Policies
List Access reusable policies
Get an Access reusable policy
Create an Access reusable policy
Update an Access reusable policy
Delete an Access reusable policy
Models
Policy = object { id, approval_groups, approval_required, 11 more }
approval_groups: optional array of object { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
decision: optional "allow" or "deny" or "non_identity" or "bypass" The action Access will take if a user matches this policy.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
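The Exclude (NOT), Include (OR) and Require (AND) semantics of the Policy model, together with its decision values and the linked_app_token restriction, written as a local check to run on a policy document before it is submitted. This is an added example, not Cloudflare's code: `include`, `exclude` and `require` are the API's field names for the three rule lists, while `lint_policy`, `policy_matches`, `satisfied_by`, the empty inner rule objects and both sample policies are constructed for illustration. Treating an empty Include list as never matching is an assumption.

```python
"""Added example: lint an Access policy document and evaluate its match logic locally."""

# Decision values listed for the Policy model on this page.
DECISIONS = {"allow", "deny", "non_identity", "bypass"}

# Per this page, linked_app_token rules only work with these decisions.
LINKED_APP_TOKEN_DECISIONS = {"non_identity", "bypass"}

RULE_LISTS = ("include", "exclude", "require")


def rule_type(rule):
    """Return the single top-level key that names a rule's type."""
    if not isinstance(rule, dict) or len(rule) != 1:
        raise ValueError(f"rule must be an object with exactly one key: {rule!r}")
    return next(iter(rule))


def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    decision = policy.get("decision")
    if decision not in DECISIONS:
        findings.append(f"decision {decision!r} is not one of {sorted(DECISIONS)}")
    for field in RULE_LISTS:
        for index, rule in enumerate(policy.get(field, [])):
            try:
                kind = rule_type(rule)
            except ValueError as exc:
                findings.append(f"{field}[{index}]: {exc}")
                continue
            if kind == "linked_app_token" and decision not in LINKED_APP_TOKEN_DECISIONS:
                findings.append(
                    f"{field}[{index}]: linked_app_token is only compatible with "
                    f"non_identity and bypass decisions, not {decision!r}"
                )
    if not policy.get("include"):
        # Assumption: with no Include rule, nothing can "meet one of" them.
        findings.append("include is empty: no request can match this policy")
    return findings


def policy_matches(policy, satisfies):
    """Apply the page's operators: Exclude = NOT, Require = AND, Include = OR.

    `satisfies` is a caller-supplied predicate (hypothetical) that says whether
    the request under test meets one rule object.
    """
    if any(satisfies(rule) for rule in policy.get("exclude", [])):
        return False  # meeting any Exclude rule prevents a match
    if not all(satisfies(rule) for rule in policy.get("require", [])):
        return False  # every Require rule must be met
    return any(satisfies(rule) for rule in policy.get("include", []))


def satisfied_by(types):
    """Build a predicate from the set of rule types a constructed request meets."""
    return lambda rule: rule_type(rule) in types


# Constructed sample policies. Inner rule fields are left empty because the
# page does not list them; only the rule-type keys matter to this example.
POLICY_OK = {
    "decision": "allow",
    "include": [{"gsuite": {}}, {"github-organization": {}}],
    "require": [{"device_posture": {}}, {"auth_method": {}}],
    "exclude": [{"auth_context": {}}],
}

POLICY_BAD = {
    "decision": "allow",
    "include": [{"linked_app_token": {}}],
}


if __name__ == "__main__":
    for name, policy in (("POLICY_OK", POLICY_OK), ("POLICY_BAD", POLICY_BAD)):
        print(name, lint_policy(policy) or "no findings")

    cases = {
        "workspace user, posture ok, MFA ok": {"gsuite", "device_posture", "auth_method"},
        "workspace user, posture ok, no MFA": {"gsuite", "device_posture"},
        "all met but also hits Exclude": {
            "gsuite", "device_posture", "auth_method", "auth_context"
        },
        "Require met, no Include rule met": {"device_posture", "auth_method"},
    }
    for label, met in cases.items():
        print(f"{label}: match={policy_matches(POLICY_OK, satisfied_by(met))}")
```
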
PolicyListResponse = object { id, app_count, approval_groups, 15 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
PolicyGetResponse = object { id, app_count, approval_groups, 15 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
PolicyCreateResponse = object { id, app_count, approval_groups, 15 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
PolicyUpdateResponse = object { id, app_count, approval_groups, 15 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.