReadOtherUsers = $false
Set-EntraAuthorizationPolicy -DefaultUserRolePermissions $defaultUserRolePermissions

This example demonstrates how to update a DefaultUserRolePermissions of authorization policy in Microsoft Entra ID.

Parameters

-AllowedToSignUpEmailBasedSubscriptions

Specifies whether users can sign up for email based subscriptions. The initial default value is true.

Parameter properties

Type:System.Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AllowedToUseSSPR

Specifies whether the Self-Serve Password Reset feature can be used by users on the tenant. The initial default value is true.

Parameter properties

Type:System.Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AllowEmailVerifiedUsersToJoinOrganization

Specifies whether a user can join the tenant by email validation. The initial default value is true.

Parameter properties

Type:System.Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-allowInvitesFrom

Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. Everyone is the default setting for all cloud environments except US Government.

Parameter properties

Type:allowInvitesFrom
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-allowUserConsentForRiskyApps

Indicates whether user consent for risky apps is allowed. Default value is false. We recommend that you keep the value set to false.

Parameter properties

Type:System.Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-BlockMsolPowerShell

Specifies whether the user-based access to the legacy service endpoint used by Microsoft Online PowerShell is blocked or not.

Parameter properties

Type:System.Boolean
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DefaultUserRolePermissions

Contains various customizable default user role permissions.

Parameter properties

Type:DefaultUserRolePermissions
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Description

Specifies the description of the authorization policy.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisplayName

Specifies the display name of the authorization policy.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Microsoft.Open.MSGraph.Model.DefaultUserRolePermissions