Set-EntraAuthorizationPolicy

Updates an authorization policy.

Syntax

Default (Default)

Set-EntraAuthorizationPolicy
 [-BlockMsolPowerShell <Boolean>]
 [-AllowedToSignUpEmailBasedSubscriptions <Boolean>]
 [-AllowEmailVerifiedUsersToJoinOrganization <Boolean>]
 [-DisplayName <String>]
 [-Description <String>]
 [-DefaultUserRolePermissions <DefaultUserRolePermissions>]
 [-AllowedToUseSSPR <Boolean>]
 [<CommonParameters>]

Description

The Set-EntraAuthorizationPolicy cmdlet updates a Microsoft Entra ID authorization policy.

In delegated scenarios with work or school accounts, the signed-in user must have a supported Microsoft Entra role or custom role with the necessary permissions. The least privileged role for this operation is:

  • Privileged Role Administrator

Examples

Example 1: Update an authorization policy

Connect-Entra -Scopes 'Policy.ReadWrite.Authorization'
$params = @{
 DisplayName = 'Updated displayName'
 Description = 'Updated Description'
 BlockMsolPowerShell = $true
 AllowedToUseSSPR = $false
 AllowEmailVerifiedUsersToJoinOrganization = $true
 AllowedToSignUpEmailBasedSubscriptions = $true
}

Set-EntraAuthorizationPolicy @params

This example demonstrates how to update a Microsoft Entra ID authorization policy.

Example 2: Update DefaultUserRolePermissions of authorization policy

Connect-Entra -Scopes 'Policy.ReadWrite.Authorization'
$defaultUserRolePermissions = New-Object -TypeName Microsoft.Open.MSGraph.Model.DefaultUserRolePermissions
$defaultUserRolePermissions.AllowedToCreateApps = $false
$defaultUserRolePermissions.AllowedToCreateSecurityGroups = $false
$defaultUserRolePermissions.AllowedToReadOtherUsers = $false
Set-EntraAuthorizationPolicy -DefaultUserRolePermissions $defaultUserRolePermissions

This example demonstrates how to update the DefaultUserRolePermissions of an authorization policy in Microsoft Entra ID.
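
Added example (not part of the original reference page or of the Microsoft.Entra module): a read-before-write check that compares the current policy with a baseline and passes only the settings that differ to Set-EntraAuthorizationPolicy. The baseline values, the helper name Get-AuthorizationPolicyDrift, and the assumption that Get-EntraAuthorizationPolicy returns properties named like this cmdlet's parameters are illustrative.

```powershell
# Baseline values are an assumed organizational choice, not vendor guidance.
$baseline = @{
    BlockMsolPowerShell                       = $true
    AllowEmailVerifiedUsersToJoinOrganization = $false
    AllowedToSignUpEmailBasedSubscriptions    = $false
}

function Get-AuthorizationPolicyDrift {
    # Hypothetical helper: returns only the settings whose current value
    # differs from the baseline, as a hashtable ready for splatting.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $drift = @{}
    foreach ($name in $Baseline.Keys) {
        $prop = $Policy.PSObject.Properties[$name]
        if ($null -eq $prop) {
            Write-Warning "Policy object has no property '$name'; skipping."
            continue
        }
        if ([bool]$prop.Value -ne [bool]$Baseline[$name]) {
            $drift[$name] = [bool]$Baseline[$name]
        }
    }
    return $drift
}

# Constructed sample standing in for the object read from the tenant.
$current = [pscustomobject]@{
    BlockMsolPowerShell                       = $false
    AllowEmailVerifiedUsersToJoinOrganization = $true
    AllowedToSignUpEmailBasedSubscriptions    = $false
}
# Live tenant (assumes the returned object exposes these property names):
# Connect-Entra -Scopes 'Policy.ReadWrite.Authorization'
# $current = Get-EntraAuthorizationPolicy | Select-Object -First 1

$drift = Get-AuthorizationPolicyDrift -Policy $current -Baseline $baseline
$drift.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0}: {1} -> {2}' -f $_.Name, $current.($_.Name), $_.Value }

# Apply only what drifted, and only when explicitly requested.
$apply = $false
if ($apply -and $drift.Count -gt 0) {
    Set-EntraAuthorizationPolicy @drift
}
```

Keeping the printed drift lines alongside the change record gives reviewers the before and after values for each setting that was modified.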

Parameters

-AllowedToSignUpEmailBasedSubscriptions

Specifies whether users can sign up for email-based subscriptions. The initial default value is true.

Parameter properties

Type: System.Boolean
Default value: None
Supports wildcards: False
DontShow: False

-AllowedToUseSSPR

Specifies whether the Self-Serve Password Reset feature can be used by users on the tenant. The initial default value is true.

Parameter properties

Type: System.Boolean
Default value: None
Supports wildcards: False
DontShow: False

-AllowEmailVerifiedUsersToJoinOrganization

Specifies whether a user can join the tenant by email validation. The initial default value is true.

Parameter properties

Type: System.Boolean
Default value: None
Supports wildcards: False
DontShow: False

-allowInvitesFrom

Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. Everyone is the default setting for all cloud environments except US Government.

Parameter properties

Type: allowInvitesFrom
Default value: None
Supports wildcards: False
DontShow: False

-allowUserConsentForRiskyApps

Indicates whether user consent for risky apps is allowed. Default value is false. We recommend that you keep the value set to false.

Parameter properties

Type: System.Boolean
Default value: None
Supports wildcards: False
DontShow: False

-BlockMsolPowerShell

Specifies whether the user-based access to the legacy service endpoint used by Microsoft Online PowerShell is blocked or not.

Parameter properties

Type: System.Boolean
Default value: None
Supports wildcards: False
DontShow: False

-DefaultUserRolePermissions

Contains various customizable default user role permissions.

Parameter properties

Type: DefaultUserRolePermissions
Default value: None
Supports wildcards: False
DontShow: False

-Description

Specifies the description of the authorization policy.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

-DisplayName

Specifies the display name of the authorization policy.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Microsoft.Open.MSGraph.Model.DefaultUserRolePermissions
